29-6-2023 (SINGAPORE) Central Provident Fund (CPF) members who use Singpass to access their CPF accounts will now have to complete an additional step: face verification. The measure is being introduced as a precaution against a surge in malware scams targeting CPF savings, according to a joint advisory by the CPF Board, GovTech, and the police on Thursday.
In the first half of 2023, over 700 reports of malware-related scams were received, resulting in losses of approximately S$8 million (US$5.9 million). Among these cases, eight involved CPF savings, with losses totaling S$124,000.
To enhance the security of vulnerable CPF members accessing CPF e-services, the CPF Board and GovTech have urgently introduced the Singpass Face Verification during the login process. While this additional step may slightly inconvenience CPF members when accessing online services, the agencies stress the importance of prioritizing safety over convenience.
The malware scams typically involve victims clicking on discounted item advertisements on social media platforms, such as Facebook. Upon clicking, they receive a link to download an Android Package Kit (APK) from an unofficial app store to facilitate the purchase. Once the APK is downloaded, malware is installed on the victim’s phone. Subsequently, scammers persuade the victims through phone calls or text messages to enable accessibility services on their Android phones.
Enabling accessibility services weakens the phone’s security, allowing scammers to gain full control. They can log keystrokes, steal banking credentials, access banking apps, manipulate payment limits, and transfer money to money mules. Moreover, scammers can delete SMS and email notifications related to bank transfers to cover their tracks. In some cases, scammers may even log in to the victim’s CPF account through Singpass to make unauthorized withdrawals.
Although CPF withdrawals require verification of the recipient’s bank account, scammers can still transfer the money out of the compromised bank account using stolen banking credentials. Authorities caution users to download applications only from official app stores and to remain vigilant. Users should also exercise caution when enabling accessibility services and promptly update their mobile phones with the latest security patches to mitigate such risks.
The recent arrests of nine individuals involved in banking-related phishing scams targeting Android devices highlight the importance of adhering to these security practices.
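The two cautions above (install only from official app stores, and be careful with accessibility services) can be checked together on a device. The following is an added example, not part of the advisory: it cross-references the output of `adb shell settings get secure enabled_accessibility_services` with `adb shell pm list packages -3 -i` and lists third-party apps that hold an enabled accessibility service but were not installed by an official store. The sample outputs are constructed, and treating only the Play Store installer as official is an assumption.

```python
# Constructed sample of: adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.shopdeals/.HelperService:"
    "com.example.reader/com.example.reader.ReadAloudService"
)
# Constructed sample of: adb shell pm list packages -3 -i  (third-party apps only)
SAMPLE_PACKAGES = """\
package:com.example.shopdeals  installer=null
package:com.example.reader  installer=com.android.vending
package:com.example.notes  installer=com.android.vending
"""
# Assumption: only the Play Store counts as an official installer here.
OFFICIAL_INSTALLERS = frozenset({"com.android.vending"})


def parse_accessibility(value):
    """Return the packages that own an enabled accessibility service."""
    value = value.strip()
    if not value or value == "null":
        return set()
    # Entries are colon-separated components of the form package/ServiceClass.
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}


def parse_installers(listing):
    """Map package name -> installer of record (None when there is none)."""
    installers = {}
    for line in listing.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition("installer=")
        fields = rest.split()  # tolerate extra fields after the installer
        installer = fields[0] if fields else "null"
        installers[pkg.strip()] = None if installer == "null" else installer
    return installers


def risky_accessibility_apps(a11y_value, listing, official=OFFICIAL_INSTALLERS):
    """Third-party apps with accessibility enabled and no official installer."""
    installers = parse_installers(listing)
    # Packages absent from the -3 listing are system apps and are skipped.
    return sorted(pkg for pkg in parse_accessibility(a11y_value)
                  if pkg in installers and installers[pkg] not in official)


if __name__ == "__main__":
    for pkg in risky_accessibility_apps(SAMPLE_A11Y, SAMPLE_PACKAGES):
        print("review:", pkg)
```

A flagged package is a candidate for review rather than a verdict, since legitimately sideloaded apps also report no official installer.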