A total of eight men and two women, aged between 17 and 57, and a 16-year-old teenager have been arrested for their suspected involvement in the recent spate of banking-related malware scam cases. Another five men and a woman, aged between 21 and 41, are assisting in the investigations, following an island-wide anti-scam enforcement operations conducted between 11 and 22 September 2023.
Over the course of two weeks, officers from Commercial Affairs Department (CAD) and Police Intelligence Department (PID) mounted simultaneous island-wide operations and arrested the 11 persons. Preliminary investigations revealed that seven men and two women, and the teenager, had allegedly facilitated the scam cases by relinquishing their bank accounts, Internet banking credentials and/or disclosing Singpass credentials for monetary gains. A 28-year-old man is believed to have withdrawn money from his bank account and handed the money to an unknown person.
Since January 2023, the Police have received increasing number of reports of malware being used to compromise Android mobile devices, resulting in unauthorised transactions made from the victims’ bank accounts, even when they have not divulged their Internet banking credentials, One-Time-Passwords (OTPs) or Singpass credentials to anyone. In these cases, the victims responded to advertisements (e.g., on cleaning services, pet grooming, food items such as seafood and groceries, etc.) on social media platforms like Facebook. They were then instructed by the scammers to download Android Package Kit (APK) from non-official app stores to facilitate the purchase, which led to malware being installed on their mobile devices. Subsequently, the scammers convinced the victims via phone calls or text messages to turn on accessibility services on their Android phones. This weakened the phones’ security, allowing scammers to take full control of the victims’ phones. As a result, the scammers could log every keystroke, steal banking credentials stored on the phones, remotely log access victims’ banking apps, add money mules as payees, raise payment limits and transfer money to money mules. The scammers can further delete SMSes and email notifications related to these bank transfers to cover their tracks.
Police investigations are ongoing. The offence of acquiring benefits from criminal conduct under Section 54(5)(a) of the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act 1992, carries an imprisonment of up to 10 years, a fine of up to $500,000, or both. For deceiving the banks into opening bank accounts that were not meant for their own use and relinquishing their bank account login details, they are liable under Section 417 read with Section 109 of the Penal Code 1871 and Section 3(1) of the Computer Misuse Act 1993 respectively. The offence of cheating under Section 417 of the Penal Code 1871 carries an imprisonment term of up to three years, or with a fine, or both, while the offence under Section 3(1) of the Computer Misuse Act 1993 carries a fine of up to $5,000, or an imprisonment term of up to two years, or both. For disclosing their Singpass credentials under Section 8 of the Computer Misuse Act 1993, they are liable to an imprisonment term not exceeding three years, a fine of up to $10,000, or both.
Advisory Against Downloading of Malicious Apps
The Police would like to remind members of the public that they should not click on suspicious links, scan unknown QR codes, or download mobile apps from third-party websites or unknown sources. These unverified apps may contain malware, which can severely compromise the security of mobile devices. Instead, members of the public are reminded to only download apps from official app stores. Before downloading any app, check the number of downloads and user reviews. Always be wary of any requests for Singpass and banking credentials or money transfers and attractive offers that sound too good to be true. Lastly, members of the public are advised to turn on security settings, such as disallowing installation of apps from unknown sources, to help protect their devices.
The Police will spare no effort to track down cybercriminals responsible for banking-related malware incidents and will continue to take tough enforcement actions against those who flout the law. To avoid being an accomplice in these crimes, members of the public should always reject seemingly attractive money-making opportunities promising fast and easy pay-outs for the use of their Singpass accounts, bank accounts, or for allowing their personal bank accounts to be used to receive and transfer money for others. The Police would like to remind members of the public that individuals will be held accountable if they are found to be linked to such crimes.
For more information on scams, members of the public can visit www.scamalert.sg or call the Anti-Scam Helpline at 1800-722-6688. Anyone with information on such scams may call the Police Hotline at 1800-255-0000 or submit information online at www.police.gov.sg/iwitness. All information will be kept strictly confidential.
SINGAPORE POLICE FORCE
23 September 2023 @ 2:25 PM