Tech Is Available to Protect Against Scams, Businesses Just Need to Apply It
by Foo Siang-Tse, Senior Partner (Cyber), NCS
It seems like almost every other day now there are new scam cases reported in Singapore, with even digital-savvy professionals falling prey and others losing their life savings.
Allowed to fester, this can fuel consumer doubt and erode trust in the country’s digital ecosystem.
So, what are we doing wrong? Where exactly are the loopholes? Which party in the equation isn’t doing enough?
The short answer is we can all do more, starting with the need for businesses to think outside the box and for consumers like you and me to better arm ourselves as the last line of defence.
The impetus to do so is more urgent than ever as scammers continue to accelerate their activities. The number of scam and cybercrime cases increased by almost 50% in 2023 compared to 2022, and in the first two weeks of January 2024 alone, at least 219 victims lost more than S$446,000 to scams, mostly by clicking on phishing links sent via SMS messages, according to the Singapore Police Force.
These links directed the victims to fraudulent banking websites and hoodwinked them into providing their online banking details as well as their one-time password (OTP), which were then used to make unauthorised withdrawals.
And it isn’t just suspicious SMS messages we need to be careful about because scammers continue to evolve their modus operandi. Synthetic identity theft, deepfakes, and cryptocurrency scams are just a handful of tactics that will likely gain further prominence this year.
With synthetic identities, scammers piece together elements of a victim’s personal information such as name and date of birth to create new false identities. These then are used to open bank accounts, sign up for credit cards, or commit other fraudulent activities. In fact, synthetic identity fraud is projected to generate losses exceeding US$23 billion by 2030, according to Deloitte Centre for Financial Services.
Scammers also are getting help from the likes of Prime Minister Lee Hsien Loong and Deputy Prime Minister Lawrence Wong to bait potential victims. When I say like, I’m actually referring to the likeness of the two ministers, whose voices and images were mimicked using deepfake technologies and used to hawk cryptocurrency investment scams.
The emergence of generative artificial intelligence affords more opportunities for scammers to generate deepfakes, synthetic identities, and personalised phishing messages at scale, tapping these to proliferate their campaigns.
It underscores the need for us to also adopt anti-scam technologies at scale and bolster our overall cyber defence.
Finding The Returns to Apply Anti-Scam Tools at Scale
When we look deeper into scams, we’ll realise that the crux of the problem really is identity fraud. It underpins the fraudulent transactions in which scammers are able to convince one party that the other is bona fide.
The parties involved are not properly authenticated, which enables scammers to assume the victim’s identity and cause damage such as taking over a bank account and sending money where it should not be sent.
It points to the importance of identity, authentication, and authorisation. Here, multi-factor authentication (MFA) plays a fundamental and crucial role in helping to significantly curb scams – if it is implemented where it matters.
For instance, one common trick involves scammers calling a targeted victim and posing as an entity that they’re not, such as a bank or retailer, in a bid to convince the victim to divulge their personal banking or payment details.
To stop such scams from following through, businesses could send an alert via their official mobile app to inform customers that a service agent will be calling them on their phone within the next minute. Customers can be further prompted to authenticate their identity via the app when the call comes through.
This assures customers that a legitimate service agent is on the other end of the line, and the bank or retailer is also able to validate the customer’s identity.
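The announce-then-authenticate flow described above, sketched as an added example; it is not NCS's or any bank's implementation. The per-device key provisioned at app enrolment, the HMAC message layout, and the names `BankServer` and `CustomerApp` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CALL_WINDOW_SECONDS = 60  # "within the next minute", per the article

def mac(key, *parts):
    # HMAC-SHA256 over the labelled fields; the field layout is an assumption.
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()

class BankServer:
    def __init__(self, device_keys):
        self.device_keys = device_keys  # customer_id -> key set at app enrolment (assumed)
        self.pending = {}               # call_id -> (customer_id, expires_at)

    def announce_call(self, customer_id, now=None):
        """Build the in-app alert pushed just before the agent dials."""
        now = time.time() if now is None else now
        call_id = secrets.token_hex(8)
        expires_at = int(now) + CALL_WINDOW_SECONDS
        self.pending[call_id] = (customer_id, expires_at)
        tag = mac(self.device_keys[customer_id], "announce", call_id, str(expires_at))
        return {"call_id": call_id, "expires_at": expires_at, "tag": tag}

    def verify_approval(self, call_id, approval_tag, now=None):
        """Agent side: proceed only if the enrolled app approved this call in time."""
        now = time.time() if now is None else now
        entry = self.pending.pop(call_id, None)  # single use, so a replayed approval fails
        if entry is None:
            return False
        customer_id, expires_at = entry
        if now > expires_at:
            return False
        expected = mac(self.device_keys[customer_id], "approve", call_id)
        return hmac.compare_digest(expected, approval_tag)

class CustomerApp:
    def __init__(self, key):
        self.key = key

    def approve_call(self, notice, now=None):
        """Return an approval tag only for a genuine, unexpired announcement."""
        now = time.time() if now is None else now
        expected = mac(self.key, "announce", notice["call_id"], str(notice["expires_at"]))
        if not hmac.compare_digest(expected, notice["tag"]):
            return None  # alert did not come from the bank: treat the caller as unverified
        if now > notice["expires_at"]:
            return None  # a call arriving outside the announced window is not vouched for
        return mac(self.key, "approve", notice["call_id"])
```

A caller who cannot trigger a valid in-app alert fails the customer's check, and a caller who cannot produce the app's approval fails the bank's check, so each side authenticates the other.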
MFA technologies already are available to facilitate this, so it basically is a matter of applying the tool where it counts. And I think this should encompass any time a customer interacts with an organisation and not just those involving high-value transactions, which is often the case now.
Whenever someone engages with a business, regardless of whether any money is exchanged, their identity is inherently associated with that interaction. Unauthenticated, this identity – if fraudulent – can proceed to extract personal details that can then be used to create synthetic identities and in subsequent interactions to perform fraudulent transactions.
It demonstrates how a seemingly innocuous interaction that an organisation may not initially think warrants MFA can potentially lead to significant damage and high-value losses.
This can be a key consideration when businesses carry out risk-benefit assessments and want to justify their investment in MFA and identity management as an anti-scam measure.
It may not be the silver bullet, but MFA can step in as good bronze ammunition to combat and reduce scam incidents.
That said, it will still take a village to raise a sufficiently resilient wall of defence. In short, everyone in the ecosystem needs to play their part.
Consumers As the Last Line of Defence
Just as it is important for businesses to implement the necessary guardrails, consumers play an equally crucial role as the last line of defence.
Even the strongest application of MFA will prove ineffective if consumers actively put themselves in situations that are likely fraudulent. Remember the saying, when a deal sounds too good to be true, it probably is? Let’s try to keep that in mind and learn from the victims who unfortunately fell for scams that peddled discounted Chinese New Year food items, losing SG$167,000 in total.
Apart from staying vigilant and away from suspicious deals, consumers also should be prepared to lose some convenience in exchange for stronger safeguards. It may be a pain to authenticate our identity every time we interact with a retailer, but doing so may very well save us from losing our nest eggs.
Organisations, too, should conduct regular training sessions to educate employees about common scams and social engineering tactics. NCS has helped guide its enterprise customers on how they can empower their workforce to recognise potential scams and build a healthy cybersecurity posture.
This also requires the necessary tools including email security, to detect and filter phishing and malicious email, and financial controls, such as implementing dual authorisation for transactions. There also should be rigorous procedures in place to verify invoices, purchase orders, and vendor information before payments are processed.
Above all, businesses will want to determine their risk profile so they can identify the most critical areas to secure as well as risks they are willing to take. They then can optimise their investments in cybersecurity, mitigate the potential risks, and establish the necessary remediation in the event of a security incident.
Together with the government’s anti-scam measures, Singapore can turn the tide and stop scammers from siphoning another dollar if both consumers and businesses play their part.