In an island-wide anti-scam enforcement operation conducted between 19 and 23 June 2023, the Commercial Affairs Department (CAD) and Police Intelligence Department (PID) arrested seven men and a woman, aged between 20 and 28, and a 16-year-old youth, for their suspected involvement in the recent spate of banking related phishing scam cases involving malware attack on Android mobile devices. Another two women and a man, aged between 27 and 57, are assisting in the investigations. Case exhibits such as a mobile phone and several bank cards were seized, and close to 20 bank accounts were frozen with a sum of more than $54,000 seized.
New Scam Modus Operandi
Since late May 2023, the Police have received several reports informing that malware was used to compromise mobile devices, resulting in unauthorised transactions made from the victims’ bank accounts even though they did not divulge their Internet banking credentials, One-Time-Passwords (OTPs) or Singpass credentials to anyone. In some cases, this had also led to unauthorised transactions in the victims’ Central Provident Fund (CPF) accounts, where the money was withdrawn and credited to the victims’ bank accounts, and subsequently transferred out of their bank accounts.
In these cases, the victims responded to advertisements (e.g. on food items such as seafood and groceries) in social media platforms like Facebook, and were later instructed by the scammers to download mobile apps from third-party sites or via WhatsApp, leading to malware being installed on the victims’ mobile devices. Unknown to the victims, the mobile applications, which contained the malware, enabled the scammers to access the victims’ mobile devices remotely and steal Internet banking credentials, OTPs, Singpass credentials, and other personal information found in the devices. With the stolen credentials, the scammers gained illegal access to the victims’ CPF accounts by accessing the victims’ Singpass app and bank accounts. The scammers subsequently carried out unauthorised withdrawals from the victims’ CPF accounts to the victims’ bank accounts, before making further unauthorised transactions from the victims’ bank accounts to several money mules’ bank accounts. A total of more than $221,000 was lost from the victims, including more than $114,000 of money from CPF accounts.
Police’s Anti-Scam Operations
During the five-day operation, officers from the CAD and PID mounted simultaneous island-wide operations and arrested the nine persons. Preliminary investigations revealed that five men and one woman, aged between 20 and 28, and the 16-year-old youth, had allegedly facilitated in the scam cases by relinquishing their bank accounts, Internet banking credentials and/or disclosing Singpass credentials for monetary gains. The other two men, aged 23 and 25, are believed to have withdrawn money from some of the money mules’ bank accounts and handed the money to unknown persons.
Police investigations are ongoing. The offence of acquiring benefits from criminal conduct under Section 54(5)(a) of the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act 1992, carries an imprisonment of up to 10 years, a fine of up to $500,000, or both. For deceiving the banks into opening bank accounts that were not meant for their own use and relinquishing their bank account login details, they are liable under Section 417 read with Section 109 of the Penal Code and Section 3(1) of the Computer Misuse Act 1993 respectively. The offence of cheating under Section 417 of the Penal Code 1871 carries an imprisonment term of up to three years, or with fine, or both, while the offence under Section 3(1) of the Computer Misuse Act 1993 carries a fine of up to $5,000, or an imprisonment term of up to two years, or both. For disclosing their Singpass credentials under Section 8 of the Computer Misuse Act 1993, they are liable to an imprisonment term not exceeding three years, a fine of up to $10,000, or both.
Advisory Against Downloading of Malicious Apps
The Police would like to remind members of the public that they should not click on suspicious links, scan unknown QR codes, or download mobile apps from third-party websites or unknown sources. These unverified apps may contain malware, which can severely compromise the security of the mobile devices. Instead, members of the public are reminded to only download apps from official app stores. Before downloading any app, check the number of downloads and user reviews. Always be wary of any requests for banking credentials or money transfers, and attractive offers that sound too good to be true. Lastly, members of the public are advised to turn on security settings, such as disallowing installation of apps from unknown sources, to help protect their devices.
The Police will spare no effort to track down cybercriminals who are responsible for the banking-related malware incidents and will continue to take tough enforcement actions against those who flout the law. To avoid being an accomplice in these crimes, members of the public should always reject seemingly attractive money-making opportunities promising fast and easy pay-outs for the use of their Singpass accounts, bank accounts, or for allowing their personal bank accounts to be used to receive and transfer money for others. The Police would like to remind members of the public that individuals will be held accountable if they are found to be linked to such crimes.
For more information on scams, members of the public can visit www.scamalert.sg or call the Anti-Scam Helpline at 1800-722-6688. Anyone with information on such scams may call the Police Hotline at 1800-255-0000 or submit information online at www.police.gov.sg/iwitness. All information will be kept strictly confidential.
Case exhibits seized ▼
Persons arrested ▼
SINGAPORE POLICE FORCE
24 June 2023 @ 4:40 PM