Zit Seng's Blog

A Singaporean's technology and lifestyle blog

Age of Internet Banking Scams

Scams have been a part of the Internet for well over two decades. Despite much awareness being raised about these scams, they’ve also gotten a lot more clever, and there is still no end to people getting conned. Reducing these scams is going to take far more work.

There was a recent report on OCBC customers losing $140k to scams a few days ago. Phishing SMSes purportedly from the bank were used in this scam. It is not a new method, but it is still effective. Even though some of us may find these phishing and scamming methods rudimentary and silly, the fact is that they work often enough, and the returns are good enough, that scammers still use them.

We could all say that we need to raise awareness about these scams. I agree. In particular, we need to make sure that our less Internet-savvy, less tech-savvy, family and friends are made aware of such scams. But that’s really not enough. We need to teach people how to be street-smart, so to speak, in the online world. We need people to be able to determine on their own what looks suspicious, and how they should respond.

The challenge in the online world is that there are a lot of inconsistencies. In the real world, we can talk about trusted adults whom you can rely on. In the online world, sometimes, it is the organisations themselves that are part of the problem.

For example, we talk about not divulging personal information to strangers, including to callers on the phone. Here’s my long-standing complaint: why is it that banks make unsolicited calls to me and think it is perfectly normal to ask for my personal information to verify my identity? I am a customer of numerous banks and they are all guilty of doing that. (I know in practice there is a need for some mutual verification, and there’s no easy solution to that.)

The issue about having to send an OTP on a phone call is not helpful either. This only happens on phone calls you initiate, no doubt, but still, it’s a thin line.

The problem is that the online world is fraught with inconsistencies. I previously posted about Citibank telling me to ignore erroneous emails, as if the whole affair is perfectly normal, and there is nothing to be alarmed about. I know, that was in 2014. Such things should not happen anymore. Thankfully, no, not those emails.

That’s not to say other weird stuff hasn’t happened that was treated as just perfectly normal. Like duplicate SMS notifications of credit card transactions. Or notifications of credit card transactions that were reversals, which I knew not about, nor were the reversals actually stated in the message.

The above are issues that were unexpected, and the problem was mainly that the organisation didn’t deal with them properly. A different problem is when inconsistencies are built-in by design, or perhaps, by lack of forethought about the entire experience. This trains people to accept as normal any strange things that might come their way. Unexpected URLs, for example.

In the real world, we know what “normal” is. It is not difficult to identify what is unexpected, unusual, or suspicious. Many people’s idea of what is “normal” in the online world, unfortunately, has been corrupted. It’s already hard to tell people that emails can be faked, phone numbers can be faked, and this is all apart from malware that you may have unknowingly downloaded, or that was injected through some unpatched vulnerabilities in the myriad of software you run.

On top of that, we’ve got to deal with inconsistencies in practices. Like giving away personal information to a random caller who claims to be from the bank. Both the bad guys and good guys do the same thing, so how do we tell the bad from the good?

I think it will still be a long way before we get the online world to behave in good, proper order. In the meantime, your best defence is to be always suspicious about everything you’re being asked to do, or to give. Kind of like in the real world.
