Counting the cost of digital trust

News of how a financial advice columnist at American magazine The Cut lost US$50,000 (S$68,000) in a scam shocked the internet in February. 

In her column published on Feb 15, Ms Charlotte Cowles said she had received a call from an Amazon customer service agent alerting her to fraudulent purchases under her account and claiming that the Federal Trade Commission (FTC) was involved due to numerous identity thefts and false accounts on the platform.

What followed were calls with officials – or so she believed – from the FTC and the Central Intelligence Agency, who claimed that 22 bank accounts, nine vehicles and four properties had been registered in Ms Cowles’ name. More than US$3 million had been wired overseas from the bank accounts, and she was being investigated for drug smuggling and money laundering.

The bogus government officials knew her home address, Social Security number, the names of her family members, and that her two-year-old son was playing in the living room on that fateful day in October 2023. She was also told that her home was being watched, her laptop had been hacked and her family was in imminent danger. 

Ms Cowles, who also writes a weekly column in the business section of The New York Times, does not fit the profile of an easy prey. But her tale is becoming increasingly familiar to many young adults, even if they are digitally savvy.

A 2022 analysis by the FTC stated that Gen Z, millennials and Gen X are 34 per cent more likely to report losing money to fraud compared with those over 60 years old. This includes online shopping fraud involving advertisements on social media, cryptocurrency investment scams and job scams. 

Experts said young people are susceptible to get-rich-quick schemes, as they have inherited inflation and high housing costs – a global phenomenon. Their high digital connectivity and trust of what they see on social media also get the better of them.

Trust under siege

In Ms Cowles’ case, the scammers used fear tactics to alter her sense of reality. While it showed that anyone can become a victim, it also underscored how easily trust can be won – and eroded.

Trust is the bedrock of a progressive, digital society. Yet, rapid digital transformation can come at the cost of trust.

One of the downsides of going online is that on the internet, nobody knows if you are a dog, a robot or a scammer, making deception more easily carried out.

Indeed, the cleverness of impersonation tools and slack user verification online have given criminals a massive boost over the last two decades, making it easier to impersonate authorities or agents from reputable firms to gain trust with unsuspecting victims.

A 2023 report from Netherlands-based Global Anti-Scam Alliance captures the growing problem: Scammers stole over US$1 trillion from victims that year, equivalent to 1 per cent of the global gross domestic product (GDP).

The International Criminal Police Organisation said in March 2024 that technology is enabling organised crime groups to better target victims around the world. 

The anonymous dark web, which first emerged in 2000, teems with stolen personal data and credentials obtained from the breached systems of governments, banks, payment firms, airlines and retailers, which can be used in nefarious ways.

Social media allows anyone to broadcast user-generated content and methodically advertise to billions of people based on their age, interests or past purchases. Criminals have taken advantage of these tools. 

In just about every scam currently being perpetrated, criminals are also using artificial intelligence (AI) tools for productivity gains and to make their deceptions more effective.

Phishing e-mails, for one thing, are now far more convincing, thanks to generative AI tools like ChatGPT which correct suspicious spelling and syntax errors. AI also allows vast amounts of personal information on social media to be harvested for more personalised phishing messages. 

In phone call scams, robots are helping organised crime groups make unsolicited calls. AI can also remove foreign accents from callers’ voices, making them sound more like a local representative. Most alarmingly, AI is used to create deepfake voices, images and videos. A scammer can grab as little as 30 seconds of someone talking on YouTube, TikTok or Instagram to create an AI version of that person’s voice. 

Deep fake voice clones have been used in family emergency scams, which the FTC started warning Americans about in March 2023. In a special Congress hearing on AI and fraud in November 2023, Philadelphia attorney Gary Schildhorn said he almost became a victim. On his way to work in 2020, he picked up a phone call to the panicked voice of his son claiming that he needed US$9,000 to post bail following a car crash. He became uneasy and called his son to verify the accident when asked by the scammer to send the money through a Bitcoin kiosk.

Most recently in February, CNN reported that a finance worker at a multinational firm in Hong Kong was duped into paying US$25 million to fraudsters after attending a multi-party video conference call with deepfake recreations of the company’s UK-based chief financial officer and other members of staff. 

Restoring trust

A common phrase in the business world, “Digitalise or die”, neatly sums up what economies and businesses must do, even when going digital does not look pretty for now.

Here’s why.

The World Bank said the digital economy – which captures the value of economic activities produced and distributed using digital technologies – will fuel the future economy.

The digital economy, which makes up more than 15 per cent of global GDP, has expanded twice as fast, at least, as the value of physical goods over the last 10 years. E-commerce, e-banking, online advertising, internet search engines, on-demand ride hailing and cyber-security services are major contributors to the current digital economy.

Undergirding these activities is trust, without which data cannot flow freely and across borders for everything from networking to on-demand manufacturing to payment and order fulfilments.

Today, so much of daily life is carried out online, be it bill payments, banking, work meetings, classes or shopping.

But all these activities require trust in the sharing of data across networks – and trust, once lost, may not be easily regained.

Governments have a key role in safeguarding trust, by mandating that organisations secure their systems to protect the personal data of consumers, or risk being penalised.

A 2021 survey by the Public Affairs Council, a US association for public affairs professionals, found that the least trusted industries in the US were those perceived as having the least regulation and oversight. They included the technology sector, which has, in fact, continued to fall in the eyes of the public in terms of trustworthiness.

