Each day, more than S$2 million are lost by Singapore victims to scammers that target the vulnerable either through cons and lies or other means of social engineering.
What makes today’s scammers different from the past is that they are often armed with loads of information about you, a potential victim.
From NRIC numbers to addresses, private data stolen through large-scale cyber heists often end up being traded on the dark corners of the Internet and used by scammers to better target victims.
Imagine, for example, a scammer calling up as the police and citing your IC number, address and possibly even your bank or employer. He gets your attention instead of a random caller who doesn’t even know your name.
Unfortunately, you can’t control when your IC number is lost, say, by a bank or a government agency. So, you have to assume a lot of your private data – particularly, things you don’t change much, like name, phone number and address – is already in the open.
This means you have to secure access to crucial parts of your digital identity that open doors to important transactions, such as bank transfers. Here are three things to secure:
1. Singpass
If you are reading this from Singapore, you’d know that Singpass is the national digital ID that lets you transact with not just the government but also banks, insurance companies and many others.
In other words, this is probably the most important digital credential you have to protect. Lose your Singpass ID to criminal and they can essentially assume your digital identity.
If someone gets access to your Singpass, they can change your address on record and apply for all sorts of things, like credit cards and have the bills sent to that address.
As an app on your phone, Singpass is also used as a digital token to confirm logins to many highly sensitive accounts, such as your bank account to make money transfers.
And yes, you can even show your digital ID card with the Singpass app when you vote in the next general election later this year.
An ID this powerful, of course, comes with protective features. To set it up, you need to know not just your username and password, but also use two-factor authentication (2FA) with SMS and e-mail. Then, you have to scan your face for verification.
Despite these measures, nothing is unbreakable. You should never share your Singpass passwords or one-time passwords sent over SMS. Okay, except perhaps your children or a trusted relative who’s helping you set things up.
If you’re using the Singpass app on the phone, try to enable fingerprint logins. This is not only faster than typing in a password but also more secure.
2. “Root” e-mail address
Anyone who transacts online needs an e-mail account that is tied to a digital service. Whether it’s your bank or Netflix, this important e-mail account is what one might call a “root” e-mail address.
This is where you get a notice to confirm an attempt to reset a password on your bank account or to set up a banking app on a new phone. Be wary of these requests – especially if you didn’t initiate them.
Without access to this root e-mail account, a scammer usually can’t easily gain access to your digital accounts. So, this is always a target of cyber attackers.
For most people, this e-mail address might be their Gmail, Microsoft or Yahoo account. Hackers might guess their passwords based on the personal data they have on hand. Sometimes, these passwords may have been exposed from earlier hacks of these service providers.
Make sure you have 2FA turned on for these crucial e-mail accounts, so you need an additional detail, like a backup code, to log in to them.
Always copy down or print out a list of backup codes and save them offline. Don’t leave it lying around at home of the office and certainly don’t save them on your phone or PC!
Both Google and Microsoft also run what are known as authenticators, which are mobile apps that act as a second-factor token for many other digital services, such as your social media accounts.
This means if you lose access to your “root” Google or Microsoft e-mail accounts, you may also be logged out of many of your other linked digital accounts and getting them back will be difficult. So, secure them!
3. Mobile phone
These days, losing your phone can be more traumatising than losing your wallet. You can call up your credit card company to block transactions and make a police report to apply for a new national ID card.
Lose your phone – not just physically but also virtually – and you’re in a lot of trouble. If you unwittingly download a malicious app, either through a QR code or a Facebook online sale promising discounts, your phone could end up being remotely controlled by hackers.
This means they can access just about anything on it. If you unknowingly authenticate changes in password or okay transactions when prompted, you basically give them the keys to your money and other valuables. This is also how people get scammed of all their retirement savings.
As a digital wallet, your mobile phone needs to be free of malware. It not only acts as a device to access your account but also as a trusted token to allow many digital transactions.
Giving such access to cyber thieves, perhaps through a scam call or malware download, is almost like going to the ATM machine and taking out the money for the criminals.
How do you secure your phone? Today, there are many built-in safety features but you should also avoid downloading apps from third-party sources outside of official Google or Apple app stores.
Plus, don’t scan dubious QR codes and be wary of clicking on links sent to you over SMS or WhatsApp, especially if it leads to a webpage that asks you to key in your credentials.
To better protect yourself, download the ScamShield app by the Singapore government. It helps to filter out potential scam threats over WhatsApp, websites, SMSes and calls.
No failsafe method
Ultimately, there is no way to totally block out cyber attacks or scams, especially when they are evolving all the time. You can only reduce risks.
Already, deepfakes are being created to dupe people into believing a boss or relative is calling you to send money urgently. That’s a big challenge coming up for any digitally connected society.
As users, it’s not time to unplug and avoid digital transactions altogether. To better protect yourself, make sure the three things that give access to much of your digital life online are hardened and protected.
Making your Singpass (or other national digital ID), root e-mail account and mobile phone harder to compromise will help reduce the chances of being a victim of the growing number of scams targeting users today.
