Singapore authorities and banks are ramping up efforts to tackle a growing scam where fraudsters steal card details through phishing and trick victims into providing an OTP.
This allows scammers to fraudulently provision stolen card credentials onto their mobile wallets for unauthorised contactless transactions.
The Singapore Police Force (SPF), Cyber Security Agency of Singapore (CSA), and Monetary Authority of Singapore (MAS) reported at least 656 cases of phished card credentials being added to mobile wallets between October and December 2024.
This lead to losses of at least S$1.2 million and at least 502 of these cases involved Apple Pay.
Scammers typically create fake e-commerce websites or social media ads to steal victims’ card details.
Once victims enter their information, scammers attempt to add the card to their Apple Wallet.
To complete this, they trick victims into entering an SMS OTP on the phishing site, granting them full control over the stolen card.
Scammers then work with money mules, who link their mobile devices to the fraudulently provisioned Apple Wallet and use the stolen card details for contactless NFC purchases.
They often target high-value electronics and luxury goods.
Authorities are working with banks, mobile wallet providers (Apple Pay, Google Pay, Samsung Pay), and card service providers (Visa, Mastercard) to tighten security measures.
The Association of Banks in Singapore (ABS) reported that card-issuing banks prevented S$53.9 million in losses in the fourth quarter of 2024 through enhanced fraud surveillance.
Banks are introducing stricter card provisioning security measures, including in-app controls and digital token authentication, which will be fully implemented by July 2025.
Banks will proactively remove cards from mobile wallets if there are clear indicators of fraudulent activity.
Authorities urge the public to remain cautious, install the ScamShield app, enable security features, lower notification thresholds, and disable overseas card use if not needed.
Consumers should monitor SMS OTPs and bank notifications to detect unauthorized provisioning.
Anyone who suspects their card has been fraudulently provisioned should report it to their bank immediately.
The public can report scams by calling the Singapore Police Hotline at 1800-255-0000, submitting information online at www.police.gov.sg/i-witness, or calling the ScamShield Helpline at 1799 for more information.
For urgent police assistance, dial 999.
Featured image credit: Edited from Freepik