The European Union General Data Protection Regulation (EU GDPR) is the gold standard for user data protection. The California Consumer Privacy Act is the US’ equivalent of the GDPR, while Singapore’s Personal Data Protection Act takes reference from the GDPR.

Under these laws, organisations are required to seek consumers’ consent – including when web browser cookies are used – for their personal data to be collected.

Organisations must also be transparent about what data is collected and how it will be used, and promptly notify consumers about data leaks.

On top of complying with personal data protection regulations, critical services operators such as those in the banking, energy and transport sectors are also governed by strict cyber-security laws, such as the NIS2 Directive in the EU and Singapore’s Cybersecurity Act.

However, many digital infrastructure players such as social media and e-commerce platforms are not regulated in similar ways to safeguard the welfare of consumers.

One of the complaints is that these platforms do not have stricter identity verification. Fake personas can be easily created to promote scams, manipulate political opinion and spread fake news. Bots, which generate half of global internet traffic today, are behind many of these fake accounts.

One of the front runners in stringent identity verification is LinkedIn, which allows account holders to display a badge when their personal information is certified as true. Currently, however, verification is optional.

Another complaint is that social media companies do not govern the misuse of their algorithms, which prioritise news feeds that reinforce existing interests or beliefs, to amplify inherent biases and promote misinformation, hate and polarisation.

The Brexit vote in 2016 leading to Britain’s exit from the EU, and Donald Trump’s election as the president of the United States in 2016, are widely believed to have been aided by bots amplifying biases and misinformation to target undecided voters.

In the absence of self-regulation by social media and online businesses, government laws may be needed to curb such misuse of these platforms. But many jurisdictions have found it hard to come up with targeted legislation that does not curtail speech.

One promising anti-fraud tool that could help boost trust in major digital infrastructure players is blockchain technology.

A blockchain is essentially a searchable digital ledger and authentic record of a transaction’s information – for instance, regarding one’s health records, academic qualifications or property ownership. 

Blockchain also allows the ownership of digital goods, such as artworks or concert tickets, to be safely transferred and validated when resold. Scammers will not be able to sell what they do not have, or multiple copies of the artwork or ticket.

But blockchain’s use has yet to become mainstream, partly because of its association with cryptocurrencies, which criminals use to launder dirty money, defraud investors, buy illicit goods and scam victims.

Blockchain has also fallen out of favour with investors, having been overshadowed by generative AI tools since late 2022 when ChatGPT burst onto the scene.

While much more needs to be done by institutions and businesses to shore up trust in their organisations, the demand side merits looking at as well. Policymakers should be investing in developing digital hygiene and literacy skills among consumers to recognise misinformation and protect themselves online.

The woes of the digital world, as players try to close the gap between rapid digitalisation and security safeguards, are unlikely to go away any time soon.

But there is a pathway, argue the authors of the Digital Intelligence Index, published by Tufts University’s Fletcher School. They say the more digitally evolved economies, such as Singapore, have strong institutions alongside the momentum for innovation-driven growth.

What is the cost of building or restoring trust? It may cost more not to invest in it.

The Singapore Perspective

In line with global trends, total scams and cybercrime cases in Singapore jumped to 50,376 in 2023, from 33,669 in 2022.

Scams involving jobs ($135.7 million), e-commerce ($13.9 million), fake friend calls ($23.1 million), phishing ($14.2 million) and investments ($204.5 million) were the top five ruses that Singaporeans fell prey to in 2023.

The true cost of these scams is much more than a dollar figure. They also cause emotional distress to victims, their families and businesses, and lead to a loss of trust in contacts and people around them, experts have said.

Recognising these costs, the Singapore government has played an active role in online protections through regulation.

A key piece of legislation is the Personal Data Protection Act, which was fully effective in July 2014. It compels organisations to be accountable for personal data leaks, which could fall into the hands of criminals.

Under revisions to the law in 2020, the penalities for a data breach may be up to 10 per cent of a company’s annual turnover in Singapore, or $1 million, whichever is higher. Previously, fines were capped at $1 million.

Many liberal democratic countries that value freedom of speech have found it hard to come up with targeted legislation to deal with misinformation, which destroys trust in public institutions. Singapore, however, is an exception with the roll-out of two laws that have drawn some controversy.

The Protection from Online Falsehoods and Manipulation Act, which came into force in October 2019, allows the authorities to order a correction direction to the communicator of a falsehood. They can also order technology companies to shut down fake accounts and bots on their platforms.

The second law, the Foreign Interference (Countermeasures) Act, was passed in October 2021 to counteract foreign influence in domestic politics through hostile information campaigns and the use of local proxies. Among other things, it empowers the Minister for Home Affairs to order social media and other online platforms to aid in investigations of hostile communications activity.

The Singapore Government also takes the lead in many matters concerning cyber security. In October 2023, the nation’s cyber-security watchdog came up with a list of recommended anti-virus apps, with features such as malware and phishing detection, and urged the public to download them. The move is part of the latest national campaign by the Cyber Security Agency of Singapore.

Major retail banks in Singapore have started offering a “money lock” feature that allows customers to set aside a specified sum of money that cannot be transferred digitally, marking a return to bricks-and-mortar practices to give people greater assurance.

Source: Straits Times © SPH Media Limited. Permission required for reproduction.

Bank of Singapore takes action against employees for misusing medical benefits ADV: SUSS School of Law – Apply by 15 July