The Singapore Police Force (SPF), the Cyber Security Agency of Singapore (CSA) and the Monetary Authority of Singapore (MAS) issued a joint advisory on unauthorised card transactions in Singapore carried out through contactless Near Field Communication (NFC) mobile payments after criminals phish card credentials and add them to mobile wallets. The agencies described a modus operandi in which victims are directed to e-commerce related phishing websites and tricked into entering SMS one-time passwords that enable scammers to provision the victim’s card to an Apple Wallet, before syndicates collaborate with money mules to make in-person purchases of high-value goods via contactless payments. From 1 October to 31 December 2024, at least 656 reports of phished card credentials being provisioned to mobile wallets were lodged, with losses of at least 1.2 million, and at least 502 reports involved cards linked to Apple Pay. SPF, CSA and MAS are working with banks, mobile wallet providers and card service providers to impose measures to curb the trend, and urged consumers to avoid sharing card and banking credentials, verify websites and links, monitor OTPs and provisioning notifications, and tighten security settings such as transaction alert thresholds and overseas-use controls.
Monetary Authority of Singapore 2025-02-17
Monetary Authority of Singapore joins police and cybersecurity agency to warn on phishing-driven mobile wallet provisioning behind contactless card fraud
The Singapore Police Force, Cyber Security Agency of Singapore, and Monetary Authority of Singapore issued a joint advisory on unauthorized card transactions via contactless Near Field Communication mobile payments. Criminals phish card credentials to add them to mobile wallets, causing significant financial losses. The agencies are working with banks and service providers to curb this trend and advise consumers on enhancing security practices.