SINGAPORE, while leading globally in many prosperity-related aspects, also sits at the top of a less glamorous category.
Scam victims in Singapore lost $651.8 million in 2023, with a total of 46,563 cases having been reported to local authorities. In total, more than $2.3 billion has been lost to scams since 2019.
The most frequently occurring scams were related to jobs, e-commerce, ‘fake friends’, phishing, and investments, with investment and job-related scams topping the list.
With the majority of online scams being perpetrated by those outside of Singapore, local police have reported difficulty in investigating such cases.
Advice For The Digitally Violated
Even tech experts are not exempt from cyber assault. In the WEDWEBCHAT organised by STORM-ASIA panellist Ravi Krishnan of Mach7 Technologies, who specialise in medical technologies, and Kevin Reed of Acronis, a cybersecurity and data protection company, discussed recent trends.
Kevin expects that scams have existed as long as humanity. “Unfortunately, the frequency and variety of scams has accelerated with tech. Cyber scams vary from an ‘old school’ format, such as social engineering, to sophisticated scams involving advanced tech such as AI.
“The scale of incidents grows with the tech, the scammers go where the money is.”
Ravi Krishnan detailed his recent experience with a social engineering scam. Several weeks prior, while at a large conference, he was messaged by his CEO, who happened to be at aother tech conference in Milan.
The messages had been sent to Ravi from a new number, which the scammer impersonating his CEO explained was a personal number, as this was a private matter. The scammer needed money transferred to his brother in Singapore, who was in urgent need of cash to pay his medical bills. The messages were sent around 3 pm, and the scammer said the payment was needed by 6 pm.
As he was part of an important meeting at the time, Ravi thought little of the amount being asked for, and within minutes he had increased his transaction limit and transferred the money via PayNow to a Singapore registered mobile number.
Ravi explains his emotions at that time. “It was not a big or small number, but I sent it without thinking. I felt like Robin Hood, I was actually feeling good about myself! My bank intervened the next day, when I tried to send more money, and said they believed the previous transaction had been sent to a mule account, and asked me to report the incident online.
“But the funds were lost, they came in and out of the recipient account at lightning speed.”
As part of a tech company, Ravi had undergone numerous internal exercises to prove his cyber scam awareness, but having been preoccupied at the time, was nonetheless unsuspecting, and feels there was a degree of arrogance on his part.
Watch the full discussion of WED WEB CHAT — Advice For The Digitally Violated below.
Scam Attack Vectors
While Ravi feels he was victim of a targeted, so-called ‘spear phishing’ attack, where scammers know their victims identities and locations, Kevin explains that the majority of scams are cast with a broad net, and it would be difficult to know if the perpetrators had inside information.
Kevin notes that the majority of scam victims are those who are deeply distracted. Such pressure results in people having little time to think twice about the information they are receiving, and in the case of Ravi, successful scams may also appeal to your emotions and reward you with good feelings for acting quickly.
In addition to making victims feel pressured to make decisions, Kevin notes that successful scams also feature operational excellence. In Ravi’s case, the recipient moved the funds in minutes, before anyone was able to react. “By the time you’ve been scammed it’s too late. People tend to realise mistakes quickly. Scammers need to move money faster than people can react.”
Breadth Of The Scam Landscape
The average amount taken in major scam venues such as Singapore is smaller than you might expect. Kevin explains that, “We hear about big amounts, but it’s small amounts people end up paying. The majority of victims are small and medium enterprises (SMEs), and the median ransom is around US$2,000.”
This may seem like a small sum, and for most SMEs, this is a small price to pay for recovery of their data. For some very small organisations, such losses can be very damaging, and even terminal.
Kevin recommends not paying ransomware if possible.
“Ransomware is software, and all software has bugs,” Kevin explains.
“Furthermore, as encryption procedures occur more often, they are more tested and reliable than decryption. It’s not uncommon that victims pay the ransom for the decryption key, and when the victim tries to decrypt their data, the key has bugs and destroys their data. Ransomware operators will not refund you. It’s better to back up the encrypted data, then decide on whether you actually want to pay ransom or wait, or start negotiating.”
Those whose ransom ends up funding proven criminals or terrorists may also be prosecuted as such, hence there are multiple incentives not to pay.
Scam Victim Trends
According to Kevin, there has been a shift towards scamming seniors, who may not be as tech savvy, but who are also richer with cash. Some may also be in senior positions in their organisations. Another attractive demographic he has observed has been Bitcoin millionaires.
In the case of the crypto lucky, Kevin has observed that scams happen even faster. “Attackers tend to compromise devices, somehow managing to instal a remote access trojan on the victim’s computer to find their private key. With crypto, once you make a transaction on the blockchain, there’s no way to reverse it to recover the funds.”
Recognising Scams
From Kevin’s experience, in the absence of distractions, recognising scams is very easy. “If you are present in the situation, people tend to figure it out. On the other hand, phishing is weird. On average, the success rate of spotting a scam tested with a large group of subjects is in the range of 10-20%, but this decreases to 5-7% for a phishing exercise. While 95% of people would not click, it’s a game of numbers. The more emails scammers send, the more likely they are to find someone who will click. Sometimes one click is enough.”
In terms of other vectors for financial scams, Kevin warns, “You never know where your financial details will end up. Sometimes you put details somewhere and they are taken. Credit card numbers are supposed to be secret, but used for long enough they can also be leaked. Leaks are usually only noticed after banks detect suspicious transactions.
“Criminals often buy credit card numbers in chunks, and use them to execute numerous microtransactions, again, this is a game of numbers, how much can they get away with without getting caught.”
Ravi recalls his cybersecurity training, advising those who are suspicious of work-related inbound messages.
“Speak to a warm body, make sure you’re talking to the person who’s making the request. If worried, report the interaction to your tech team internally.”
Unfortunately for him, the training deserted him when it was most needed.
In the heat of the moment, Ravi believed he’d “scored”, simultaneously securing the important meeting, and meeting the financial needs of a friend. “Even the next day, in my relaxed state, I still had not noticed that something was wrong. Only when the bank called did alarm bells go off.”
With Ravi’s experience in mind, raising public awareness of such incidents must be given priority, only then will people be prepared to respond effectively to scammers when they are most vulnerable.
Kevin’s simple advice to follow:
“Be mindful whenever something is urgent. Pause for 10 seconds and maybe talk to someone, if it’s related to money. A few seconds or minutes usually won’t matter. And then you can make the right call.
“These situations are not hard to recognise with hindsight, and it will be easier to recognise them the next time.”
Ravi echoes the sentiment. “Unless you’re a cardiothoracic surgeon, nothing is ever that urgent. Stop and think before you take the next click.”
Watch the full discussion of WED WEB CHAT — Advice For The Digitally Violated below.
Watch our previous wedwebchats: https://storm-asia.com/category/wed-web-chat/
If you have a topic that is of interest, or have someone who would make a good panellist with a thought-provoking perspective on a subject, please email editor@storm-asia.com with your details and a short summary.
