Staying agile: Navigating the evolving cybersecurity landscape in Singapore

All throughout the year, scams continued to rank high on Singapore’s list of major concerns. In 2023, there were several reports of phones being hacked and people losing their hard-earned savings. 

These cyber-attacks range from traditional social engineering methods to more sophisticated malware scams – one particularly malicious variant could initiate a factory reset on the victims’ infected devices while the scammers executed unauthorised transactions on the phone’s banking app. Exercising vigilance against scams can go a long way, however, the ordinary consumer does not have the capability to detect modern malware. That onus is on businesses and app makers. 

In fact, according to a 2023 survey, 41.2 per cent of Singaporeans stated that they want the best protections against malware and fraud from app makers, and 96 per cent of all local respondents advocated for apps that protect them against malicious actors.

This is why the proposed Shared Responsibility Framework by Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA) was a commendable move. Authorities are now holding banks and telcos accountable for stronger cyber defences against phishing scams. 

The Safe App Standard launched by the Cyber Security Agency (CSA) was another positive step, encouraging corporations to take a more proactive role against scams with technological solutions on strengthening authentication, authorisation, data storage security and malware protection on devices. 

Lower barriers of entry for scammers

Despite new regulations and banks taking proactive steps in building up their mobile app cyber defences, scammers are not relenting. In the recent Budget 2024 phishing attacks, infographics using real information were shared on Telegram, posing as the Ministry of Finance (MOF). These messages included a link directing victims to a fake MOF website to verify their eligibility for government cash disbursements. Once victims keyed in their personal information, scammers were able to take control of their telegram accounts. 

The democratisation of artificial intelligence (AI) through large language models such as ChatGPT has simplified the work of hackers. Sophisticated programming knowledge and persuasive language skills are no longer essential. Today, hackers and scammers can create functional websites to collect personal information and develop malware for a large-scale attack within seconds. 

There are strategies that can help companies stay ahead of malicious actors.

Geo-compliance 

New guidelines, stricter regulations and amended bills are essential to keeping up with the threat landscape. Similar to Singapore, the Philippines’ Bangko Sentral ng Pilipinas released Circular 1140 aimed at protecting consumers against scams and the Hong Kong Monetary Authority (HKMA) mandated that banks implement several new measures. This creates a complicated regulatory landscape for app developers to maneuverer. 

Hene, organisations need to adopt an automated geo-compliance solution that can bend with the dynamic mobile app ecosystem. In addition to maintaining compliance with industry or in-country regulations, geo-compliance can defend against bad actors falsifying location information, from malicious proxies or VPN. This is a common technique used in love scams where malicious actors pretend to be stuck in a foreign country and require desperate financial help from their victims. 

Building collaborative workflows

The primary challenge in mobile app development is the inherent conflict between developers, who aim to create user-friendly and feature-rich experiences, and security teams, who focus on regulatory compliance and cyber defence. Despite having vastly different goals, cyber security teams can only “review,” “report,” and “recommend” while the implementation and execution lies solely in the hands of developers. 

With development teams focused on better customer experience on the app, security can at times take a back seat. Consequently, mobile apps with known vulnerabilities may still be published on app stores, increasing the risk of malware attacks.

Businesses need to provide cyber teams with more control and visibility over the security model without developers having to do any extra work. Automating security implementations directly during the development process will go a long way in plugging the gaps. In fact, this is the only way organisations can stay ahead of malicious actors, who can now leverage AI to improve their malware and automate their attacks to be continuous and relentless.

Connecting with customers through the app

Last August, some OCBC customers were denied access to their mobile banking app. It was only after consumers aired their frustrations on social media that OCBC disclosed their new security update; users with side loaded apps were at higher risk of scams, and hence blocked form using mobile banking services.  

App makers therefore need to update their customers with the latest security threat information and, in some situations, give them the freedom of choice to respond to these matters. These can be done via in-app pop-up notifications. 

This communication method is also useful as a social engineering prevention method. According to the SRF, organisations have a duty to disrupt scams and pop-up notifications that alert potential victims to suspicious activities can help break the "spell" cast by scammers.

With increased consumer protections under new regulations, companies now have better guidelines to secure online transactions. The challenge now is finding a way to disrupt sophisticated social engineering attacks without interrupting business continuity.