Thailand’s latest legal framework aimed at curbing cybercrime has failed to slow the pace of online fraud, leaving consumers vulnerable despite regulatory changes. Even after the second version of the Royal Decree on Measures to Protect Victims of Technology Crime (the cyber decree) came into force in April 2025, cyber fraud driven by fake mobile apps, phishing scams and mule bank accounts continues unabated.
The warning has been issued by the Thailand Consumers Council, which says that while the law clarifies accountability on paper, the system remains weak on rapid enforcement, shared liability and timely recovery of lost funds.
Two Types of Scams, the Same Outcome
According to the council, cybercrime cases in Thailand broadly fall into two categories. The first involves phishing and spoofing scams, which are covered under the cyber decree. The second includes cases where victims are manipulated into transferring money themselves, such as fake investment schemes and call-centre frauds.
The most glaring gap across both categories is the absence of pre-transaction safeguards, especially a delayed-transfer system that temporarily holds transactions to allow consumers time to verify them. Such mechanisms have proven effective in several countries, but Thailand has yet to implement them.
Weak Oversight of Fake Apps
Council Secretary-General Saree Ongsomwang said cybercrime has not diminished but has instead become more complex and sophisticated. She pointed to structural gaps spanning digital platforms, banks and telecom operators.
Major app ecosystems such as iOS and Android, she noted, lack rigorous verification of app listings, allowing fake apps to repeatedly surface. At the same time, the Electronic Transactions Development Agency (ETDA) has struggled to fully register platforms and enforce legal responsibilities, leaving consumers exposed.
Banking Sector: Mule Accounts a Persistent Threat
Saree acknowledged that guidelines issued by the Bank of Thailand (BOT) are relatively robust, but said enforcement gaps—particularly around mule accounts—remain severe. Such accounts, she argued, should be blocked at the outset, yet many continue to operate and move funds.
A growing concern is the use of mule accounts opened in the names of juristic persons (companies). Several firms have failed to submit financial statements for more than five years without being struck off, allowing fraudsters to repeatedly exploit these entities.
Telecom Rules Slow Down Action
The council also raised concerns about telecom regulation under the National Broadcasting and Telecommunications Commission (NBTC). Under new rules, telecom operators must now wait for an NBTC order before shutting down scam SIM cards.
Previously, operators could immediately disable suspicious SIM boxes upon detection. The revised process has slowed response times, inadvertently giving scammers more room to operate.
Victims Burdened With Legal Battles
Under the current framework, many victims are forced to pursue legal action on their own, the council said. In some cases, they are not even recognised as “consumers,” leaving them without institutional support. Legal fees often range from 10% to 20% of the losses, even after a case is won.
To address this, the council has called for the creation of a central compensation fund and a shared-liability system, ensuring that victims are not left to fight lengthy legal battles alone.
Calls for Faster Takedowns and Automatic Liability
Saree criticised what she described as a “piecemeal approach,” noting that the current 24-hour window for platforms to remove false or fraudulent content is far too slow. Cybercrime can inflict damage within minutes, she said, arguing the response time should be cut to 30 minutes to one hour.
The council’s key demands include:
- An automatic liability system to hold platforms and banks accountable
- A delayed-transfer mechanism to give consumers time to verify transactions
- Shared liability to ensure institutional compensation for victims
She cited Singapore as an example where such measures are already in place and delivering positive results.
Complaint Data Signals a Systemic Failure
Between October 2024 and September 2025, the Consumers Council received 18,687 complaints related to cyber risks. The most common involved:
- SMS messages containing fake links
- Online purchases where goods were never delivered
- Call-centre gangs tricking victims into transferring money
The data, the council said, underscores a stark reality: without rapid enforcement, shared responsibility and pre-transaction safeguards, Thailand’s current system is ill-equipped to counter modern cyber threats—leaving consumers as the weakest link in the digital economy.
