
Singapore

Banks, telcos or consumers — who will bear phishing scam losses under proposed framework? Here are 4 scenarios

SINGAPORE — If a new framework proposed by the authorities on Wednesday (Oct 25) is implemented, financial institutions could bear the full losses incurred by victims of digitally enabled phishing scams, should the institutions be found to have breached anti-scam obligations.

The proposed shared responsibility framework for phishing scams was unveiled in a joint consultation paper published by the Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA).

The paper, which outlines a “waterfall approach”, proposes that responsibility for losses cascades from financial institutions, to telecommunications companies (telcos) if the phishing scam was perpetrated via SMS, and finally to consumers: each party in the chain bears the loss only if it has failed to meet the obligations set out for it in the framework.

In the consultation paper, MAS and IMDA said the proposed framework will only cover digitally-enabled phishing scams with a “clear Singapore nexus” for now.

This means that any entities impersonated in phishing scams should either be Singapore-based, or entities based overseas that offer their services to Singapore residents.

It also has to be a phishing scam — which generally involves consumers being deceived into clicking on a phishing link and entering their credentials on a fake digital platform.

In doing so, they unknowingly reveal their credentials to scammers, who can proceed to perform unauthorised transactions from their accounts.

Still, with clearly outlined conditions for the filing of claims and multiple stakeholders involved in the waterfall framework, consumers may, at least at the start, find it hard to discern what the proposed framework would cover.

TODAY looks at some possible scenarios where phishing scam victims may file reports in hope of recouping their losses, and who should bear responsibility in these different instances.

WHO SHOULD BEAR THE LOSSES?

SCENARIO 1

  • A scammer impersonates the police and contacts a consumer via a WhatsApp message
  • The consumer is directed by a link in the scammer’s WhatsApp message to a fake Immigration and Checkpoints Authority (ICA) website to pay for his purported “outstanding fines”
  • The consumer then enters his banking credentials and one-time password into the fake banking website, as directed from the fake ICA website
  • The scammer then uses the consumer’s banking credentials and one-time password to activate a new digital security token on the scammer’s own phone
  • The scammer then makes 10 transactions of S$500 each to another local account
  • As the bank’s system is down, notification alerts for the 10 outgoing transactions and activation of a new digital security token are sent to the consumer only two days later
  • When the consumer receives these notification alerts, he immediately tries to report them to the responsible financial institution, but is unable to as the institution is receiving a high volume of calls
  • He then tries to activate the kill-switch — that allows consumers to quickly suspend their accounts if they fear they have been compromised — but is unable to do so due to a system issue on the institution’s end
  • Subsequently, the scammer makes further unauthorised transactions amounting to S$4,000 on the consumer’s account, as the consumer is unable to suspend his account
  • A notification alert is sent for this further S$4,000 transaction

Verdict: A full payout will be borne by the responsible financial institution, under the new proposed framework

  • The case is applicable for assessment under the new proposed framework, as all elements of a phishing scam — as outlined by the framework — have been met
  • The financial institution has failed in its duty to send real-time notification alerts for the activation of a new digital token, and for the first 10 unauthorised transactions
  • It also failed in its duty to make a kill-switch available to the consumer at all times
  • Telcos would not be involved in this assessment, as the link leading to the fake ICA website was sent through WhatsApp, not SMS
  • As such, the financial institution would have to bear the full losses incurred by the consumer (that is, for the 10 S$500 transactions and the subsequent S$4,000 transaction)

SCENARIO 2

  • A scammer impersonates a financial institution and contacts a consumer via a phishing email
  • The email informs the consumer that his account is about to be suspended
  • The consumer proceeds to click on a website link provided in the email, believing it would take him to an online page where he can prevent his account from being suspended
  • The link then brings him to a spoofed “financial institution” website, where he enters his account credentials
  • The scammer subsequently uses the credentials and one-time password provided to take over the consumer’s account without his knowledge, and sets up a digital token on the scammer’s own device
  • Due to a system error, the responsible financial institution does not impose a 12-hour cooling-off period during which high-risk activities cannot be performed
  • As a result, the scammer is able to increase the consumer’s online transaction limit from S$5,000 to S$10,000 — which is deemed a high-risk activity — within 12 hours of the new digital token’s activation
  • Although the consumer sees the notification alerts informing him of the activation of a new digital token and the increase of his transaction limit, he does not act on it
  • The scammer then proceeds to make multiple transactions of S$10,000 each, out of the consumer’s account

Verdict: A full payout will be borne by the responsible financial institution

  • The case is applicable for assessment under the new proposed framework, as all elements of a phishing scam — as outlined by the framework — have been met
  • The responsible financial institution has failed in its duty to impose a minimum 12-hour cooling-off period
  • This allowed the scammer to increase the consumer’s transaction limit within what should have been the 12-hour cooling-off period
  • As such, the financial institution would have to bear the full losses incurred by the consumer
  • This is in spite of the fact that the consumer has failed to take due care by clicking on the link in the phishing email, and also choosing to ignore the notification alerts sent to him

SCENARIO 3

  • A consumer receives an SMS from a scammer with its Sender ID displayed as “DBS Bank”
  • The SMS was in fact sent by a scammer impersonating the bank
  • A responsible telco had connected to a non-participating SMS aggregator to deliver this SMS to the consumer
  • A participating aggregator is one that is licensed by IMDA and registered with the SMS Sender ID Registry to handle the sending of such Sender ID SMSes
  • The SMS informed the consumer to reset his online banking password by clicking on a link
  • The consumer did so, and keyed in his bank account details online
  • The consumer’s account credentials, including his one-time password, were used by the scammer to carry out five transactions where S$10,000 was transferred to another local account
  • SMS transaction notifications were sent by the responsible financial institution for all five transactions, and no lapses by the responsible financial institution were observed

Verdict: A full payout will be borne by the responsible telco

  • The case is applicable for assessment under the new proposed framework, as all elements of a phishing scam — as outlined by the framework — have been met
  • The responsible telco had failed in its duty to connect only to participating SMS aggregators
  • As such, the telco is expected to bear the full losses incurred by the customer, even though he had failed to take due care by clicking on the link in the phishing SMS

SCENARIO 4

  • A scammer impersonates a financial institution and sends a phishing email to a consumer, informing him of an attractive financial product
  • The consumer clicks on the link within the phishing email, which leads him to a spoofed financial institution website
  • He enters his account credentials and one-time password on the fake website to purchase the product
  • The scammer uses these account credentials to initiate three monetary transactions — of S$1,000, S$2,000, and S$3,000 — to another local account
  • As the consumer has previously adjusted his transaction notification threshold to S$1,500, the notifications are only sent by the responsible financial institution for the transactions of S$2,000 and S$3,000

Verdict: No payout will be made under the proposed framework; consumer to bear full losses

  • The case is applicable for assessment under the new proposed framework, as all elements of a phishing scam — as outlined by the framework — have been met
  • While the responsible financial institution did not send out notification alerts for the S$1,000 transaction, this does not constitute a breach of duty, as the consumer had previously opted to raise his transaction notification threshold to S$1,500
  • Given that the link leading to the spoofed “financial institution” website was sent to the consumer via email and not SMS, the telcos would not be liable in this assessment
  • The full losses will therefore be borne by the consumer, though he may approach existing avenues of dispute resolution if he wishes to seek further recourse

As a rule of thumb, financial institutions, followed by telcos, will be expected to bear the full losses incurred from such digitally enabled phishing scams, should they fail to discharge their respective prescribed duties, said MAS and IMDA in a joint press statement on Wednesday.
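The four scenarios above are worked instances of one decision procedure: check that the case is a digitally enabled phishing scam with a Singapore nexus, test the financial institution's duties, then (for SMS only) the telco's duty, and let the loss fall to the consumer when nobody breached. The script below encodes that waterfall and replays the four scenarios. It is an added illustration written for this page, not code from TODAY, MAS or IMDA; the duties it checks are only those named in the scenarios, the "alert due for amounts at or above the threshold" rule is an assumption, and the transaction counts for Scenarios 2 and 3, which the article leaves open, are constructed values.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class PhishingCase:
    """One phishing-scam claim, described by the facts the framework asks about."""
    name: str
    channel: str                       # "sms", "email" or "whatsapp": how the phishing link reached the consumer
    transactions: list[int]            # unauthorised outgoing transfers, in S$
    singapore_nexus: bool = True       # impersonated entity is Singapore-based or serves Singapore residents
    credentials_phished: bool = True   # consumer entered credentials on a fake digital platform
    # Financial institution duties named in the scenarios
    notification_threshold: int = 0    # consumer-chosen threshold; alerts assumed due for amounts >= this
    missed_alerts: list[int] = field(default_factory=list)  # transaction amounts with no real-time alert
    token_alert_realtime: bool = True  # real-time alert for activation of a new digital token
    cooling_off_enforced: bool = True  # 12-hour block on high-risk activities after token activation
    kill_switch_available: bool = True
    # Telco duty (only assessed when the channel is SMS)
    participating_aggregator_only: bool = True


def in_scope(case: PhishingCase) -> bool:
    """Framework only covers digitally enabled phishing scams with a Singapore nexus."""
    return case.singapore_nexus and case.credentials_phished


def fi_breaches(case: PhishingCase) -> list[str]:
    """Duties of the financial institution; any breach puts it first in line."""
    breaches = []
    # An alert skipped because the consumer raised his own threshold is not a breach (Scenario 4)
    if any(amt >= case.notification_threshold for amt in case.missed_alerts):
        breaches.append("no real-time transaction alert")
    if not case.token_alert_realtime:
        breaches.append("no real-time alert for new digital token")
    if not case.cooling_off_enforced:
        breaches.append("12-hour cooling-off period not enforced")
    if not case.kill_switch_available:
        breaches.append("kill-switch unavailable")
    return breaches


def telco_breaches(case: PhishingCase) -> list[str]:
    """Telco duties are only assessed when the phishing link was delivered by SMS."""
    if case.channel != "sms":
        return []
    if not case.participating_aggregator_only:
        return ["SMS routed via non-participating aggregator"]
    return []


def allocate_loss(case: PhishingCase) -> tuple[str, int, list[str]]:
    """Waterfall: financial institution, then telco, then consumer. Returns (bearer, payout, reasons)."""
    total = sum(case.transactions)
    if not in_scope(case):
        return ("out of scope", 0, ["not a digitally enabled phishing scam with a Singapore nexus"])
    if breaches := fi_breaches(case):
        return ("financial institution", total, breaches)
    if breaches := telco_breaches(case):
        return ("telco", total, breaches)
    return ("consumer", 0, ["no breach of duty by financial institution or telco"])


# The four scenarios from the article, encoded as cases. Counts the article leaves open are constructed.
SCENARIOS = [
    PhishingCase("1", "whatsapp", [500] * 10 + [4000],
                 missed_alerts=[500] * 10, token_alert_realtime=False, kill_switch_available=False),
    PhishingCase("2", "email", [10_000] * 3,   # "multiple" S$10,000 transfers; three is a constructed count
                 cooling_off_enforced=False),
    PhishingCase("3", "sms", [10_000] * 5,     # modelled as five S$10,000 transfers (constructed reading)
                 participating_aggregator_only=False),
    PhishingCase("4", "email", [1000, 2000, 3000],
                 notification_threshold=1500, missed_alerts=[1000]),
]

if __name__ == "__main__":
    for case in SCENARIOS:
        bearer, payout, reasons = allocate_loss(case)
        print(f"Scenario {case.name}: {bearer} bears S${payout:,} ({'; '.join(reasons)})")
```

Running it prints one line per scenario with the bearer, the payout and the breached duties. The channel gate in `telco_breaches` is the detail worth noticing: the same aggregator lapse that makes the telco liable in Scenario 3 would leave the consumer with the loss had the link arrived by email or WhatsApp, because the telco's duty is never assessed for those channels.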

“Financial institutions stand first in line, given that they hold greater responsibility as custodians of consumers’ money.

“Telcos stand second in line, as they play a secondary role in fostering security of digital payments by facilitating SMS delivery.”

Still, while the proposed framework is intended to strengthen financial institutions’ and telcos’ accountability to consumers, it will not absolve customers of their own duty to be vigilant.

“If financial institutions and telcos have fulfilled their duties, the Shared Responsibility Framework will not require payouts to be made to consumers,” said MAS and IMDA.

“A discerning and vigilant public remains the first line of defence against scams.

“Individuals have a responsibility to mitigate the occurrence of scams by practising proper cyber hygiene and not giving away their credentials to a third party under any circumstance,” the authorities added.

Source: TODAY