.svg)
Authorities in Singapore have issued a joint warning against a new type of phishing scam that targets Apple Pay users when shopping online.
This week, the Singapore Police Force (SPF), the Monetary Authority of Singapore (MAS) and the Cyber Security Agency of Singapore (CSA) published a joint advisory alerting consumers to the scam typology.
The authorities said the scam begins when a consumer inadvertently gives away their card credentials to a phishing website. This could be a dummy e-commerce platform or a social media advert containing a malicious link.
Once the scammer has obtained the card details of the victim, they add them to the Apple wallet of their own device.
A one-time password (OTP) is then sent to the victim’s device, and the victim is tricked into entering the password into the phishing website, thus giving the scammer access to the card.
The authorities note that the scammer is often located overseas, but is part of a syndicate that works closely with local money mules, or that ships money mules into Singapore to spend on the phished card.
By sharing their Apple ID with the mule, the scammer can enable them to open up the same Apple Wallet account and have access to the phished card.
The money mule will then make contactless payments for in-store goods, such as high-value electronics or luxury items, using Apple Pay.
In Singapore, Apple does not set any transaction limits when using Apple Pay to make in-store payments.
Instead, the application of transaction limits — above which a PIN may be required — is the responsibility of card issuers and merchants.
This weak point is exploited by the scammer and the mule while both still have control of the victim’s card and the victim remains unaware.
A growing scam typology
The SPF said it received more than 650 reports of phished card credentials being used via mobile wallets in Q4 2024, and more than 500 of the reports involved cards linked to Apple Pay.
Total losses from these reports exceeded S$1.2m ($900,000), meaning that an average of around S$1,850 ($1,400) was spent in each case before the victim reported the scam.
The SPF, CSA and MAS said they have been working with Apple and other mobile wallet providers, as well as banks and card service providers, to “impose measures” to prevent the scam typology from growing.
“We urge the stakeholders to cooperate with us, and impose measures to protect their customer,” they said.
Banks will be required to introduce additional verification, such as in-app controls or digital token authentication, for provisioning cards to mobile wallets.
Card issuing banks will implement such enhancements as soon as possible, with completion expected by July 2025, as confirmed by the Association of Banks in Singapore (ABS).
Banks will also take proactive steps to remove cards provisioned to mobile wallets if there are indicators of fraudulent activity, the ABS added.
Going forward, the three agencies said they wish to remind the public to exercise caution when shopping online and inputting their card credentials into websites.
“Members of the public are reminded not to share banking and card credentials with anyone - i.e. passwords or OTPs - and to check the veracity of e-commerce websites and links on which they are transacting,” they said.
They also urged consumers to download the government’s ScamShield app, which can run checks on suspicious websites, and to ensure that notifications are switched on for all card transactions.
“Check your SMS OTP and notifications to ensure that your credit cards are not being provisioned to a mobile wallet without your permission,” they said. “Call your card issuing bank immediately if this has happened.”
Arrests made thanks to vigilant retailers
In November last year, the SPF announced that seven individuals had received a Community Partnership Award for their assistance in helping to track down card phishing scammers.
The seven individuals are all directors or sales representatives at retail outlets where mules were attempting to spend using digital wallets containing phished card credentials.
One of the recipients of the award reported three men who tried to purchase 18 iPhones (worth S$35,500) but refused to show any ID when making the transaction.
Another reported a man to the police after he tried to buy four iPhones (worth S$7,500), but refused to show the physical card that he was using to fund the transaction.
In total, the SPF arrested six suspects in connection with the reports. All were foreign nationals — three Malaysian, three Chinese — and those at large are believed to have left Singapore.
The SPF said the mules were recruited to enter Singapore to make fraudulent in-store transactions using digital wallets.
Some of the mules were tasked with selling the purchased items immediately for cash before leaving the city-state.
The victims only realised that their bank cards had been compromised when they received SMS notifications from their banks informing them of the fraudulent transactions.
Under Singapore’s Payment Services Act (PSA), financial institutions are required to refund customers for unauthorised transactions.
