Can the Government Protect People from Themselves? – 7th January 2025 – Speech By Jamus Lim

Mr Speaker, the Protection from Scams Bill is the government’s latest legislative salvo in its efforts to tackle the scourge of scams, which almost doubled between 2022 and 2023, and amounted to more than $650 million in losses.[1] The key idea embedded in the Bill is the granting of powers to issue restriction orders (ROs) to banks to stop transactions, as a last-ditch effort to prevent what has clearly been adjudged to be a scam.

I will make two main points. First, given the eroding distinction between frauds and scams, I wonder whether the definition of scams covered by the Bill is sufficient. Second, in light of how the Bill represents a significant intrusion into private transactions, I wonder if there is room to further constrain the application of ROs.

The distinction between fraud and scams is fading

Let me start by explaining how many observers perceive a difference between frauds and scams. Fraud is the result of deception. A malicious actor obtains personal information without the victim’s knowledge or consent, and proceeds to use said information for financial gain. Scams, in contrast, occur when an unwitting victim is manipulated to either voluntarily release such information, or—in the most egregious cases—abet the process altogether, with active cash withdrawals or fund transfers.

As observers, we are often inclined to place the blame for fraud on the provider, and scams on the consumer. Hence, we think of how financial institutions or telecommunications companies can step up their surveillance of fraudulent schemes or ads, to plug security holes in their back-end systems, to contain fraudulent activity. This has, indeed, been the focus of the Shared Responsibility Framework (SRF),[2] where guidelines underscore how the duties and responsibilities of the bank or telco tend to be limited to actions taken when fraudulent activity is detected and ascertained. If the consumer subsequently authorizes the transaction, however, then these institutions are absolved of their share of the loss, since they would have already taken reasonable steps to stop the said transaction.

There is often less sympathy for those who fall victim to scams. Many claim that victims are too naïve, too greedy, or too careless. Surely, if they stepped back and simply thought through the moment carefully, they would not fall prey to the wily scammers. Or worse, they are frequently viewed as willing participants who should be punished to learn their lesson. They need to recognize that 20 year-olds who connect with 80 year-olds aren’t really there because of true love, or that it isn’t possible to double your money in the span of a few months by lending it to a cash-strapped entrepreneur, returns guaranteed.

The problem, however, is that this distinction, while appealing in theory, is both artificial and misleading in practice. Let me offer a few real-life examples to illustrate my point.

Those holding credit or debit cards may have inadvertently used them at a terminal with a skimmer installed, or exposed their card to a radio frequency identification (RFID) device. The card then gets cloned, and the clone is either used directly to make purchases, or the relevant information is sold on the dark web. Syndicates have also become sophisticated in testing the waters, effecting one or two small transactions that may easily be missed in a sea of transactions, or by sending packages to the actual address. Verified “live” cards are then used for large purchases, usually in foreign jurisdictions with weak scammer protection laws. Has the consumer been defrauded here, as one could argue, since they never approved these purchases? Or is it a scam, since it could be argued that their indifference in response to the test transactions implies their acquiescence to the larger scheme?

As another example, consider an investment scam, disseminated as an ad through a social media platform. The scammer would have paid for the ad—and in many cases, an ad targeted at a potentially vulnerable demographic—and the text of the ad may well include disclaimer language about the “opportunity.” So it seems straightforward: surely someone who “invests” in, say, a villa in Cambodia, or a business in Thailand, understands the associated risks. But these scammers do not always propose overt gambles of this nature. In our meet-the-people sessions, we’ve encountered residents that were duped by offers of a tour in Malaysia, offered at a discount. Or the promise of a job, which involves specialized pre-training for a fee. From the vantage of the social media platform, these may seem legitimate—and, unsurprisingly, the social media company would have a financial interest to classify them as such—yet, when revealed to be a scam, the provider is often reluctant (or outright refuses) to take down the ad. Is this a scam or fraud? It exploits the victim’s desire to secure a good deal or a job, which makes it closer to a scam. Yet it embeds elements of deception, such as hidden fine print or bait-and-switch tactics, which make them more akin to fraud.

Of course, there is yet another possibility, often cited by defenders of the status quo: That scammers may pose as victims, to try to defraud financial institutions. Such conspiracies are, of course, criminal. But what if the line between collaborating to deceive and a plea for assistance is less clear? We are certainly acquainted with cases where, in the name of love or compassion, someone is asked to help with hospital expenses for a person, or their child. Is this a scam, or a cry for help, or something in between? And while it is an empirical question whether such activities are actually as widespread as feared (or would become so, if a more robust consumer protection framework were put in place), it is nevertheless true that practices of this nature tend to blur the line between scams and fraud, and the sort of give-and-take common to relationships.

The artificial line between frauds and scams therefore places an even more pressing onus on the formulation of laws that adequately protect Singaporeans from the scourge of both. We should not simply default to the necessary—but absolutely insufficient—calls for consumers to exercise more cyber hygiene, while standing pat with more robust legislation.

