PHISHING scams have been the bane of the digital age, tricking victims into handing over their hard-earned money.

Scammers typically pretend to be trusted organisations like banks or government agencies. They contact victims via SMS, e-mail or messaging apps, creating a false sense of urgency.

For instance, in the OCBC phishing scam in late 2021, victims received SMSes claiming they needed to click on a link to resolve an issue with their bank accounts. This led them to fake bank websites where they unknowingly entered their login details.

As a result, scammers stole S$13.7mil from 790 OCBC customers. OCBC eventually made “full goodwill payouts” to all victims affected by the scam.

But not all phishing scam victims are that fortunate.

That is why, to ensure that financial institutions (FIs) and telecommunications companies (telcos) will also pay a price if they have fallen short of their duties in mitigating unauthorised transactions, a proposed Shared Responsibility Framework (SRF) was announced in October 2023.

This will set out a tiered system for FIs and telcos to compensate the victim, depending on how far short of their assigned duties they have fallen.

It is a good approach but, as we can expect FIs, for example, to become more stringent to avoid taking the rap, it raises a tricky question: Must consumers pay the price of heightened security with diminished convenience?

The SRF requires banks to provide real-time notifications, a 12-hour cooling period for high-risk activities and a kill-switch. FIs could further enhance their anti-scam efforts by implementing advanced risk-based authentication systems that adapt to individual user behaviour and patterns.

This would provide a more dynamic layer of protection compared with a static 12-hour cooling-off period.

Such a system works by verifying users’ identities on an ongoing basis, using various factors such as biometrics, behaviour, or context. It uses different types of data, such as typing patterns, device sensors, facial recognition, or location, to calculate an authentication score for each user.

But there are privacy and ethical issues involved with such intrusive monitoring.

The SRF also requires telcos to block unverified SMSes that are not from participating aggregators.

To add to this, telcos could explore implementing artificial intelligence-powered solutions that analyse SMS content and sender information in real-time to identify and block suspicious messages before they reach users.

This, however, may require tighter controls on communication channels. While these measures undoubtedly enhance security, they also inch closer to the uncomfortable realm of surveillance.

This begs the question: Why have not banks and telcos implemented these measures proactively? The answer lies in the delicate balance of security and user experience. The tougher the measures, the more the inconvenience for customers.

For example, OCBC’s anti-scam measure in August 2023 that prevented users from logging onto their Internet banking and OCBC Digital app on their phone if it detected risky apps downloaded from unofficial portals led to an outcry among its customers.

Overly stringent measures can inconvenience customers. Furthermore, accurately identifying malicious actors without infringing on genuine communication is a complex technological hurdle.

However, ignoring the issue is not an option. Media reports of the financial and emotional toll on victims of phishing scams are commonplace. Such stories highlight the urgent need for a multi-pronged approach.

The waterfall approach under the SRF – in which responsibility for the losses is apportioned among FIs, telcos and the consumers – provides a clear framework for deciding on compensation for victims.

To further enhance fairness and transparency, the framework could be expanded to include specific criteria for assessing each party’s contribution to the scam, considering factors beyond just negligence. This would provide a more nuanced and equitable approach to compensation.

Additionally, the SRF could be strengthened by establishing a dedicated ombudsman service to oversee the claims process and mediate disputes between stakeholders. This independent body could ensure impartial and efficient resolution of claims.

Initiatives to counter scams are also emerging in other countries.

For example, in May 2023, the Australian Securities and Investment Commission said it proposed to introduce a cross-industry code that will hold banks, telcos and social media platforms responsible for scams and make them liable to reimburse people who lose money through scams.

The framework is still in its early stages but it could involve similar principles to the Singapore SRF such as outlining duties for different stakeholders and potential compensation for victims.

Japan is considering more draconian measures. In August 2023, Japan’s National Police Agency proposed suspending the bank card of anyone over 65 years old who has not used their card in more than a year, in a bid to stop scammers deceiving elderly people into parting with large amounts of money.

The SRF, while a commendable step, is only one piece of the puzzle. It currently focuses on this common scam type involving unauthorised transactions where the FI or telco has not complied with its duty under the SRF. It does not cover scams arising from authorised transactions if the FI or telco has complied with its duty.

This limits the potential usefulness of the SRF for scam victims, but it could make customers more cautious and vigilant.

Malware scams fall outside the scope of SRF. These include investment or love scams where victims authorise payments to scammers.

The SRF also does not cover scams where the victims authorise payments to the scammers, and where the scammers obtain the victims’ credentials through non-digital means like phone calls.

Banks are going beyond SRF to prevent scams. For instance, in October 2023, it was announced that local banks would be implementing measures to allow customers to lock up funds.

This means that these funds cannot be transferred out of one’s account digitally. Withdrawals can be done only physically at bank branches. But this may inconvenience customers.

What we need is an approach that empowers consumers without sacrificing their privacy and convenience.

The SRF is currently being reviewed and is expected to be implemented some time after the consultation process concludes on Dec 20, 2023.

Scams are evolving and the SRF may need to be continually updated. A dedicated advisory committee can be set up for this purpose. It could comprise representatives from FIs, telcos, consumer groups and cyber-security experts.

Additionally, the SRF could propose that FIs and telcos leverage data analytics and machine learning to identify emerging trends and patterns in phishing activity.

The fight against phishing scams demands a delicate dance between security and convenience.

The SRF serves as a promising starting point but we will need to find better ways to ensure that customers’ money remains safe from scams while they are not overly inconvenienced. — The Straits Times/ANN

Ben Chester Cheong is a law lecturer at the Singapore University of Social Sciences and a financial services (regulatory) lawyer at RHTLaw Asia. The views expressed are the writer’s own.