The purpose of this blog is to share how fast payments in Asia can be used fraudulently and to illustrate some of counter measures that are being implemented to combat frauds and scams. Across Asia and all around the world, scams and cybercrimes have been on the rise, particularly since the global COVID-19 pandemic. This is a concerning development which The SEACEN Centre’s members and stakeholders are taking quite seriously. A recent UN report estimates that hundreds of thousands of people from around the world have been trafficked to Southeast Asia to run online scams. It noted that at least 120,000 people in Myanmar and another 100,000 in Cambodia have been forced into working these scams. Most victims are men from Asia, but some have come from further afield, such as Africa and Latin America.
In an ominous convergence of crime, organised crime groups, call-centre gangs and human trafficking are joining forces, creating a labyrinth of digital deception. Criminals are exploiting vulnerable individuals, forcing them into the role of unsuspecting mules in their fraudulent schemes. According to the UN Report, during the COVID-19 pandemic-related shutdowns millions of people who were stuck at home and glued online became ready targets for the masterminds of online fraud schemes. They became easy victims, lured by advertisements on social-media platforms promising overseas job opportunities with extravagant perks. And while criminal gangs have traditionally preyed on less-educated people desperate to make a quick buck, they are now targeting victims with professional jobs, who often have graduate or even post-graduate degrees.
Based on data from LexisNexis Risk Solutions, scammers are targeting mobile and digital channels. The attack volumes on mobile surged 94 per cent year-on-year worldwide, from 260 million to 505 million at the start of 2023, compared to the same period last year. Traditional third-party fraud is most commonly found in many parts of Asia and has slowly evolved into impersonation scams with third-party account access. This type of more sophisticated scam is harder to detect and is prevalent across the region, including Hong Kong and Singapore. Scams account for 54 per cent of all digital banking fraud in the Asia-Pacific region.
Milieu Insight conducted a comprehensive survey among 2,500 respondents across Singapore, Thailand, Vietnam, Malaysia and Indonesia in March of this year to shed light on the prevalence of scams across Southeast Asia. Across the region, more than half of those who had been scammed (54 per cent) lost money from the incidents. Buying/selling scams were the highest at 37 per cent, likely due to the rise of online shopping, according to respondents who indicated how they were scammed. Investment scams accounted for 31 per cent of reported incidents, ranking as the second most prevalent type of scam in the region. In Thailand, prevalent scams included advance fee scams (34 per cent), where individuals were promised money, services or products in return for a small payment, as well as phishing scams and e-commerce/delivery scams (29 per cent). In Thailand and Vietnam, half of the victims fell prey to scams through social media channels, while in Vietnam, mobile app scams were also prevalent, accounting for 45 per cent of reported scam incidents. Additionally, in Malaysia, one in four victims were deceived through e-mail scams.
From phishing to advanced payment fraud, these crimes are becoming increasingly sophisticated, necessitating the adoption of cutting-edge countermeasures. Romance-investment scams, crypto fraud, money laundering and illegal gambling have ballooned since the pandemic. The UN estimates that these scam centres generate billions of US dollars in revenue per year. The perpetrators of heinous frauds and scams are insensitive to the devastating financial and emotional impact that their crimes have on victims. They act with impunity or operate without fear of facing justice and the money they make is often funneled into untraceable cryptoassets or used to fund further criminal activity.
How can faster payment be used fraudulently?
The pace of transformation spurred by digital technology accelerated at a phenomenal speed during the COVID-19 pandemic. Consequently, we have grown relatively comfortable sharing personal information online, as a result of which we have seen an explosion of data. Our digital and mobile devices are an integral part of our lives creating a heaven or honeypot for fraudsters and scammers. In an era of digitalisation and fast payments, frauds and scams are based upon new habits, whether it’s how we buy things online, how we store or share things or even how some people look for love. Fraud is always a counteraction to initial action. And not all fraud is overt or obvious.
The payments landscape in Asia has evolved rapidly, thanks to the emergence of new payment methods. There are now more choices than ever before for how we make payments, transfer money and set up payment plans for services. The use of mobile wallets or QR codes is also quite prevalent and has bolstered the use of mobile devices for financial transactions as well as spurred significant innovation across the region. Concurrently, real-time fast payments have delivered incredible efficiency and convenience by providing a digital equivalent to physical cash allowing for instant payment. In Asia, these technologies are being adopted by a rapidly growing middle class with increasing disposable income and a rising demand for financial services.
