Bakery worker loses S$111,000 via malware scam after downloading app for durian tour

As Singapore’s digital ecosystem continues to evolve, so does its vulnerabilities. A series of sophisticated malware scams, targeting unsuspecting victims, has come to light, with the most recent involving a part-time bakery worker, Ms Lie.

This incident and others have ignited a nation-wide debate regarding the onus of banking institutions in scam cases.

Ms Lie’s distressing experience began with a seemingly innocent lure: a Facebook advertisement offering a $28 durian day-tour to Kulai, Malaysia, organized by “GD Travel & Tour”.

With fond memories of a similar tour in 2022, she was naturally drawn to the advertisement. The conversation shifted to WhatsApp, where she engaged with a “seller” who appeared genuine, had a convincing Malaysian accent, and seemed well-versed with the details of the tour.

What made the scam particularly devious was the seller’s recommendation for Ms Lie to download an app named EG Store.

Portrayed as a gateway to special tour offers, this app clandestinely introduced malware into her phone. This malware, operating discreetly, eventually granted the scammers access to her banking information.

A week post this engagement, Ms Lie encountered barriers when accessing her DBS Internet banking app. Her subsequent discovery, with the aid of her son Mr Teo, was harrowing.

Large sums had been siphoned off from her DBS account, redirected to various unfamiliar banks. The financial ramifications were profound, as the stolen amount, accumulated over decades, was designated for her retirement and her son’s impending wedding.

DBS, in its response, expressed a robust commitment to support such scam victims. The bank disclosed its intent to enhance its preventive measures, including rolling out advanced anti-malware tools in its digital banking app.

Parliamentary Debate: Banks or Customers – Who Should Bear the Brunt?

The backdrop of a spate of malware scams set the stage for a fervent debate in Parliament. Leading the charge was Workers’ Party chairman, Sylvia Lim, who tabled a compelling adjournment motion last Monday (18 Sep) suggesting that banks should bear full responsibility for reimbursing victims of these scams.

Central to Ms Lim’s argument was the evident surge in malware scams, specifically targeting Android users.

She pinpointed the perceived inadequacies in the current banking security infrastructure, arguing that consumers, especially the vulnerable segments like the elderly, were unfairly exposed to such threats.

Ms Lim’s proposal emphasized the introduction of stringent measures, like the re-adoption of physical tokens for two-factor authentication, thereby adding an extra layer of security.

She also highlighted global benchmarks, referencing the UK’s banking model. The UK approach, she noted, mandates banks to actively deter scams from the onset, which in turn has resulted in fewer fraud incidents.

Ms Lim’s most poignant critique was aimed at post-scam banking procedures. She elucidated how victims often grappled with bank settlements that were grossly imbalanced.

Low goodwill payments and one-sided non-disclosure agreements exemplified the power disparity between individual victims and mammoth banking institutions.

Ms Lim fervently called for the Monetary Authority of Singapore (MAS) to champion a more equitable approach in mediating such disputes.

Contrasting Ms Lim’s standpoint was Mr Alvin Tan, Minister of State for Trade and Industry who responded to her proposal.

While he acknowledged the severity of the situation, his argument revolved around the principle of shared responsibility.

He opined that complete restitution, without evaluating individual responsibility, could inadvertently nurture complacency among consumers.

Mr Tan elucidated the myriad efforts undertaken by MAS, including the implementation of multi-factor authentication measures.

He stressed the importance of consumers playing an active role in their cybersecurity, stating, “Even with enhanced security, scammers can still bypass the digital security measures.”