The Singapore Police Force is warning of a rise in scams using phished card credentials and mobile wallets.
From 1 Oct to 31 Dec 2024, at least 656 reports where phished card credentials were provisioned to mobile wallets were lodged, with losses amounting to at least $1.2 million. Of these cases, at least 502 reports involved cards linked to Apple Pay.
The modus operandi starts with the scammer obtaining the victim’s card credentials through e-commerce related phishing websites, including social media advertisements. The scammer then adds the card details onto the Apple wallet of his own device and inercepts the SMS One-Time Password enttered by the victim at the phishing site.
After successfully taking over the victim’s card, the scam syndicate conspires with a money mule to purchase high value electronic items or luxury goods by connecting the mule’s mobile device to the scammer’s Apple wallet.
In a joint statement with the country's central bank and cybersecurity agency, the SPF states: "The SPF, CSA, and MAS have been working with the banks, mobile wallet providers such as Apple, and card service providers to impose measures to arrest this trend. We urge the stakeholders to cooperate with us, and impose measures to protect their customers."