Is it sufficient to treat scams as instances of cheating?

Relatedly, the current treatment of scams in the ambit of the law appears imperfect. Scams are defined in the Schedule as offenses falling under Sections 416A, 417, 418, 419, 420, 420A, and 420A and B of the Penal Code 1871.[3] We can cross-reference this against guidelines issued by the Sentencing Advisory Panel for scam-related offenses,[4] which touch on Sections 51 and 55A of the Corruption, Drug Trafficking, and Other Serious Crimes Act,[5] Sections 8A and B of the Computer Misuse Act,[6] and Section 420 of the Penal Code. The overlap is Section 420 of the Penal Code.

If we treat this as encompassing the full scope of how scams will be addressed by the proposed law, then the sort of scams that would trigger the issuance of restriction orders are those associated with cheating behavior.[7] The key question, then, is if this is sufficient for prosecuting the sort of scams experienced in the real world, given the examples cited above.

After all, as already mentioned, scams could be designed such that the fraud intent is either not immediately evident, or justifiable. Love, job, and investment scams could be framed as genuine pursuits, with the perpetrator undertaking actions—disclaimers to risky investments, a nominal amount of useless training, or a genuine medical bill—that would justify the request for money, and its subsequent transfer.

Furthermore, the most successful scams often involve confidence-building measures that exploit known weaknesses in human psychology[8] or emotion,[9] to an extent that victims may even refuse to acknowledge or believe that they are being duped, even when the scam may appear evident to external parties. Many remain in denial well after the fact,[10] or refuse to face the reality of their losses head-on.[11] Is this cheating any more, if an individual truly wants to proceed with an action, even when presented with evidence to the contrary? When even experts and professionals that do this for a living may be duped,[12] how can we be assured that the police will have special insight or clarity, in advance, into what does or does not constitute a scam? Will the RO only be activated when the police is able to successfully peg the case to a known scammer or organization?

And if we accept this inherent uncertainty, how will we be certain that ROs will be effective in instances where scammers are not immediately recognized, especially in an age of artificial intelligence, where the online signature of a potential scammer may be masked by extreme personalization and customization,[13] otherwise known as deepfishing? What if the 30-day freeze period activated by Clause 5 of the Bill simply postpones the inevitable? Would the knowledge that a scammed victim plans to remain resolute in their insistence on a monetary transfer ultimately undermine the intent of the law?

The Shared Responsibility Framework doesn’t even protect against fraud well

To be clear, existing laws and regulations are admittedly incomplete, which is precisely why efforts like the current Bill appear necessary. Even if we focus more narrowly on the notion of fraud, the existing framework offers scant protection for the consumer. This is a matter that the Workers’ Party has previously spoken up about.[14] In particular, we believe that the way the Shared Responsibility Framework doles out the burden for dealing with fraud and scams remains incomplete at best, and ineffectual, at worst.

For instance, the responsibilities of telcos in the SRF are currently only limited to texts via Short Message Service (SMS), perhaps due to known vulnerabilities in the system. But can telcos do more? After all, I am sure that many of us have received calls from what appears to be local numbers, phishing for details in a foreign accent. If indeed these are locally-registered numbers (rather than spoofed ones), and these numbers have been reported to ScamShield, could the police use registration documentation to preemptively pursue these scammers?

Moreover, scams are often disseminated via alternative communications channels, such as WhatsApp messages, social media posts or ads, and direct messages on social media platforms. So while phishing texts that seek to prod potential victims into clicking through malicious links or fake websites do exist, the more nefarious scamming attempts of late are reliant on social engineering and establishing relationships, more scam than fraud.

Perhaps more concerning is how the SRF relieves financial institutions from solely bearing the burden of fraud so long as they fulfill a checklist of seemingly-reasonable actions. These include instituting cooling-off periods, real-time notifications of risky transactions, a self-reporting tool for freezing accounts, and a fraud detection system. These are, surely, valuable measures. But they cannot cover reasonable eventualities where the customer does not appear to be much at fault.

One example, based on an experience that I believe many in this House would share, is when a resident encounters an unrecognized transaction in their account. Typically, when they discover such charges on their credit card, they would simply call the bank. The institution would freeze the card, issue a new one, and perform an investigation on the matter, after which (in most cases) the errant transaction would be struck off. Unfortunately, when the charge is on a debit card, things get more complicated. In principle, such transactions would have required some sort of additional PIN verification, which would make fraud far more unlikely. But the rise of contactless payments means that the embedded RFID chip in the card performs the same security function, which negates the need for the PIN. This has permitted fraud of this nature to emerge, via RFID skimming. While the cardholder could certainly take additional steps to protect their phone or cards from such skimming attempts, to me, it is a stretch to claim that the fault lies with the customer, and that they should bear the burden of such unauthorized transactions.

