7 charged with money mule offences after DBS bank customers fall for recent SMS phishing scams

SINGAPORE: Seven people aged 18 to 27 were charged in court on Wednesday (Jan 17) in relation to a recent spate of SMS phishing scams that affected DBS bank.

The surge in cases led to at least 219 DBS customers losing about S$446,000 (US$335,000) in the first two weeks of this year, the authorities previously announced on Sunday.

Those hauled to court were arrested in an islandwide anti-scam enforcement operation conducted between Monday and Tuesday.

They are accused of acting as money mules in facilitating the scams by giving up their bank accounts and internet banking credentials. One of them also allegedly disclosed his Singpass credentials in exchange for money.

Money mules are typically recruited by criminal syndicates and help to launder money for scammers.

They play a major role in scams by handing over control of their payment accounts – such as bank accounts – to criminals, or using their accounts to receive or transfer money under the criminals' instructions.

Six of the accused individuals face charges under the Computer Misuse Act, for abetting unknown persons to secure unauthorised access to a bank’s computer system this month.

They are:

• Mark Lim Jun Feng, 19. The Nanyang Polytechnic student supposedly gave away his DBS or POSB internet banking login details to unknown persons in October last year, resulting in multiple unauthorised transactions.
• Ei Thin Zar Kyaw, 22. The Myanmar national allegedly handed over her POSB debit card and internet banking account credentials between Dec 26 last year and Jan 4. She was also charged with obstructing justice by deleting her Facebook Messenger chat history between her and one Kyaw Zar Wa, and giving false information to a police officer by saying she lost her debit card at her workplace in Resorts World Sentosa.
• Nur Iffah Natasha Mohamed Zazeri, 23. She allegedly handed over her DBS ATM card along with her PIN.
• Muhamad Zulhilmi Zuraini, 24. He is accused of handing over the PIN and internet banking credentials for a DBS account to someone named Khai on Mar 27 last year.
• Kingston Teo, 27. He allegedly gave away his internet banking login details and ATM cards for a DBS account and UOB account, resulting in unauthorised access to both banking systems. He is set to plead guilty on Feb 27.
• Tan Jun Liang, 27. He supposedly handed over the PIN and internet banking credentials of a DBS account last month.

First-time offenders can be jailed up to two years or fined up to S$5,000, or both.

The remaining accused person – Jovier Ng Junrong, aged 18 – was charged with disclosing his Singpass account details to an unknown person through a phishing link for commission in October last year, which led to the opening of two Standard Chartered Bank accounts.

Ng was also charged with getting commission by disclosing the user ID, password, ATM card and PIN of his DBS account to someone on the Telegram messaging app, so that transactions could be made through the account.

First-time offenders who disclose access codes without authorisation can be jailed up to three years or fined up to S$10,000, or both.

HOW THE SCAMS WORKED

In a press release announcing the seven arrests, the police said they received several reports of SMS banking-related phishing scams this month.

Victims would receive unsolicited SMSes bearing short codes, overseas numbers, or local numbers, from scammers impersonating banks or bank staff. They would then warn victims of “possible unauthorised attempts” to access their bank accounts.

These SMSes would urge them to click on embedded links to "verify their identities and stop the transactions".

After clicking on the links, the victims would be directed to fake DBS websites and asked to provide their internet banking details and one-time passwords (OTPs), which scammers would then use to make unauthorised withdrawals.

A DBS spokesperson earlier said it would assess victims' circumstances and "offer goodwill payouts on a case-by-case basis".

The authorities also warned that since early 2022, all banks have removed clickable links in emails or SMSes to retail customers – one of several safeguards that banks put in place to combat the spate of phishing scams in 2022.

“To avoid being an accomplice in these crimes, members of the public should always reject seemingly attractive money-making opportunities promising fast and easy pay-outs for the use of their Singpass accounts, bank accounts, or allow their personal bank accounts to be used to receive and transfer money for others,” said the police.

The police also reminded members of the public that individuals will be held accountable if they are found to be linked to such crimes.