How hyper-personalised scams are reshaping fraud management

Scams and cybercrime remain a pressing concern in Singapore. The total number of cases increased by 49.6% to 50,376 in 2023, compared to 33,669 in 2022.

Investigations into the possible involvement of 173 men and 93 women, aged 16 to 78, as money mules or scammers were recently carried out in Singapore. The suspects are believed to have been linked to over 1,011 fraud cases, spanning investment, job, friend impersonation, online love, e-commerce, and fake buyer scams. These cases reportedly resulted in victims losing more than SG$5.55 million.

In response to the growing scam problem, Singapore has proposed the Protection from Scams Bill, submitted to Parliament on November 11, to deter victims from giving money to scammers. As the cybersecurity landscape evolves, threat actors have grown increasingly sophisticated, leveraging new tools and techniques.

This evolution is likely to lead to another major shift in scam tactics. Schemes are becoming more intricate and hyper-personalised, enabling bad actors to target smaller, highly specific groups rather than attempting to defraud tens of millions at once.

Who is most at risk, and how can individuals and organisations protect themselves against these evolving threats?

Who is at risk, and what are the telltale signs to look out for?

While hyper-personalised attacks primarily put more targeted groups at risk, the reality is that everyone remains vulnerable. According to Ping Identity’s 2024 Consumer Survey, 86% of Singaporean consumers lack complete trust in companies handling their personal information. Furthermore, 95% of respondents said they would feel more secure if organisations used verification methods such as biometrics and multi-factor authentication (MFA). Notably, 87% expressed a desire for changes in how they log in to websites and applications, reflecting a widespread demand for seamless digital experiences.

Identity theft, data breaches, and financial loss emerged as consumers’ top concerns regarding the online presence of their personal information. Individuals who accessed online banking (69%), social media (68%), and online shopping (72%) reported feeling most vulnerable to identity theft.

Threat actors are increasingly customising phishing and vishing attacks by purchasing and using data on millions of individuals. These attackers are becoming more effective by exploiting the wealth of personal information available online to deeply understand their targets.

One example of such tactics is their use in extortion schemes. Cybercriminals manipulate victims by using personal information, such as email addresses and passwords, to create the illusion that their accounts have been compromised. Presenting the password as “proof” of a breach, they claim to have access to private information stored on a device. Victims are then threatened with exposure to friends, family, or colleagues unless they pay an extortion fee. The catch? These scammers often lack the access they claim to have. Nevertheless, they capitalise on fear, coercing victims into paying.

Because they are more susceptible to hyper-personalised schemes, businesses — particularly those with large workforces or substantial financial resources — face significant threats to both their finances and reputation. Attackers may target a company’s finance department or seek to embarrass and exploit CEOs through these sophisticated schemes.

How to protect yourself from hyper-personalised scams

How can companies safeguard themselves against highly customised scams?

The first step is comprehensive cybersecurity training across the organisation. Employees at all levels, regardless of their roles, need to understand the risks they may face and serve as the first line of defence. Teams should be trained to recognise red flags such as urgent calls or emails requesting payment or urging the transfer of funds using untraceable currencies like Bitcoin.

To better detect, prevent, and defend against emerging fraud and scam trends, security teams should also review their existing cybersecurity and fraud prevention measures. Establishing a culture of secure identity through tools like MFA or adaptive authentication is a key preventative measure. These solutions bolster network and data security, even if a fraudster gains initial access to a system.

MFA requires users to authenticate themselves using multiple pieces of verifiable information, adding an extra layer of protection for sensitive data.

Autonomous identity systems, which use AI and ML, can help identify blind spots and security gaps. These systems enhance existing identity governance and administration (IGA) frameworks by assessing, recommending, and automating user access privilege remediation.

As fraud continues to evolve, organisations must act now to protect themselves and their employees before it’s too late.