New Singpass face-verification feature for CPF log-in to guard against malware scams

Singapore: Central Provident Fund (CPF) members who log in to their accounts using their Singpass must now go through another step – face verification.

The additional precaution comes amid a spate of malware scams involving CPF savings, said the CPF Board, GovTech and the police in a joint advisory on Thursday (Jun 29).

In the first half of 2023, more than 700 malware-related scams were reported, with losses amounting to about S$8 million (US$5.9 million). Of these, eight cases involved CPF savings, with losses of S$124,000.

“As a further precaution, CPF Board and GovTech had urgently introduced the Singpass Face Verification during the login to protect vulnerable CPF members who access CPF e-services,” the agencies said in a release.

“While this may make it less convenient for members to access CPF online services, we seek CPF members’ understanding that it might be better to be safe than sorry.”

In such malware scams, the victim uses his Android phone to click on a Facebook or other social media advertisement selling an item at a steep discount, and receives a link to download an Android Package Kit (APK) from a non-official app store to facilitate the purchase.

Once the APK is downloaded, malware is installed on the phone. The scammer then convinces the victim via a phone call or text message to turn on accessibility services on his Android phone.

This weakens the security of the phone and allows the scammer to take full control of the phone.

It allows the scammer to log every keystroke and steal banking credentials stored in the phone. This also means the scammer can remotely log in to the victim’s banking apps, add money mules as payees, raise payment limits and transfer money out to money mules.

The scammer can further delete SMS and email notifications of that bank transfer to cover his tracks. Additionally, the scammer may log in to the victim’s CPF account through Singpass to make a withdrawal.

“Although CPF withdrawals can only be paid to a bank account verified to belong to the CPF member, the scammer can subsequently transfer the money out from that bank account using stolen banking credentials from the phone,” said the release.

Last month, police arrested nine people in a five-day operation for their alleged involvement in banking-related phishing scam cases linked to malware attacks on Android mobile devices.