Singapore’s financial cybercrime problem is fixable – Asia Times

Since the pandemic, Singapore has become a highly digitalised market and is widely regarded as a hub for innovation in Southeast Asia. Research from Google, Temasek and Bain indicates that ASEAN’s digital economy will surpass S$396 billion (US$300 billion) in gross merchandise value by 2025, with the digitalisation of financial services a primary growth driver.

Financial institutions are continuously adding new products, features and engaging customer experiences, making Singapore’s financial services sector one of the most innovative and competitive in the world. But alongside this rapid change, cybercriminals are looking to take advantage of the expanding online landscape.

Financial institutions handle sensitive personal and business information for thousands of customers, including bank details, login credentials and high-value transactions. These businesses are therefore lucrative and frequent targets of attacks in Singapore, often through malware or phishing, making financial services one of the sectors most targeted by scammers today.

Singapore’s financial services industry was the leading target of phishing attacks in 2022, according to the Cyber Security Agency of Singapore (CSA), with more than 80% of reported phishing sites found to be impersonating financial institutions.

In most such attempts, scammers spoofed banking and financial services, according to Verizon’s 2024 Data Breach Investigations Report (DBIR).

Businesses and pension funds suffer significant losses

According to the Singapore Police Force (SPF) annual scams and cybercrime brief in February 2024, nearly 2,000 Singaporeans fell victim to a string of Android malware scams, and at least S$34.1 million was lost in 2023. Scammers have reportedly used Facebook, WhatsApp, Instagram and TikTok to reach their targets.

One of the highest-profile recent phishing schemes involved OCBC in December 2021, with S$13.7 million lost. Some victims reported losing their life savings almost immediately after spoofed SMS messages, which appeared in the same conversation thread as authentic bank messages, directed them to fake bank websites.

As a goodwill gesture, the bank reimbursed the affected customers in full, even though it was arguably not at fault. Legally, a customer has no recourse against their financial service provider, because the customer is held responsible for the chain of events that led to the loss.

Phishing scams that impersonate banks to steal users’ bank or pension account login details continue to make headlines in Singapore. However, this kind of fraud can and should be prevented, and Singaporeans can and should do more to protect themselves from unauthorised access to their online transactions.

Fake advertisements lead to credential theft

The modus operandi of these schemes has been to entice victims with “investment opportunities” posted on social media platforms. When clicked, these promotions lead to messaging apps or fake investment sites. There, victims are prompted to sign up for an account, unwittingly handing over personal and banking information that is then used for fraudulent transactions.

Best practice says every financial institution should move away from legacy multi-factor authentication (MFA) tools such as authenticator apps and one-time passcodes (OTPs) sent via SMS, which are vulnerable to phishing. MFA can serve as a powerful first line of defense, but not all forms of MFA are created equal.

Instead, organizations need to choose strong, phishing-resistant authentication tools such as hardware security keys. Phishing-resistant MFA is immune to attempts to intercept or circumvent the authentication process because it relies on cryptographic verification between the devices involved, or between the device and a specific domain.

They require something you know (a PIN), something you have (the key) and something you are (a physical touch) to gain access to the account.

However, the legacy authentication tools and reactive measures currently used to protect customers are inadequate, and the financial services industry needs to move to a proactive approach to security.

Weak reactive approach to security

Once activated through the CPF website, a member’s CPF (Central Provident Fund) account in Singapore is locked, which disables all online withdrawals. Members can raise the daily withdrawal limit to re-enable online withdrawals, which requires stronger authentication and a 12-hour cooling period.

Customers can call their bank to unlock their accounts, which can be slow and cumbersome. Taiwanese banks also offer this locking function. There are better ways to verify the owner of a bank or pension account than to simply lock the account entirely. These anti-malware safety measures are affecting how customers use their bank accounts.

Financial institutions that take the wrong approach to defending against attacks also face legal repercussions. The Monetary Authority of Singapore is empowered to impose technology risk management requirements under Singapore’s Financial Services and Markets Bill.

It has raised the financial penalty for local financial institutions that suffer a security breach as a result of negligence to S$1 million per occurrence.

Proactive digital protection for consumers with phishing-resistant passkeys

Under this reactive approach to digital protection, Singaporean financial institutions can only act after a breach has occurred. By taking a proactive approach to cybersecurity, they could stop breaches from happening in the first place.

A highly effective way of strengthening financial institutions’ security is to mandate phishing-resistant MFA for bank and pension accounts, including passkeys, a new name for FIDO2 passwordless credentials: a standard that replaces password-only logins with more secure passwordless experiences.

Modern MFA requires customers to authenticate with a strong, modern credential such as a passkey, which adds a layer of security that stops unauthorized access and theft. However, there are key differences between the kinds of passkeys available.

A tale of two passkeys: syncable and device-bound

Passkeys use public key cryptography, a technique based on a pair of related keys. The public key is kept by the app or website, while the private key stays on the user’s device, which safeguards it from unauthorized access.

It is important to understand that there are two types of passkeys: syncable and device-bound. Syncable passkeys are stored in the cloud and can be shared between various devices, which is convenient but also a risk if the devices are stolen or compromised.

Once a malicious actor has control of someone’s phone through malware, they have access to their syncable passkeys. Device-bound passkeys, stored on devices like phones, computers, or hardware security keys, including YubiKeys, provide a much higher level of security.

For optimal security, Singaporean financial services companies should mandate device-bound passkey authentication for all customers, balancing convenience with strong security. Then, even if a customer is drawn into a phishing scam through a social media channel or clicks a suspicious link, their passkey remains safe.

Geoff Schomburgk is Vice President for Asia-Pacific & Japan at Yubico.