These new payment methods have taken advantage of technology and the ways in which it has affected human behaviour. They involve building a great user interface (UI) and user experience (UX). Speed and immediacy are a critical component of daily interaction when purchasing goods and services, sending, and receiving money. At the same time, the appeal of these banking innovations has also made it a honeypot for fraud. Scammers are attracted to the increase in money flows and finding new inexperienced consumers to con online. One such cybercrime, called Authorised Push Payment (APP) fraud, is a scam where fraudsters trick a target into sending them money.
The adoption of faster payments across the region relies on users actively sending or ‘pushing’ money to merchants and, vice versa, merchants paying, for instance, a supplier. Fraudsters utilise faster payments by sending communications to an individual or company, acting as if they were someone else in order for you to send payment to them. This may sound like something that you would spot from a mile off, but with fraudsters hacking e-mail accounts along with using social media to gain information about the people they are impersonating, it can be harder to determine whether it is genuine or not.
Once payment has been sent through, if the victim then realises that it has been sent to a fraudster, they will most likely notify their bank as soon as possible to try to get their money back. Unlike other payment methods, with fast payment clearance is almost instantaneous and there may be very little opportunity to cancel a payment. Fraudsters and scammers make use of this to their advantage by transferring money to other accounts, including cryptoassets, as quickly as they come in. Furthermore, due to the payment being made via the ‘push’ method and issued by the victim, this makes it more challenging to get their money back, because of the difficulty of proving that they had no idea that this money would end up in the wrong hands. On the transaction side, Juniper Research reports that merchant losses to online payment fraud will exceed USD206 billion cumulatively for the period between 2021 and 2025. To combat the ‘push payment’ factor, in 2020, the UK launched Confirmation of Payee (CoP) which allows payers to check the details of who they are paying before they confirm the transaction. It has been successfully implemented by several UK banks, building societies and other payment service providers (PSPs). The aim of the service is to reduce certain types of fraud, like the APP scam, as well as prevent misdirected payments.
What are the counter measures being implemented to combat frauds and scams?
Given the extent of fraud and scams, it is imperative that businesses including the banking sector get the right fraud prevention tools in place to anticipate future scams and mitigate financial losses. Businesses and consumers need to be aware of the creativity and agility that fraudsters are using today, especially in our digital-first world. Asian consumers are looking for banks that will protect them from scams like APP fraud. FICO’s latest survey has revealed that good fraud protection is now the top consideration when consumers are looking to open a new financial account. In the Philippines, two in five consumers see it as the top priority, with a further one in four saying it is the second most important consideration. The story is similar in Malaysia, with one in three ranking security first and a further one in four ranking it second. Asian consumers are also becoming more aware of the efforts banks are making to protect them against crimes such as identity theft, account takeover and card fraud: 61 per cent of Filipinos said that identity checks have increased when making online purchases and 56 per cent have experienced more identity checks when they log into accounts.
To this end, SEACEN members and stakeholders have been stepping up efforts to combat financial scams, and in doing so they are collaborating with other stakeholders. Their efforts include rolling out preventive measures, pursuing more effective and coordinated enforcement actions, and raising public awareness. Increasingly, banks are required to adopt high standards of security, especially for internet and mobile banking services. SEACEN members and stakeholders are working with the financial industry to ensure that banking and payment channels remain secure and equipped with up-to-date security controls. Below we explore recent development in Malaysia and Singapore. For example, as outlined in a 2022 speech by Bank Negara Malaysia’s Governor, Malaysia requires financial institutions to:
- first, migrate from SMS one-time passwords (OTP) to more secure forms of authentication for online activities or transactions relating to account opening, fund transfers and payments, as well as changes to personal information and account settings;
- second, further tighten fraud detection rules and triggers for blocking suspected scam transactions. Customers will be immediately alerted when any such activity involving their banking accounts is detected. As an additional measure, financial institutions will block such transactions, and customers will be asked to confirm that such transactions are genuine before they are unblocked;
- third, have a cooling-off period for the first-time enrolment of online banking services or secure devices. During this time, no online banking activity is allowed to be conducted;
- fourth, restrict customers to one mobile or secure device for the authentication of online banking transactions; and
- fifth, financial institutions will be required to set up dedicated hotlines for customers to report financial scam incidents. Financial institutions have been directed to be more responsive to scam reports lodged by customers. Financial institutions have also been directed to facilitate efforts to recover and protect stolen funds, including to work with relevant agencies to prevent further losses.
