The Singapore Police Force (SPF) and the country’s Cyber Security Agency (CSA) have observed a recent spate of cases involving cybercriminals using compromised PayPal accounts for transactions. The two have issued a joint alert through a press release.
From January 1 to February 9, 2024, a total of 27 such cases involving hacked PayPal accounts were reported to the police.
- In these cases, victims would receive automated notifications from PayPal either in the form of e-mails or PayPal’s inbox messages, informing them of various activities such as profile changes and receipts for transactions on their account.
- Upon checking their PayPal accounts, some victims discovered that funds from unknown sources were deposited, or that funds were being transferred to unfamiliar bank accounts added by the cybercriminals.
- Subsequently, the cybercriminals would initiate a chargeback request. The victims would then receive an automated notification, and funds were recovered from their accounts, resulting in a deficit balance.
The compromise of online credentials and passwords could be due to several reasons, which include:
- Using weak passwords.
- Visiting phishing websites that ask for your online credentials and/or passwords, and downloading unverified apps sent via e-mails, SMSes, text messages or messages from social media platforms.
- Visiting websites or downloading files that are infected with malware designed to steal victims’ credentials.
- Re-using the same password for multiple online accounts. (When online services or platforms are involved in data breach incidents, it may cause your reused online credentials and passwords to be compromised).
The safe use of online payment platforms must be accompanied by strong cyber-hygiene practices by the users to ensure that their online credentials and passwords are secured.
Security steps to follow for PayPal accounts
● Setting up a passkey for PayPal accounts
Use Face ID or Touch ID
● Setting up 2FA for PayPal accounts
1. Log in to your PayPal account through your web browser (and not the PayPal app)
2. Click the ‘Settings’ icon
3. Click ‘Security’ near the top of the page
4. Click ‘Set Up’ / ‘Update’ to the right of ‘2-step verification’
5. Select ‘Use an authenticator app’, click ‘Set it Up’ and follow the steps on the screen
● Turning off auto-login in PayPal
Turn off auto-login from any browser or device you no longer use or recognise
Precautionary measures and cyber-hygiene tips
Members of the public are advised by the SPF and the CSA to adopt the following precautionary measures and cyber-hygiene tips:
● ADD – security features to your PayPal account by enabling passkeys and two-step verification (2FA). Passkeys are a secure login standard, allowing you to log in to PayPal using the same biometrics or device password you use to unlock your device.
Enable transaction alerts and review all transactions regularly for any suspicious activities. You are also strongly encouraged to install anti-virus apps on your devices that can detect malware and block access to phishing links.
The CSA has also put together a list of recommended apps available at https://www.csa.gov.sg/Tips-Resource/Resources/recommended-security-apps-list.
● CHECK – that you are using a strong password for your PayPal account. A strong password should consist of at least 12 characters with uppercase and lowercase letters, numbers or symbols.
Use different passwords for each of your online accounts. Even if your PayPal account is inactive, you should still change your passwords from time to time as a best practice.
Remove any devices that you no longer use or do not recognise in your PayPal account’s “trusted device” list by reviewing and turn off “auto-login” for your PayPal account. Turn on and monitor automated transaction notifications in your PayPal account.
Be wary of unusual requests received that ask for your personal information, banking details and one-time passwords (OTPs). You should not share your personal information with anyone. Do not click on any suspicious links, download unknown attachments or apps received via e-mails, SMSes, text messages or messages through social media platforms. They may contain phishing links or malicious programmes / apps used to steal data from your devices.
● TELL – authorities, family, and friends about scams. Report any fraudulent transactions to PayPal at spoof@paypal.com or your bank immediately.
If you have any information relating to such crimes or if you are in doubt, please call the Police Hotline at 1800-255-0000, or submit it online at www.police.gov.sg/iwitness. All information will be kept strictly confidential. If you require urgent Police assistance, please dial ‘999’.
For more information on scams, members of the public can visit www.scamalert.sg or call the Anti-Scam Helpline at 1800-722-6688.
227 men and women assisting in scam investigations
Officers from the Commercial Affairs Department and the seven Police Land Divisions in Singapore conducted a 2-week operation between February 2, 2024, and February 15, 2024.
A total of 158 men and 69 women, aged between 15 and 70 years, are assisting in investigations for their suspected involvement in scams as scammers or money mules.
The suspects are believed to be involved in more than 1,000 cases of scams, consisting mainly of loan scams, job scams, e-commerce scams, investment scams, government official impersonation scams, and Internet love scams, where victims reportedly lost over SGD 8 million.
The suspects are being investigated for the alleged offences of providing payment services without a licence, cheating, and money laundering. These offences attract a punishment of prison terms (ranging from 3 years to 10 years) and hefty fines (ranging from SGD 125,000 to SGD 500,000)
56-year-old arrested as suspect in a series of scams
Singapore Police have arrested a 56-year-old man for his suspected involvement in a series of scams. Between November 1, 2023, and February 14, 2024, these scams cheated 36 foreign nationals out of a total of SGD 56,710.
On February 14, the police received a report where a man had collected course fees from his co-workers, allegedly on behalf of his company, with the promise to send the workers for courses to upgrade themselves.
However, the man did not enrol these workers for any courses despite collecting the money. In a separate report, the man had also allegedly made a promise to another co-worker that he would help to find a job for the latter’s relative on condition of a fee. However, after the payment was made to him, he did not do as promised.
Through follow-up investigations, officers from Clementi Police Division established the identity of the man and arrested him within the same day. The suspect was charged in court on February 16 for the offence of cheating.