Banks, telcos or consumers - who will bear phishing scam losses under proposed framework? Here are 4 scenarios

An online scam victim sending a credit card number to a scammer. (File Photo: iStock)

  • Financial institutions that are found to have breached anti-scam obligations could bear the full losses suffered by victims of digitally-enabled phishing scams
  • This is if a new framework proposed by the authorities on Wednesday (Oct 25) is implemented
  • The proposed Shared Responsibility Framework for phishing scams was unveiled in a joint consultation paper by the Monetary Authority of Singapore and the Infocomm Media Development Authority
  • The paper outlines a “waterfall approach” where responsibility for losses cascades from financial institutions to telephone companies, and finally to consumers - if these companies fail to meet their obligations as set out in the framework
  • TODAY looks at some possible scam scenarios and who will bear responsibility in these different instances under the framework

SINGAPORE: If a new framework proposed by the authorities on Wednesday (Oct 25) is implemented, financial institutions could bear the full losses incurred by victims of digitally-enabled phishing scams, should the institutions be found to have breached anti-scam obligations.

The proposed Shared Responsibility Framework (SRF) for phishing scams was unveiled in a joint consultation paper published by the Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA).

The paper, which outlines a “waterfall approach”, proposes that responsibility for losses cascades from financial institutions to telephone companies (telcos) - where the phishing scam was perpetrated via SMS - and finally to consumers, if these companies fail to meet their obligations as set out in the framework.

In the consultation paper, MAS and IMDA said the proposed framework will only cover digitally-enabled phishing scams with a “clear Singapore nexus” for now.

This means that any entities impersonated in phishing scams should either be Singapore-based, or entities based overseas that offer their services to Singapore residents.

It also has to be a phishing scam - which generally involves consumers being deceived into clicking on a phishing link and entering their credentials on a fake digital platform.

In doing so, they unknowingly reveal their credentials to scammers, who can proceed to perform unauthorised transactions from their accounts.

Still, although the conditions for filing claims are clearly set out, the waterfall framework involves multiple stakeholders, and consumers may - at the start - find it hard to discern what could be covered by the proposed framework.

TODAY looks at some possible scenarios where phishing scam victims may file reports in hope of recouping their losses, and who should bear responsibility in these different instances.

WHO SHOULD BEAR THE LOSSES?

SCENARIO 1

  • A scammer impersonates the police and contacts a consumer via a WhatsApp message
  • The consumer is directed by a link in the scammer’s WhatsApp message to a fake Immigration and Checkpoints Authority (ICA) website to pay for his purported “outstanding fines”
  • The consumer then enters his banking credentials and one-time password into the fake banking website, as directed from the fake ICA website
  • The scammer then uses the consumer’s banking credentials and one-time password to activate a new digital security token on the scammer’s own phone
  • The scammer then makes 10 transactions of S$500 (US$364) each to another local account
  • As the bank’s system is down, notification alerts for the 10 outgoing transactions and activation of a new digital security token are sent to the consumer only two days later
  • When the consumer receives these notification alerts, he immediately tries to report them to the responsible financial institution, but is unable to as the institution is receiving a high volume of calls
  • He then tries to activate the kill-switch - which allows consumers to quickly suspend their accounts if they fear they have been compromised - but is unable to do so due to a system issue on the institution’s end
  • Subsequently, the scammer makes further unauthorised transactions amounting to S$4,000 on the consumer’s account, as the consumer is unable to suspend his account
  • A notification alert is sent for this further S$4,000 transaction

Verdict: A full payout will be borne by the responsible financial institution, under the new proposed framework

  • The case is applicable for assessment under the new proposed framework, as all elements of a phishing scam - as outlined by the framework - have been met
  • The financial institution has failed in its duty to send real-time notification alerts for the activation of a new digital token, and for the first 10 unauthorised transactions
  • It also failed in its duty to make a kill-switch available to the consumer at all times
  • Telcos would not be involved in this assessment, as the link leading to the fake ICA website was sent through WhatsApp, not SMS
  • As such, the financial institution would have to bear the full losses incurred by the consumer (that is, for the 10 S$500 transactions and the subsequent S$4,000 transaction)

