A Singaporean in his 60s thought he was protecting his family’s savings when he co-operated with “police officers” from China who accused him last month of being involved in money laundering.
He ended up losing close to $270,000 from five POSB accounts linked to his name over eight consecutive days last month. This was money that he needed for his family’s expenses and children’s education.
The case took place as scams involving the impersonation of China officials rose from 179 cases in the first half of the year to 249 in the July to September period.
Victims lost at least $21 million from January to September, with one losing $2.38 million, said the police.
There were 74 impersonation scams from January to last month, where scammers pretended to be from local agencies such as the police force or Ministry of Manpower.
In the man’s case, it all started one morning when a caller claiming to be a policeman told him that a female “bank employee” who previously contacted him had been arrested abroad.
He was told that his accounts, which had been implicated in her crimes, would be frozen unless he called Chinese police officers and followed instructions for them to help.
The man provided his details and applied for an Internet banking token – a gadget he had never used before.
He then called a Chinese number, speaking to a man named Liew for up to an hour every day. About seven times a day, he was asked to read out codes on the token after pushing a button.
It was not until almost two weeks later that he realised that five of his family’s bank accounts, which were linked to his name, had been cleaned out.
Money from his children’s and sister’s joint accounts with him had been transferred to one of his own before being siphoned out in sums of between $417 and $2,029.
This was done multiple times in a row, mostly recorded as a transaction to a merchant under D2Pay – a direct debit payment system. Other inter-bank fund transfers were also made.
“It was as though I had been hypnotised, I believed everything they said,” said the victim, who declined to be named.
“They told me not to update my bank book, or they would tell the Monetary Authority of Singapore to hold my accounts.”
When his two children, both in tertiary institutions, realised that money had vanished from their bank accounts, they asked him about it.
He had only recently transferred money that he received from their insurance policies into their accounts.
“I told them that I took the money out for investments,” he said.
He has since come clean with them and reported the case to the police.
He said he asked the bank why it failed to alert him when multiple transactions were made and was told only that the case is under police investigation. The bank also told him to close his accounts.
“I don’t know what is going to happen. My life savings… are all gone just like that,” he said.
In response to queries, a DBS spokesman said the bank is unable to comment on this specific case as it is under police investigation. POSB is a part of DBS Group.
When asked about D2Pay transactions, the spokesman said: “We inform our customers via SMS of transactions done on their accounts. The same protocol is used for D2Pay transactions.”
He said the bank has “a robust due diligence process in place” for those who become merchants on D2Pay, as “they first need to become our corporate customers to obtain a corporate account”.
Instead of allowing customers the option of receiving one-time passwords via SMS, DBS switched to only token authentication last year for better security, he said.
Other banks said they have security measures such as fraud-monitoring systems to detect irregular activity, as well as two-factor authentication (2FA).
United Overseas Bank said that once an irregularity is flagged, investigations will take place immediately and it will call the customer to verify the transaction.
Mr Patrick Chew, head of operational risk management at OCBC Bank, said customers need 2FA for online transactions.
While its number of unauthorised transactions has been low, “in such an instance, it is often a case of the individual having inadvertently divulged his security information”.
A spokesman for Maybank said it introduced an eight-digit code last week for customers who access their accounts online.
Users receive this code on their registered phones and key it into a token to generate a one-time password to complete the transaction. In the past, users needed only the one-time password on their tokens.
Guard personal data, be wary of cold calls: Experts
While banks have improved their security, consumers should be careful not to give out their personal data and to beware of cold calls in particular, experts have warned.
Mr David Freer, vice-president of Intel Security’s Asia-Pacific consumer division, said consumers should read the terms and conditions carefully when giving personal information in return for something such as a gift or free trial.
He added: “If possible, opt out of allowing companies to use the data for other purposes, such as cross promotions.”
Mr Alan Lee, a spokesman for security firm Norton, said that in the last year or so, there have been phone scams involving conmen who pass themselves off as staff of courier company DHL and claim that victims’ details were used to send parcels containing fake passports or weapons.
“Traditionally, banking has been an area where there is a lot to be compromised or taken advantage of,” he added.
An emerging trend is the attacking of the two-factor authentication that banks have adopted, Mr Lee said, noting that this could be done on Android phones using a trojan – malicious software that can steal information, including SMS messages.
Fraud detection systems may detect certain unusual activity, he said, but there could also be ” lower accuracy patterns” that they fail to spot.
A DBS Bank spokesman said customers should be careful when they get unsolicited calls from unknown parties. They could take down the caller’s name and department before calling the supposed company back on its official number.
Customers should not give out information such as log-in details or one-time passwords over the telephone or e-mail, the spokesman added.
He also gave the following tips:
- Be open to family members and banks so they can help – staff can take protective measures if given enough information in time.
- Joint-alternate accounts require only one account holder to effect a transaction. As an added safeguard, customers may sign up for a joint-all account, which would require both account holders’ approval to withdraw funds.
- Do not provide personal or bank information or remit money on the advice of unsolicited callers.
This article was first published on October 25, 2016.
Get a copy of The Straits Times or go to straitstimes.com for more stories.
