Oral Reply to PQ on Malware Scams involving CPF monies

NOTICE PAPER NO. 1992 OF 2023 FOR THE SITTING ON 3 JULY, 4 JULY 2023
QUESTION NO. 3061 FOR WRITTEN ANSWER, QUESTION NO. 4738 FOR ORAL ANSWER

MP: Mr Zhulkarnain Abdul Rahim

To ask the Minister for Manpower in light of recent reports of victims being scammed of their CPF monies after their CPF accounts have been accessed remotely using their stolen SingPass credentials (a) what are the measures that CPF Board will take to protect elderly CPF members against such scams; and (b) whether CPF will consider two-factor authentication or notification to the member or his designated next-of-kin before such withdrawals are made.

MP: Mr Melvin Yong Yik Chye

To ask the Minister for Manpower with regard to the recent cases of Android users losing close to $100,000 of CPF savings through malware-related scams (a) how many similar malware-related scams has the Ministry detected in the past three years; (b) what are the safeguards that the Ministry intends to implement to prevent CPF savings being lost to scammers; and (c) what recourse will the victims have with regard to their lost CPF savings.

Answer:

1. Since January 2023, the Police received more than 700 reports of victims having downloaded malware onto their phones, with more than $8 million worth of savings lost through unauthorised withdrawals from the victims’ bank accounts, etc. Based on investigations thus far, nine of these cases involved unauthorised CPF withdrawals, amounting to a net loss of $124,000 in CPF savings. Even though nine involved unauthorised CPF withdrawals, the 9th case did not result in loss of CPF savings because the Singapore Police Force managed to stop the transfer out from the bank account of the CPF member. CPF monies were paid from members’ CPF accounts to their own bank accounts and subsequently withdrawn from these bank accounts by the scammers.

2. The modus operandi of these malware-related scams has been extensively covered in an earlier joint advisory from the Police, GovTech and CPF Board on 29 June 2023. In gist, the victims downloaded malware-infected Android Package Kits (or APK) from unauthorised sites and subsequently turned on accessibility services when told by the scammer, to purportedly facilitate the purchase of items at a steep discount. Doing so allowed the scammer to take full control of the phone, steal banking and Singpass credentials stored in the phone, and perform unauthorised CPF log-ins and withdrawals.

3. I urge all Singaporeans to stay vigilant. We should update our phones regularly with the latest security patches, only download apps from official app stores, and exercise the greatest of caution when we are prompted to turn on accessibility services. These accessibility services are mainly meant to assist users with disabilities to use their devices, such as by allowing apps to read and control your screen.

4. As a further precaution, CPF Board and GovTech have introduced additional authentication measures since 22 June 2023 to increase the protection for CPF members. Members may be asked to perform Singpass Face Verification (SFV) or other checks when accessing CPF e-services. This provides additional security in addition to the existing two-factor Singpass authentication required for accessing CPF e-services. Members who require assistance on CPF services and SFV can visit the CPF service centres and Singpass counters respectively. They may also call the Singpass helpdesk.

5. These additional safeguards may make it slightly less convenient for members to perform certain CPF e-services but I think members would agree that it is better to be safe than sorry. This is especially so in light of the new threats. The Government will continue to review and monitor these threats, and work closely alongside banks to introduce more precautionary measures where necessary.

6. The Police will spare no effort in tracking down those responsible for such malware incidents and will take tough action against them. Anyone with information on such crimes should contact the Police immediately.