New Singpass face verification feature for CPF log-in to protect vulnerable Singaporeans against malware scams
Published June 29, 2023
Updated June 29, 2023
Singapore — Central Provident Fund (CPF) members who log in to their accounts using their Singpass may have to go through another step — face verification.
The additional precaution comes amid a spate of malware scams involving CPF savings, said the CPF Board, GovTech and the police in a joint advisory on Thursday (June 29).
ADVERTISEMENT
In the first half of 2023, more than 700 reports of malware-related scams were reported, with losses amounting to about S$8 million. Of these, eight cases involved CPF savings, with losses of S$124,000.
"As a further precaution, CPF Board and GovTech had urgently introduced the Singpass Face Verification during the login to protect vulnerable CPF members who access CPF e-services," the agencies said in a statement.
"While this may make it less convenient for members to access CPF online services, we seek CPF members’ understanding that it might be better to be safe than sorry."
READ ALSO
At least S$20,000 lost to fake Singtel SMS phishing scams since June: Police
Vulnerable members include those above 55 years old and using android phones, according to CPF.
In the malware scams, the victim uses his Android phone to click on a Facebook or other social media advertisement selling an item at a steep discount and receives a link to download an Android Package Kit (or APK) from a non-official app-store to facilitate the purchase.
ADVERTISEMENT
Upon downloading the APK, a malware is installed on the phone. The scammer then convinces the victim via a phone call or text message to turn on accessibility services on his Android phone.
This weakens the security of the phone and allows the scammer to take full control of the phone.
It allows the scammer to log every keystroke and steal banking credentials stored in the phone. This also means the scammer can remotely log in to the victim’s banking apps, add money mules as payees, raise payment limits and transfer money out to money mules.
The scammer can further delete SMS and email notifications of that bank transfer to cover his tracks. Additionally, the scammer may log in to the victim’s CPF account through Singpass to make a withdrawal.
READ ALSO
Phishing attempts on Singapore targets rose 175% to 8,500, with banking sector most spoofed in 2022
"Although CPF withdrawals can only be paid to a bank account verified to belong to the CPF member, the scammer can subsequently transfer the money out from that bank account using stolen banking credentials from the phone," said the release.
ADVERTISEMENT
Last month, police arrested nine people in a five-day operation for their alleged involvement in banking-related phishing scam cases related to malware attack on Android mobile devices.
The authorities said that phone users should only download applications from official app stores to avoid malware being installed, especially those who use android phones.
"Exercise the greatest of caution when turning on the phone’s accessibility services or allowing access as doing so will weaken the security of the phone," the release read.
"Always expeditiously update the mobile phone with the latest security patches."
For more information, visit www.scamalert.sg or call the Anti-Scam Helpline at 1800-722-6688. CNA