SCENARIO 2

  • A scammer impersonates a financial institution and contacts a consumer via a phishing email
  • The email informs the consumer that his account is about to be suspended
  • The consumer proceeds to click on a website link provided in the email, believing it would take him to an online page where he can prevent his account from being suspended
  • The link then brings him to a spoofed “financial institution” website, where he enters his account credentials
  • The scammer subsequently uses the credentials and one-time password provided to take over the consumer’s account without his knowledge, and sets up a digital token on the scammer’s own device
  • Due to a system error, the responsible financial institution does not impose a 12-hour cooling-off period during which high-risk activities cannot be performed
  • As a result, the scammer is able to increase the consumer’s online transaction limit from S$5,000 to S$10,000 - which is deemed a high-risk activity - within 12 hours of the new digital token’s activation
  • Although the consumer sees the notification alerts informing him of the activation of a new digital token and the increase of his transaction limit, he does not act on them
  • The scammer then proceeds to make multiple transactions of S$10,000 each, out of the consumer’s account

Verdict: A full payout will be borne by the responsible financial institution

  • The case is applicable for assessment under the new proposed framework, as all elements of a phishing scam - as outlined by the framework - have been met
  • The responsible financial institution has failed in its duty to impose a minimum 12-hour cooling-off period
  • This allowed the scammer to increase the consumer’s transaction limit within what should have been the 12-hour cooling-off period
  • As such, the financial institution would have to bear the full losses incurred by the consumer
  • This is in spite of the fact that the consumer has failed to take due care by clicking on the link in the phishing email, and also choosing to ignore the notification alerts sent to him

SCENARIO 3

  • A scammer impersonates a financial institution and sends a phishing email to a consumer, informing him of an attractive financial product
  • The consumer clicks on the link within the phishing email, which leads him to a spoofed financial institution website
  • He enters his account credentials and one-time password on the fake website to purchase the product
  • The scammer uses these account credentials to initiate three monetary transactions - of S$1,000, S$2,000, and S$3,000 - to another local account
  • As the consumer has previously adjusted his transaction notification threshold to S$1,500, the notifications are only sent by the responsible financial institution for the transactions of S$2,000 and S$3,000

Verdict: No payout will be made under the proposed framework; consumer to bear full losses

  • The case is applicable for assessment under the new proposed framework, as all elements of a phishing scam - as outlined by the framework - have been met
  • While the responsible financial institution did not send out notification alerts for the S$1,000 transaction, this does not constitute a breach of duty, as the consumer had previously opted to raise his transaction notification threshold to S$1,500
  • Given that the link leading to the spoofed “financial institution” website was sent to the consumer via email and not SMS, the telcos would not be liable in this assessment
  • The full losses will therefore be borne by the consumer, though he may approach existing avenues of dispute resolution if he wishes to seek further recourse

SCENARIO 4

  • A consumer receives a WhatsApp message containing a clickable link from a scammer purporting to be a foreign seller of furniture
  • While the foreign “furniture seller” is unknown and its brand is not recognisable, the consumer feels that the prices offered are very attractive and decides to make a purchase
  • Upon clicking on the link in the WhatsApp message, the consumer is redirected to a fake digital platform where he keys in his bank account credentials and one-time password to make the fraudulent purchase
  • This allows the scammer to obtain his credentials and one-time password
  • The scammer then uses these details to enter the consumer’s bank account and make unauthorised transactions

Verdict: No payout will be made under the proposed framework; consumer to bear full losses

  • Although the case involved a phishing scam, it does not fall within the framework’s scope, as it does not have a Singapore nexus
  • The foreign furniture seller that had been impersonated was neither a legitimate Singapore-based entity nor a legitimate overseas-based entity that is known to offer services to Singapore residents
  • In this case, the full losses will be borne by the consumer
  • Nevertheless, the consumer may approach existing avenues of dispute resolution, if he wishes to seek further recourse

As a rule of thumb, financial institutions, followed by telcos, will be expected to bear the full losses incurred from such digitally enabled phishing scams, should they fail to discharge their respective prescribed duties, said MAS and IMDA in a joint press statement on Wednesday.

“Financial institutions stand first in line, given that they hold greater responsibility as custodians of consumers’ money.

“Telcos stand second in line, as they play a secondary role in fostering security of digital payments by facilitating SMS delivery.”

Still, while the proposed framework is intended to strengthen financial institutions’ and telcos’ accountability to consumers, it will not absolve customers of their own duty to be vigilant.

“If financial institutions and telcos have fulfilled their duties, the Shared Responsibility Framework will not require payouts to be made to consumers,” said MAS and IMDA.

“A discerning and vigilant public remains the first line of defence against scams.

“Individuals have a responsibility to mitigate the occurrence of scams by practising proper cyber hygiene and not giving away their credentials to a third party under any circumstance,” the authorities added.

This article was originally published in TODAY.

Source: TODAY/at