Singapore’s Scam Surge Strategy: What Enterprises Must Do Now Under the New Shared Responsibility Framework

Scam losses in the Asia-Pacific region continue to escalate, positioning the area as a global testing ground for phishing innovations. Singapore’s recent implementation of the Shared Responsibility Framework (SRF) serves as a critical alert for enterprises: both regulators and customers are demanding heightened vigilance.

Scam Surge, APAC-Wide

In Singapore, the total number of scam cases increased by 10.6% to 51,501 cases in 2024, up from 46,563 in 2023. The total amount lost surged by 70.6% to at least SGD 1.1 billion in 2024, compared to at least SGD 651.8 million in 2023. Cryptocurrency losses accounted for about 24.3% of total scam losses in 2024, a significant rise from 6.8% in 2023. While overall losses increased, the average loss per victim actually dropped by 40%, from SGD 5,300 in 2023 to SGD 3,200 in 2024—suggesting scams are growing in volume, if not always in per-case severity.

In South Korea, voice phishing scams resulted in damages totaling 3.87 trillion won (approximately USD 2.9 billion) over 15 years through 2021. While specific 2024 data is limited, reports indicate that voice phishing remains a significant concern.

Scam tactics are evolving rapidly: AI-generated fake sites, real-time credential harvesting, and impersonation across SMS and social platforms. These industrialized fraud operations pose a substantial threat to APAC businesses across all industries, from banking and e-commerce to telecommunications and travel.

Singapore’s SRF: Raising the Bar

Implemented in December 2024, Singapore’s SRF puts legally binding scam-prevention duties on financial institutions and telcos. It defines who does what – and who pays when customers fall victim.

For Banks & Financial Institutions:

• Enforce a 12-hour cooling-off period after digital token activations or logins from new devices.
• Provide real-time notifications for account activations, new logins, and outgoing transactions.
• Offer 24/7 fraud reporting and a customer-activated “kill switch” to freeze access.
• Implement real-time fraud surveillance for fast-draining scams.
  

For Telcos:

• Connect only to authorized aggregators to deliver Sender ID SMS.
• Block Sender ID SMS from unverified sources.
• Deploy scam filters to stop SMS with malicious links.
• If either party fails its duties, it pays. If both comply, the consumer may still bear losses. The framework is crystal clear: responsibility is now shared, but accountability is enforceable.

A Regional Signal, Not Just a Singapore Story

Don’t mistake this as Singapore-specific. The SRF is emerging as a potential model for broader regulatory reform in the region. Governments across APAC are watching closely, and some are already moving.

South Korea is tightening SMS spoofing laws and rolling out proactive credit protections, with over 4,000 financial institutions signed on to a new pre-blocking system that prevents unauthorized loans before they happen. Amendments to its Telecommunications Business Act now require businesses to register as bulk SMS senders and implement safeguards against caller ID spoofing.

The message is consistent: when scam volume explodes, regulators won’t wait for the private sector to figure it out.

Reactive Isn’t Resilient

Tick-the-box compliance might keep you legal, but it won’t keep you safe. Most enterprises still rely on MFA, transaction monitoring, and takedown services. These are table stakes – and scams are blowing right past them.

Modern phishing scams don’t just trick users. They impersonate entire user experiences. They manipulate login flows, spoof brand interfaces, and use stolen credentials in real time. By the time fraud teams detect anything, damage is done.

Fraud teams can’t catch what they can’t see. SOCs need context-rich alerts that mean something. And digital leaders need ways to protect the brand experience without blocking real users.

What Enterprises Must Do Now

1. Treat Real-Time as the New Baseline

You need visibility during the attack, not after. That means detecting when a user is interacting with a fake version of your site, getting phished, or being guided into an ATO. Real-time scam defense means knowing who’s being phished, when, and how—while it’s happening. That’s no longer futuristic. It’s already happening in high-risk sectors.

2. Make Scam Protection User-Visible

Consumers now expect early warnings and authenticity indicators. If your brand isn’t giving them assurance at key digital touchpoints, trust erodes fast. Whether you’re in banking, eCommerce, or telecom, real-time impersonation visibility is the new foundation of digital trust.

3. Prioritize Prevention Over Remediation

It’s no longer about cleaning up after fraud. It’s about stopping it midstream: locking out bad actors, redirecting scammed users safely, and preserving account integrity before funds move.

4. Learn from Regional Leaders

Singapore’s shared liability framework, South Korea’s pre-blocking model, and emerging safeguards across APAC all point toward one truth: resilience is a team sport. Enterprises that isolate scam response within fraud teams will fall behind.

Compliance Isn’t the Finish Line

The SRF marks a shift from consumer education and blame to institutional accountability. For enterprises across APAC, the writing is on the wall: if you touch customer data, payments, or communications, scam defense is your job.

The enterprises already investing in real-time visibility are the ones shutting down attacks before they reach your fraud team—and before the story hits the news.

Enterprises that treat this moment as a regulatory burden will spend the next year firefighting. The rest are already investing in solutions that accompany attacks in real time, identify victims mid-scam, and shut down threats before damage spreads.

Singapore didn’t just draw a line. It raised the bar. And the rest of APAC won’t be far behind.

Lior Derry