 
Why Singapore’s fast payments need faster protections
By Minh-Ha Truong
APP fraud isn’t your typical cybercrime – it bypasses every traditional defence.
Fraudsters are increasingly weaponising Singapore’s rapid payment systems, fuelling a surge in scams.
Last year, authorised push payment (APP) fraud increased by a staggering 30% in Singapore, despite a 27% decline in automated bot attacks. This stark shift reveals that attackers have moved their focus from breaching systems to manipulating users into approving fraudulent payments by exploiting instant settlement and a lack of recall mechanisms.
Financial institutions and regulators must respond. Let’s explore what needs to be done to prevent Singapore’s hyper-efficient payment systems from becoming an easy win for fraudsters.
How real-time payments are exploited
APP fraud isn’t your typical cybercrime. It bypasses every traditional defence – no hijacked sessions, no malware, no system breaches.
Instead, scammers often pose as couriers, bank staff, or government officials, creating a sense of urgency or authority to pressure users into taking action. The login and authorisation appear normal, so the transaction goes through unnoticed – until the money has vanished.
Once a payment is technically authorised, it rarely triggers alerts. Banks see a valid login, correct credentials, and a transaction that fits the rules. With no built-in mechanism to stop or reverse funds once sent, the fraud succeeds through persuasion rather than intrusion, making it hard to detect, hard to prove, and, critically, almost impossible to unwind.
Singapore’s real‑time payment systems prioritise speed and convenience. PayNow, for example, allows users to transfer funds in seconds using only a mobile number, national registration identity card, or unique entity number. These transfers settle immediately, with no pause for risk evaluation or automatic recall.
This design works well when credentials are secure and the intent is clear. But when deception enters the process, the system lacks the tools to challenge it. There’s no behavioural check to pause or verify a transaction made under false pretences.
The migration to account-to-account (A2A) channels fundamentally redefines the security battleground. The critical question is no longer just ‘are the details correct?’ but ‘is the user acting knowingly and willingly?’ Fraudsters are exploiting fear, impersonation, and time pressure to secure approvals that appear legitimate but are, in fact, coerced.
Card‑based payments show the same weakness in a different form. When card data is exposed through phishing, merchant breaches, or insecure storage, it remains valid until it is noticed and blocked. Static card credentials reused across merchants allow repeated unauthorised payments before detection.
The common thread is exposure. Static credentials, whether a card number or an account proxy, create fixed points of vulnerability that can be intercepted, replayed, or misused. Fraud prevention can’t rest on the assumption that authorisation equals consent. Instead, it has to be built into the rails themselves.
The need for tokenisation and controls
Replacing static credentials with dynamic, single-use tokens limits the extent to which intercepted data can travel. A token issued for one device or transaction cannot be reused elsewhere, and the underlying account data never leaves the system.
However, tokenisation alone won’t stop APP scams. It needs to be supported by active controls, such as device binding, push approvals for high-risk transfers, freeze options, and spending caps. These measures give users visibility and make it harder for scams to succeed without raising alarms.
Wallets, whilst often excluded from fraud discussions, offer a structurally different model. Their device-bound credentials and dynamic authorisation make them harder to intercept or replay, reducing exposure without compromising speed.
Scheme‑level tools such as Visa’s Provisioning Intelligence, combined with richer transaction data and behavioural analytics, also enable issuers to intervene in real-time without blocking legitimate spending. The shift is from static authorisation to contextual authorisation, which not only evaluates the credential but also determines whether the transaction makes sense in the moment based on device, location, pattern, and risk score.
These are dynamic frictions: real-time checks that adapt to context, not just credentials. They challenge transactions that pass technical validation but raise behavioural flags, enabling issuers to intervene before approval without blocking legitimate spend.
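The controls named in this section (device binding, freeze, spending caps, push approval for high-risk transfers) can be combined into one contextual decision, sketched here as an added example that is not code from the article or from any issuer. The field names, the threshold, the decision labels and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Account:
    bound_devices: set    # devices enrolled via device binding
    known_payees: set     # payee proxies this account has paid before
    daily_cap: float      # user-set spending cap
    spent_today: float = 0.0
    frozen: bool = False  # user-triggered freeze

@dataclass
class Transfer:
    device_id: str
    payee: str
    amount: float

HIGH_RISK_AMOUNT = 1000.0  # assumed threshold, not taken from the article

def decide(acct: Account, tx: Transfer):
    """Evaluate a transfer whose login and credentials already validated.

    Returns (decision, reasons); decision is ALLOW, PUSH_APPROVAL, HOLD or DECLINE.
    """
    # Hard controls: these stop the payment whatever the context.
    if acct.frozen:
        return "DECLINE", ["account frozen"]
    if tx.device_id not in acct.bound_devices:
        return "DECLINE", ["device not bound to account"]
    if acct.spent_today + tx.amount > acct.daily_cap:
        return "DECLINE", ["daily spending cap exceeded"]
    # Contextual flags: technically valid, but does it make sense right now?
    flags = []
    if tx.payee not in acct.known_payees:
        flags.append("first payment to this payee")
    if tx.amount >= HIGH_RISK_AMOUNT:
        flags.append("high-value transfer")
    if len(flags) == 2:
        return "HOLD", flags           # delay settlement pending review
    if flags:
        return "PUSH_APPROVAL", flags  # step-up confirmation on the bound device
    return "ALLOW", flags

# Constructed sample data, for illustration only.
ACCT = Account(bound_devices={"phone-A"}, known_payees={"proxy-known"},
               daily_cap=5000.0, spent_today=200.0)

if __name__ == "__main__":
    for tx in (Transfer("phone-A", "proxy-known", 50.0),
               Transfer("phone-A", "proxy-new", 3000.0),
               Transfer("laptop-X", "proxy-known", 50.0)):
        print(tx, "->", decide(ACCT, tx))
```

The second sample transfer comes from a bound device and stays under the cap, yet it is held because the payee is new and the amount is high.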
Why regulators must step up
Financial institutions can’t tackle this emerging trend alone. Regulators must also adapt.
Singapore’s Shared Responsibility Framework (SRF), introduced in June 2024, signals a move towards shared liability for digital payment fraud. It sets out obligations for financial institutions and telecoms, such as blocking scam SMS links or detecting phishing sites, and creates a pre‑funded Loss Sharing Arrangement to reimburse victims where those duties aren’t met.
Alongside the SRF, MAS’s revised E‑Payments User Protection Guideline further clarifies the roles of consumers and issuers in cases of unauthorised or erroneous digital transactions. Together, the updates aim to close gaps in liability and promote faster dispute resolution.
Whilst this is a welcome development, the SRF leaves key terms open. Customers must take ‘necessary steps’ to protect themselves, but the guidance doesn’t spell out what that entails in practice. That ambiguity matters when authorisation is technically valid but behaviourally manipulated.
The UK’s Faster Payments Service (FPS) reimbursement rules provide a clearer benchmark. There, victims are reimbursed by default unless the bank can show gross negligence or deliberate fraud.
That flips the burden of proof and has prompted UK banks to adopt upstream controls, such as scam warnings, behavioural analytics, and even delayed transfers, to prevent fraud before it occurs.
Singapore’s model moves in a similar direction but without equally explicit customer protections or reversal rights. Its success will depend on consistent application and transparent dispute handling; otherwise ‘shared responsibility’ risks becoming diluted responsibility.
Instant payments need instant protection 
Singapore has the infrastructure to be a leader in digital payment security. But APP scams highlight the limits of fast payments without fast protections. As digital payment volumes rise in Singapore and tokenised card-not-present transactions drive higher authorisation rates across Asia Pacific, the systems that move money instantly must also enable prevention instantly.
That means reducing reliance on static credentials, implementing tokenisation by default, and giving issuers the tools to spot abnormal patterns, approve intelligently, and act in real-time.
Tokenising by default strengthens fraud prevention whilst simultaneously lifting approval rates. As a result, security and efficiency no longer need to be mutually exclusive.
Consumer‑authorised fraud isn’t new, but the scale and speed at which it’s growing in Singapore make it a structural problem. To lead in payments, Singapore must lead in protection, embedding fraud defences into the rails themselves.