In addition, financial institutions in Malaysia are required to provide convenient ways for customers to suspend their bank accounts if they suspect that their accounts have been compromised as a result of a scam. Customers will also be able to subsequently reactivate their accounts after a reasonable period to ensure that their accounts are secure.
In Singapore, the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) introduced a set of additional measures to bolster the security of digital banking, in view of the recent spate of SMS-phishing scams targeting bank customers. MAS expects all financial institutions to have in place robust measures to prevent and detect scams as well as effective incident handling and customer service in the event of a scam. The growing threat of online phishing scams calls for immediate steps to strengthen controls, while longer-term preventive measures are being evaluated for implementation in the coming months. Banks in Singapore, in consultation with MAS, are expected to provide more stringent measures to minimise scams and frauds and financial losses, including:
- removal of clickable links in e-mails or SMSes sent to retail customers;
- threshold for funds transfer transaction notifications to customers to be set by default at SGD100 or lower;
- delay of at least 12 hours before activation of a new soft token on a mobile device;
- notification to existing mobile number or e-mail registered with the bank whenever there is a request to change a customer’s mobile number or e-mail address;
- additional safeguards, such as a cooling-off period before implementation of requests for key account changes such as in a customer’s key contact details;
- dedicated and well-resourced customer assistance teams to deal with feedback on potential fraud cases on a priority basis;
- more frequent scam education alerts.
These more stringent measures will lengthen the time taken for certain online banking transactions but will provide an additional layer of security to protect customers’ funds. In consultation with MAS and the Singapore Police Force (SPF), banks are progressively implementing the following additional measures effective 31 October 2022:
- require additional customer confirmations to process significant changes to customer accounts and other high-risk transactions identified through fraud surveillance;
- set the default transaction limit for online funds transfers to SGD5,000 or lower;
- provide an emergency self-service ‘kill switch’ for customers to suspend their accounts quickly if they suspect their bank accounts have been compromised;
- facilitate rapid account freezing and fund recovery operations by co-locating bank staff at the SPF Anti-Scam Centre; and
- enhance fraud surveillance systems to take into account a broader range of scam scenarios.
The preventive measures implemented to combat financial scams are likely to inevitably result in some friction or inconvenience in the online banking experience of customers. For example, it might take a little longer to complete online banking transactions. Financial institutions will also conduct more due diligence when customers request to change or register a new phone number. In an era of fast payment and increased fraud and scams, one notable result of the countermeasures is to protect the interests of customers. It is important, however, to balance these checks to make sure they don’t provide too much friction to the banking process. The FICO survey found for example that many Malaysians won’t open an account if the identity checks are too difficult or time-consuming: 37 per cent gave up opening a savings account, 29 per gave up applying for a credit card and 27 per cent abandoned applying for a personal loan. Further to this, 26 per cent of Malaysians said troublesome checks meant they reduced their use or stopped using their bank account and 27 per cent their credit card. Policymakers and the financial industry recognise the need to carefully balance between security considerations and customer convenience.
The combatting of financial scams requires co-operation and concerted action from all parties, not just of financial sector regulators and the financial industry, but also from law enforcement agencies, government and relevant ministries, as well as the public. To this end, an emerging trend is the establishment of centralised fraud reporting or co-ordinating centres. For example, the Malaysian government established the National Scam Response Centre (NSRC), a command centre to co-ordinate the rapid response to online financial scams. NSRC brings together resources and expertise from multiple agencies from BNM, financial institutions and the telecommunication industry to combat financial scams more quickly and effectively. This is part of facilitating the reporting by the public of financial scams. Victims must make a police report to furnish more detailed information to allow the authorities to investigate the matter. Victims must also immediately call their banks or the hotline as soon as they discover that they have been scammed. This is because in trying to trace and intercept stolen funds, and to prevent further losses, time is critical.
