On the Online Criminal Harms Bill – Speech by Gerald Giam

The Online Criminal Harms Bill (“the Bill”) was introduced for the purpose of empowering the authorities to combat online crimes more effectively, and safeguard the public in Singapore from various online harms. It is also supposed to enable swift government action against online criminal activities, proactively preventing scams and malicious cyber activities to protect potential victims. 

Scams are the online criminal activities that loom largest against Singaporeans these days. While I support the Bill, I would like to seek clarification on how the Bill will be able to empower the authorities to deal with scams in ways that existing legislation does not.

According to data from the Singapore Police Force (SPF), the victims of some 31,700 scam cases were cheated of almost $661 million in 2022 — $29 million more than the year before. This works out to an average of almost $21,000 cheated per case. These are staggering amounts of hard earned savings of Singaporeans lost to scammers. Quite a few victims are my residents who approached me for help to recover their lost savings. Sadly, in most cases, the money had been spirited overseas and could not be recovered.

The Infocomm Media Development Authority (IMDA) and police currently work with Internet service providers to block scam websites. In 2021, 12,000 suspected scam websites were blocked, many with the help of artificial intelligence (AI) algorithms that can quickly detect and block scam websites. This means that if a new phishing website was set up to collect usernames and passwords of bank customers, the Government is already empowered to immediately order that website to be blocked, so that no more users in Singapore can access it. What difficulties have the authorities faced in expeditiously blocking actual scam websites, that necessitates the introduction of this Bill?

I note the Minister’s explanation in her speech just a moment ago that this Bill will enable the authorities to block websites if there is reasonable suspicion that they are being prepared in advance of a scam. Can I confirm that this means if someone were to register a domain name that is a variant of, say dbs.com, it will get proactively blocked, even if the website does not contain any content yet and even if that domain is registered overseas? 

Similarly, if a telephone number is reported to have been used to carry out scams, is the Government already empowered to direct telcos to immediately block such numbers? Are there any encumbrances to doing so now that require this Bill?

The Minister previously said that scam calls made over the Internet, such as through messaging apps like WhatsApp, are currently not blocked. With this Bill, would scam calls made over the internet now be blocked through an Account Restriction Direction that can be issued to Online Service Providers?

Will SMS redirection attacks, which redirect text messages containing OTPs sent from banks to hackers, be more effectively blocked under this Bill, and if so how will it be more effectively prevented than under the current regime?

The National Crime Prevention Council (NCPC) and Open Government Products has developed ScamShield, an anti-scam app which automatically blocks scam calls, detects scam messages and allows users to report scam messages and calls. I’m glad to note that a version of ScamShield for Android devices has finally been released. However, in order for SMSes from known scam numbers to be blocked, a user will need to install the ScamShield app and give the app permissions to read their SMS and contacts. This is a multi-step process, which some non-technical users may struggle with. Indeed, even technical users may be reluctant to grant such intrusive access on their phones.

The NCPC says that more than 600,000 people have downloaded the ScamShield app. This means more than 5 million residents in Singapore still do not have ScamShield installed, and presumably more do not have the app setup to block scam messages. To better protect potential victims of scams who are unaware of ScamShield or choose not to install the app on their phones, the Government should direct telcos to block all verified scam messages and calls, without depending on end users to install ScamShield. These should include those scam phone numbers reported by end users through ScamShield and verified by the NCPC and the police. Time is of the essence, since it only takes seconds for an unwitting victim to click on a phishing link and enter their username, password and OTP, and for the scammers to clear out their bank account or CPF accounts.

While the ScamShield app, ScamShield bot and website do provide forms for people to report suspected scams, how many people are aware of these reporting channels and actually use them? How does the Government intend to promote its use? How will they encourage their use and explain it to those who find it challenging with adopting such technology?

The ScamShield bot is able to take in reports of scam messages in non-English languages, but can only reply to users in English. Are there plans to enable it to reply in Chinese, Malay and Tamil, so that more non-English speakers can interact with the bot?

More should be done to leverage the knowledge of the entire population to more quickly and comprehensively identify scams, and block scam numbers before more people fall victim to them. This can be done through better publicity of these reporting channels, giving updates to users when their reports were used for police investigations or when the number is blocked, and making it easier for users to report scams.

The scam epidemic is a gargantuan problem which needs to be tackled more effectively by the Government, telcos and financial institutions. I hope that this Bill will give these agencies and organisations more levers to do so, to prevent more Singaporeans from falling victim and losing their hard earned savings to these criminals.

Thank you.