In an island-wide anti-scam enforcement operation conducted between 14 and 25 August 2023, the Commercial Affairs Department (CAD) and Police Intelligence Department (PID) arrested seven men and four women, aged 17 to 25, and two 15-year-old teenagers for their suspected involvement in the recent spate of banking-related malware scam cases. Another two women, aged 29 and 39, and a 15-year-old teenager are assisting in investigations.
Since January 2023, the Police have received increasing reports informing that malware was used to compromise Android mobile devices, resulting in unauthorised transactions made from the victims’ bank accounts even though they did not divulge their Internet banking credentials, One-Time-Passwords (OTPs) or Singpass credentials to anyone. In these cases, the victims responded to advertisements (e.g., on cleaning services, pet grooming, food items such as seafood and groceries, etc.) on social media platforms like Facebook and were later instructed by the scammers to download Android Package Kit (or APK) from non-official app stores to facilitate the purchases, leading to malware being installed on the victims’ mobile devices. The scammers then convince the victims via phone calls or text messages to turn on accessibility services on their Android phones. Doing so weakens the phones’ security and allows the scammers to take full control of the phones. This means that the scammers can log every keystroke and steal banking credentials stored in the phones and allows them to remotely log in to the victims’ banking apps, add money mules as payees, raise payment limits and transfer monies out to money mules. The scammers can further delete SMS and email notifications of the bank transfers to cover their tracks.
During the two-week operation, officers from the CAD and PID mounted simultaneous island-wide operations and arrested the 13 persons. Preliminary investigations revealed that the seven men and four women, aged 17 to 25, and two 15-year-old teenagers had allegedly facilitated the scam cases by relinquishing their bank accounts, Internet banking credentials and/or disclosing Singpass credentials for monetary gains.
Police investigations are ongoing. The offence of acquiring benefits from criminal conduct under Section 54(5)(a) of the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act 1992, carries an imprisonment of up to 10 years, a fine of up to $500,000, or both. For deceiving the banks into opening bank accounts that were not meant for their own use and relinquishing their bank account login details, they are liable under Section 417 read with Section 109 of the Penal Code 1871 and Section 3(1) of the Computer Misuse Act 1993 respectively. The offence of cheating under Section 417 of the Penal Code 1871 carries an imprisonment term of up to three years, a fine, or both, while the offence under Section 3(1) of the Computer Misuse Act 1993 carries a fine of up to $5,000, or an imprisonment term of up to two years, or both. For disclosing their Singpass credentials under Section 8 of the Computer Misuse Act 1993, they are liable to an imprisonment term not exceeding three years, a fine of up to $10,000, or both.
Advisory Against Downloading of Malicious App
The Police would like to remind members of the public that they should not click on suspicious links, scan unknown QR codes, or download mobile apps from third-party websites or unknown sources. These unverified apps may contain malware, which can severely compromise the security of mobile devices. Instead, members of the public are reminded to only download apps from official app stores, and to check the number of downloads and user reviews before downloading any app. Always be wary of any requests for Singpass and banking credentials or money transfers and attractive offers that sound too good to be true. Lastly, members of the public are advised to turn on security settings, such as disallowing installation of apps from unknown sources, to help protect their devices.
The Police will spare no effort to track down cybercriminals responsible for banking-related malware incidents and will continue to take tough enforcement actions against those who flout the law. To avoid being an accomplice in these crimes, members of the public should always reject seemingly attractive money-making opportunities promising fast and easy pay-outs for the use of their Singpass accounts, bank accounts, or for allowing their personal bank accounts to be used to receive and transfer money for others. The Police would like to remind members of the public that individuals will be held accountable if they are found to be linked to such crimes.
For more information on scams, members of the public can visit www.scamalert.sg or call the Anti-Scam Helpline at 1800-722-6688. Anyone with information on such scams may call the Police Hotline at 1800-255-0000 or submit information online at www.police.gov.sg/iwitness. All information will be kept strictly confidential
SINGAPORE POLICE FORCE
28 August 2023 @ 8:00 AM