Losses from one-time password scams jump 33-fold to S$15.3m in 2019

SINGAPORE — Last week, 23-year-old university graduate Marie received messages on Instagram from an account posing as a co-worker from a temporary job she once held.

She was asked to provide her mobile number and unique passwords to her GrabPay account in order to take part in a contest.

She ended up losing S$500 in a matter of 20 minutes. “It was a hard lesson for me,” Marie said, declining to give her full name. 

She immediately reported the issue to her bank, the police and Grab, but she has not recovered the sum.

Marie is among a growing number of people here who have fallen victim to scammers requesting unique one-time passwords (OTPs) for online transactions.

Last year, victims of such scams lost an eye-watering S$15.3 million — a 33-fold increase from S$456,000 in 2018, the police revealed in a media briefing on Wednesday (April 1).

The number of these scams also more than quadrupled to 1,101 last year, from 244 cases in 2018.

When contacted, the police declined to reveal the sums recovered from such scams. 

Superintendent Chew Jingwei, head of syndicated fraud at the police’s Commercial Affairs Department, told reporters that fraudsters would typically ask for OTPs in cases involving impersonation on social media and lucky draws, as well as in technical support and bank phishing scams.

In these scams, offenders masquerade as the victim’s friends, government officials, technical-support employees from a company, or bank staff members so as to trick them into divulging personal log-in credentials.

In February, the police announced that reported scams rose by 53.5 per cent last year, driving up the annual crime rate by 6.3 per cent.

DON'T TRUST REQUESTS FOR PASSWORDS 

Supt Chew said that OTPs are security features used to verify an individual’s identity and safeguard online transactions, and are not meant to be shared with others.

Being asked to disclose an OTP should be a “big red flag” for anyone, he added, noting that police officers and government officials would never ask the public for an OTP.

“The number one rule that members of the public should remember is never divulge your one-time passwords for online transactions to anyone,” he said.

Supt Chew also noted that unlike victims of traditional scams, who often actively transact with scammers, those who fall prey to OTP schemes are usually unaware that a transaction is happening.

Furthermore, the culprits are usually not caught, because many operate overseas and are part of syndicates targeting Singaporeans. 

Supt Chew said that the police have been working with their foreign counterparts to identify these scammers and stop their operations.

To stem the surge in scams involving OTPs, firms such as Grab and OCBC bank have started displaying messages and advisories when issuing OTPs to customers, warning them not to disclose the passwords.

Mr Foo Wui Ngiap, head of technology at Grab’s integrity group, said that the firm has added another layer of protection that is triggered when individuals make large transactions or when Grab’s system detects suspicious log-in activity.

Users are given a six-digit code that they must remember, similar to a password or internet-banking pin (personal identification number), he said.

However, such security measures would ultimately be ineffective if users willingly provide scammers with sensitive information, Mr Foo said.

“You can have the most locked-down, high-tech house, but if you pass the front-door key to someone, they can just walk in,” he added.

Mr Patrick Chew, head of operational risk management at OCBC, stressed that banks would not ask customers for information such as log-in credentials or OTPs.

OCBC said that last year, its customers reported losses of S$3.8 million owing to scams involving the disclosure of OTPs. The bank prevented and recovered S$1.5 million worth of such scam transactions that same year. 

Mr Chew added: “Our collaboration with the police to include warning messages in our OTP messages to remind customers not to share their passwords is one of the important steps in this scam prevention fight.

“However, preventing scams goes beyond the bank and our fraud detection systems. Customers and members of the public play an equally important role.”