Policy & Regulation

Singapore's Anti-Scam Laws: Restriction Orders and Shared Liability

Singapore fights scams from two directions: police can now freeze a victim's own account before the money leaves, and banks and telcos must pay out when they fail their duties on phishing. Here is how both work — and the big gap that leaves most crypto investment victims uncovered.

3 min read
Table of Contents

Singapore has built one of the most aggressive anti-scam regimes in the world, and it works differently from anywhere else. Two tools stand out: police can step in to freeze a victim's own bank account before they hand money to a scammer, and a Shared Responsibility Framework forces banks and telcos to compensate victims of phishing when they fail their duties. Understanding which one applies to you matters, because there is a large category of crypto loss that neither fully covers.

Jurisdiction matters.

This guide covers scams involving Singapore banks and telcos. Rights differ sharply elsewhere — compare the UK's reimbursement rules, Australia's Scams Prevention Framework, and the US position.

The Protection from Scams Act: freezing accounts to protect victims

The Protection from Scams Act 2025 came into force on 1 July 2025. Its signature power is unusual: it lets the police issue a Restriction Order (RO) to a person's banks when there is reasonable belief that person is being manipulated by a scammer and is about to transfer money.

The order restricts the victim, not the scammer.

An RO temporarily blocks the victim's own outgoing transfers, ATM withdrawals, and credit facilities — a circuit-breaker for cases where someone under a scammer's spell will not listen to family or the bank. It is used only as a last resort.

An RO lasts up to 30 days and can be extended up to five times, giving authorities time to break the scammer's psychological hold. It is a preventive tool — it stops money leaving — rather than a way to get money back after the fact.

The Shared Responsibility Framework: payouts for phishing

The Shared Responsibility Framework (SRF) took effect on 16 December 2024. Issued by the Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA), it assigns concrete duties to banks and telcos and requires them to pay affected victims when those duties are breached.

Key duties include:

  1. 1

    12-hour cooling-off

    Banks must impose a cooling-off period after a digital token is activated on a new device, blocking high-risk actions during that window.

  2. 2

    Real-time alerts

    Customers must get instant notifications for new-device logins, token activation, and high-risk outgoing transactions.

  3. 3

    A 24/7 kill switch

    Every bank must offer a self-service way to instantly freeze an account when a customer suspects unauthorised access.

  4. 4

    Telco duties

    Telcos must block scam SMS through the Singapore SMS Sender ID Registry and filter malicious links.

If a bank or telco fails a duty and a customer loses money to a covered phishing scam, the framework operates as a waterfall: the bank is considered first, then the telco. Where duties were met, the loss may stay with the customer.

The gap that catches most crypto victims

Here is the critical limit. The SRF covers phishing — scams where you were tricked into revealing credentials on a fake site and the scammer then took money from your account without your knowledge. It does not cover scams where you authorised the payment yourself, such as most fake crypto investment and pig butchering scams.

Phishing: scammer drains your account

May be covered by the SRF

Investment scam: you send crypto yourself

Not covered — an authorised transfer

Two scams, two very different outcomes under Singapore's rules.

If you bought crypto and sent it to a fraudulent "platform," that is an authorised transaction, and the SRF payout does not apply. Your realistic path is fast reporting, account freezing, and understanding whether the crypto can be recovered — not a bank payout.

What to do if you were scammed in Singapore

  1. 1

    Use your bank's kill switch

    If you suspect unauthorised access, freeze the account instantly through your banking app or hotline, then call the bank.

  2. 2

    Report to the police / ScamShield

    Call the Anti-Scam Helpline (1800 722 6688) or report through ScamShield. Fast reporting gives the Anti-Scam Centre a chance to trace and freeze funds at receiving banks.

  3. 3

    Ask about the SRF if you were phished

    If your loss came from a phishing link and unauthorised transactions, ask your bank to assess it under the Shared Responsibility Framework.

  4. 4

    Preserve every record

    Keep the phishing SMS, fake website, transaction references, and wallet addresses — essential for both a claim and any tracing effort.

Frequently asked questions

Can Singapore police really freeze my own account?

Yes. Under the Protection from Scams Act, police can issue a Restriction Order blocking your outgoing transactions for up to 30 days (extendable) if they reasonably believe a scammer is manipulating you — a last-resort intervention to protect you from yourself.

I lost money to a crypto investment scam. Will the SRF pay me back?

Usually not. The Shared Responsibility Framework covers phishing, where money left your account without your authorisation. An investment scam you paid into yourself is an authorised transfer and falls outside it.

Who pays first under the Shared Responsibility Framework?

It follows a waterfall: the bank's duties are assessed first, then the telco's. Payout depends on whether a duty was breached — it is not an automatic refund for every phishing loss.

How does this compare with other countries?

Singapore is strong on prevention but narrow on payouts. The UK mandates broad reimbursement, Australia uses fault-based duties, and the US has no mandatory bank refund at all.

Key takeaways

  • The Protection from Scams Act (July 2025) lets police freeze a victim's own account for up to 30 days to stop money reaching a scammer.
  • The Shared Responsibility Framework (Dec 2024) makes banks and telcos pay for phishing losses when they breach their duties.
  • Payouts follow a waterfall — bank first, then telco — and only where a duty was breached.
  • Authorised transfers, including most crypto investment scams, are not covered by the SRF.
  • Freeze the account, report to the Anti-Scam Helpline or ScamShield immediately, and keep all evidence.

Know someone who needs this? Share it.

Scambulance will never ask for your private keys, passwords, or seed phrases. Anyone promising guaranteed fund recovery is likely a scammer.

Were you the victim of a crypto scam?

Knowledge is your first defense — but if it has already happened, the most important step is reporting it properly. Scambulance guides you through every step, free.