As another example, consider how many banks deal with unrecognized transactions that are reported. The process will usually entail a freeze and an investigation, as I explained earlier. But the investigation itself is opaque, and I’m sure Members will also have residents, as I have, that have reported errant transactions expeditiously, only to be subsequently told that the appeal was unsuccessful, and that they would need to then carry the cost of these charges, even if they had no clue as to how they incurred them.

As a final example, think about how often we receive calls from individuals claiming to be officers from a financial institution. These days, many such calls are fraudulent, and seek to illegitimately obtain the accountholder’s personal information. But when customers do not have telephone banking set up, they are often asked a series of security questions, in lieu of the passcode or PIN. Even if these questions do not rely on the NRIC—which, as the recent BizFile fiasco has demonstrated, is insecure—the answers to these questions may potentially be obtained by any sufficiently motivated investigator. And on the flip side, it is far from clear how, as customers, we can verify that the caller is from a financial institution. I have, on more than one occasion, challenged an actual call from an officer from my bank, and the absence of equivalent mechanisms to verify the legitimacy of the caller was made amply clear.

All this to say that the SRF, as currently conceived, has offered accountholders scant protection from even instances of fraud, even when customers make good-faith efforts to protect themselves. What more scams, which are more sophisticated in design, and target the most vulnerable among us.

Granting trusted administrators the right to issue ROs instead

Hence, there is clearly more work to be done to protect consumers. Even so, there are reasons to have reservations about the manner by which the proposed Bill goes about this task. One may be uncomfortable, specifically, with how the Bill grants law enforcement an enormous amount of latitude to intervene and restrict what is, ultimately, a private transaction.

While there is no perfect solution—and, to be clear, I recognize the well-meaning nature of the effort—I wonder if the law may also exercise flexibility in its application. For instance, is it possible for banks to offer individuals the right to designate a trusted administrator—perhaps a close friend or relative—the full authority to freeze transactions for up to 30 days, in lieu of the police? This would be similar in spirit to a grant of a letter of administration, albeit in a more limited sense. It would also essentially be an extension of the existing Money Lock feature,[15] which already covers 61,000 accounts and $5.4 billion in savings,[16] to designate a third party as an authorized person with the ability to corroborate a genuine withdrawal intent.[17]

Conclusion

Sir, the blurring lines between scams and fraud mean that efforts to tackle the scourge of online and offline thievery require more innovative mechanisms that account for human psychology and behavior. The ROs put forward by this Bill are one way forward. I have expressed some reservations over their intrusiveness, and hope that there will be some exit option for those who, ex ante, insist on opting out. I also urge the government to not be content with this measure alone, but to continue refining the Shared Responsibility Framework to build an ecosystem that is more resilient to scams and fraud. That said, on balance, I support the Bill.


[1] SPF (2024), Annual Scams and Cybercrime Brief 2023, Singapore: Singapore Police Force.

[2] MAS & IMDA (2024), Guidelines on Shared Responsibility Framework, Singapore: Monetary Authority of Singapore and Infocomm Media Development Authority.

[3] Penal Code 1871 (2020).

[4] Sentencing Advisory Panel (2024), Guidelines for Scams-Related Offences, Singapore: Sentencing Advisory Panel.

[5] Corruption, Drug Trafficking, and Other Serious Crimes Act (2020) 1992.

[6] Computer Misuse Act (2020) 1993.

[7] The remaining sections of the code that are covered by the Bill also deal with cheating (Sec. 416–419). Fraudulent deeds are addressed in Sec. 421–424.

[8] Liu, X.F., Y. Ai, C. Jiang, X. Wang & Y. Wu (2024), “Understanding the Human Element in Scams: A Multidisciplinary Approach,” Journal of Information Technology Case and Application Research, pp. 1–16.

[9] Chia, O. (2022), “Scam Victims Often Manipulated into Thinking ‘Emotively’: Experts,” Straits Times, Jul 18.

[10] Chua, N. (2024), “‘We Couldn’t Save Her from Herself’: How Scam Victim Went from $130k in Savings to $600 in 2 Months,” Straits Times, Nov 24.

[11] Sun, D. (2024), “‘I Don’t Want to Know How Much I’ve lost’: Scam Victim Who Transferred $1.19m to Syndicate,” Straits Times, Nov 30.

[12] Wood, S. (2023), “Scammed: Why the Rich, Famous, and Experts Get Duped,” Psychology Today, Feb 9.

[13] Franklin, J., S. Gandel & A. Quinio (2024), “Who Should Foot the Bill for Cyber Scams?”, Financial Times, Dec 11.

[14] Hansard (2023) 95(111): Sep 18; Hansard (2024) 95(119): Jan 10.

[15] Leow, W.X. (2024), “How to Protect Funds Against Scams Using Money Lock,” Straits Times, Mar 12.

[16] Hansard (2024) 95(127): Feb 29.

[17] An alternative is for the police to accept an opt-out directive, made in advance by the accountholder, for the issuance of ROs, which would preserve individual sovereignty over the manner by which they handle their own monies.