An important aspect in dealing with financial scams is raising public awareness, including the scam tactics used by criminals and the steps that the public can take to avoid becoming victims of financial scams. In this regard, SEACEN members and stakeholders, the financial industry and law enforcement agencies are creating awareness programmes and improving the dissemination of information to the public. Various educational and awareness initiatives have been implemented across multiple channels and platforms. The authorities are encouraging users to be vigilant and ensure that their devices, such as mobile phones, run up-to-date software and operating systems. They should ensure that their devices are secure, free from suspicious apps which might carry malware and spyware. This means being careful with what you install on devices used for online banking transactions.
Customers have a vital role in the fight against scams and need to stay abreast of online banking hygiene practices as scam tactics evolve. There are many ways as users of fast payments that we can protect ourselves from scams. For example, MAS suggests the following:
- keeping apprised of scam advisories and alerts put out by SPF, National Crime Prevention Council, MAS and banks;
- referring to official sources, such as the MAS Financial Institution Directory and cards (e.g., ATM or credit cards) issued by banks, for hotline numbers and website addresses to communicate with banks;
- moving towards greater use of bank apps for banking needs and receiving notifications by turning on in-app notifications on their devices; and
- never divulging internet banking credentials or passwords to anyone.
BNM encourages the following three steps called ‘3S – Spot, Stop and Share’:
- spot – look out for signs of scams. Question, investigate and enquire to ensure that you are about to engage in a legitimate transaction;
- stop – if anything looks doubtful or suspicious, it’s probably such a case, so stop engaging with the suspected scammer. It is important that you do not provide any banking or payment details;
- share – share your knowledge of scams with friends and family and help protect others by reporting scams to relevant authorities so that they can take action.
To minimise the risk of navigating to fraudulent websites, bank customers are strongly encouraged to use mobile banking apps, as opposed to web browsers. Banks are encouraged to continuously enhance the functionality of their banking apps and assist customers to make the transition towards greater use of these apps. Customer vigilance remains of paramount importance. Scammers are quick to adapt in targeting unsuspecting consumers. To avoid falling for online banking scams, customers must:
- never click on links provided in SMSes or e-mails;
- never divulge internet banking credentials or passwords to anyone;
- verify SMSes or e-mails received by calling the bank directly on the hotline listed on its official website;
- verify that you are at the bank’s official website before making any transactions, or transact through the bank’s official mobile application; and
- closely monitor transaction notifications so that any unauthorised payments are reported as soon as possible to increase the chances of recovery.
Conclusion
The uptick in the adoption of digital payment modes not only expands the fraud attack surface but makes for a more complex set of customer experience concerns. Frauds and scams are evolving, scammers are preying on users’ habits and behaviours using tactics to fool and ensnare them. The ongoing fight against scams requires an ecosystem approach, with all stakeholders playing their part in staying vigilant and guarding against scams. All of us can do our part to raise awareness and share relevant information on scams with others, being vigilant ourselves while also helping others do so.
It may be challenging for organisations that rely on traditional anti-fraud measures to detect scams and keep abreast of the complex and fluid global landscape. Protecting real-time payments requires analytics that look for changes in customer behaviour such as using accounts or devices outside of their usual habits, as well as standard anomalies such as time-of-day or frequency of a transfer. It requires solid digital identification and authentication with multi-layered defense, usage of digital intelligence and behavioural analysis to make smarter and more informed decisions for fraud prevention. Adaptive authentication will also be vital in helping businesses to thrive and stay competitive with lower friction and higher security in today’s mobile age. These pit the need for superior fraud management against the desire for easier customer communication, authentication and verification preferences. While the enhanced anti-scam measures put in place by banks may lengthen the time taken for customers to complete certain online banking transactions, this is necessary to achieve a greater level of security and protection for their funds. As new scams and frauds emerge, banks are increasingly challenged by balancing customer experience needs against managing fraud risks and controls such as securing payment verification. Implementing effective account security technologies that reduce friction is therefore a priority.
Mark is a Senior Financial Sector Specialist in the Financial Stability, Supervision and Payments pillar at the SEACEN Centre.