New cyber decree ‘not enough’ as fake apps spread and mule accounts persist, consumer council warns

Since the second version of Thailand’s Royal Decree on Measures to Protect Victims of Technology Crime (the “cyber decree”) took effect in April 2025, consumers have continued to face the same cybercrime problems—especially difficulties in getting money back—despite expectations of clearer accountability and stronger mechanisms.

Cases generally fall into two main categories: phishing and spoofing scams, which are covered by the decree, and cases where victims are tricked into transferring money themselves, such as investment fraud. Thailand still lacks key pre-transaction safeguards, such as delayed transactions, which have been used in several countries and shown to reduce losses, prompting calls for loopholes to be closed and measures strengthened.

Saree Ongsomwang, secretary-general of the Thailand Consumers Council, said cyber fraud has not eased but has instead become more complex. She pointed to significant gaps across platforms, banks and telecom operators—such as app listings on iOS and Android that do not sufficiently verify whether an app is genuine or fake.

She also said the Electronic Transactions Development Agency (ETDA) has not been able to register platforms or enforce responsibilities as required by law, leaving consumers exposed to newly created fake apps and pages that can appear repeatedly without effective barriers.

Banks: progress, but mule-account gaps remain

Saree said enforcement of Bank of Thailand (BOT) measures is among the most advanced, but major gaps remain—particularly the absence of a shared-liability requirement for banks when mule accounts are used. Mule accounts, she said, should be blocked from transferring funds at the outset, yet many can still transact.

She also flagged the use of mule accounts via juristic persons, saying some companies have failed to submit financial statements for more than five years without being struck off by the Department of Business Development, allowing such entities to be used repeatedly to deceive consumers.

She added that the BOT’s definition of “vulnerable groups” may not reflect reality. Current measures focus on those aged 65 and over, while people aged 60 and above are also frequently targeted, yet may not receive the same protections.

Telecoms: tougher SIM takedown process criticised

Another concern, Saree said, is the telecom sector. She argued that NBTC measures have made it harder to shut down scam SIMs because providers must now wait for an NBTC order before acting. Under earlier rules, providers could detect SIM boxes and shut them down immediately—meaning some operators that previously acted quickly are now more constrained.

She also said registration rules requiring real identities are still not strict enough, enabling fake pages and apps to keep resurfacing without effective verification or enforcement.

Victims forced to sue, compensation still unclear

With legal measures failing to prevent cybercrime effectively, Saree said consumers often have to file lawsuits themselves. In some cases, victims are told they are not “consumers” and receive no help, forcing them to hire lawyers—often at fees of 10% of the damage amount, rising in some cases to 20% even after winning.

Many victims are left financially ruined and unsure how to proceed, she said, while complaints can yield different answers depending on which agency is approached. With no central standard for compensation, she called for the establishment of a fund to jointly provide relief to victims.

She also criticised a “piecemeal” approach, noting that legal provisions requiring platforms to act within 24 hours after receiving notice of false content are still too slow in practice. Cybercrime can cause damage within minutes, and scammers can move funds through multiple layers quickly. She urged the timeframe to be cut to no more than two hours, or even 30 minutes to one hour, which she said is feasible with real coordination and would reduce harm.

Push for automatic liability and delayed transfers

The Consumers Council is calling for an automatic liability system to incentivise platforms and financial institutions to prevent cybercrime, noting that many countries set clear penalties and compensation mechanisms. In Thailand, however, consumers must pursue cases themselves, even though service providers and regulators should have stronger duties of care.

To reduce cyber losses in a meaningful way, Saree said Thailand needs pre-incident safeguards, particularly a delayed-transfer system that gives consumers time to verify transactions before funds leave their accounts. The council has pushed the measure for more than two years, she said, while Singapore has already implemented similar steps with proven results. Automatic compensation and shared liability, she argued, must be pursued in parallel—rather than leaving consumers to fight alone in a slow system that cannot keep up with modern cyber threats.

Complaints data

The Consumers Council said it received 18,687 complaints related to cyber risks between October 2024 and September 2025. The most common issues involved SMS messages with fake links, online purchases where goods were not delivered, and being tricked into transferring money by call-centre scam gangs.

It also noted 111 cases in which it was assisting consumers facing financial-fraud disputes after being sued by credit card companies and banks, stemming from scams. The high number of victims, it said, reflects weaknesses in existing mechanisms and leaves consumers forced to complain to multiple agencies, with no single body taking direct responsibility—despite most cases involving cyber-enabled fraud rather than simple telephone scams.