It can take years and years to save up money, but a simple five-minute procedure can completely erase everything that has been accumulated. For some Oversea-Chinese Banking Corporation (OCBC) users, a simple click on a link sent by scammers pretending to be the bank resulted in the loss of a gargantuan sum of money. Anyone using OCBC (and maybe even other banks) is a possible target, so here is everything you need to know about the phishing incident.
At the end of 2021, the Singapore Police Force (SPF) reported that at least 469 people had fallen prey to phishing scams involving SMSs impersonating OCBC Bank since 1 December.
The impersonators would send an SMS to the victims, claiming that there were problems with their bank account and asking the victims to click on a link. The link then redirected victims to a fake bank website where they would have to key in their online banking account login details.
Now you might be wondering why the victims were so gullible to click on a link that would have made most go sus. Well, in this case, the scammers cloned a legitimate sender ID which was OCBC, allowing their phishing SMSs to appear in the same thread as legitimate messages from the bank.
For those lucky enough to not have received the SMS personally, here is an example:
$8.5 Million Lost in December 2021
As a result of the SMSs looking quite legit, many submitted their account information to these fake websites and a grand total of S$8.5 million was lost in just December alone.
In a media advisory, OCBC stated that between 8 December and 17 December, 26 customers reported a loss of about S$140,000 to phishing scams.
During the Christmas season, the phishing attacks became more vicious and OCBC saw a rise in the number of customers who became victims of the scammers with a total of 186 customers affected from 24 December to 26 December. The amount lost? US$2.7 million. Yikes.
OCBC Stepped Up Measures to Alert Users
After the bank detected the scam in early December last year, it had issued multiple alerts and warnings to customers through various mediums. This included security alerts and advisories on its website, internet and mobile banking log-in pages through customer e-mails, as well as through its own social media channels.
This also included two media advisories on 23 December and 30 December as well as SMS messages to all customers on 30 December last year and 4 January this year.
On top of all that, the bank said in its statement that it had also proactively reached out to customers who might not be aware that their banking activities were susceptible to the scam. This had helped to prevent more customers from falling prey to the scam.
Mother of Seven Lost $100k
Unfortunately, the measures did not reach some in time. For Siti Raudhah Mohd Ali, a mother of seven and wife of an educator, $100,000 was lost in just a few minutes on 28 December 2021. In a letter to The Straits Times’ Forum, she said “I received an SMS which looked very much like the other ones I have received from the OCBC SMS system.”
She did not act on it immediately but later reread the message and became anxious about the account being suspended. Hence she did not think further and keyed in her username, password and other relevant details.
“A few moments later, I received a notification stating that my transfer limit had been increased to $100,000. When I noticed that, I immediately called OCBC as I had not approved this,” she said.
However, she had to navigate an automated system for a long time before reaching a person. By that time, money had already been transferred out of her savings accounts and six of her children’s savings accounts.
Other Victims Lost Life Savings
Another OCBC user, John Paul Tan, took to Facebook to share that his wife clicked on a link in the message seemingly from OCBC, claiming that someone was trying to access her account. However, he soon realised later in the day that five overseas transactions were made which wiped out his life savings.
Others who have fallen prey to the scam include a young couple who lost $120,000 and a father of a young child with special needs who lost $250,000.
Difficult to Retrieve the Money Lost
Despite making police reports and calling OCBC, the victims were told that they are unlikely to have the funds returned to them as the money was gone and the chances of it being retrieved were “slim”. Others also said that the money would most likely not come back as it was their mistake for clicking on the link.
OCBC Giving “goodwill payouts” to Victims
After all the hullabaloo, OCBC announced on 17 January that it has started reimbursing customers who were affected by the SMS phishing scam.
Over 30 customers have already received “goodwill payouts” since the bank began giving them out on 8 January, while the validation process is still ongoing for the others affected by the scam.
“The payouts to this group of customers are made on a goodwill basis after thorough verification, taking into account the circumstances of each case,” the bank also added.
The bank stated that it has set up a dedicated team to support the victims and added that “as the investigations into these cases are complex and extensive involving multiple checks and parties, the bank needed more time to get back to affected customers to address their concerns.”
MAS to Take Action Against OCBC
In light of the phishing incident, the Monetary Authority of Singapore (MAS) has also entered the limelight. Its deputy managing director, Ho Hern Shin, said in a statement, “MAS takes a serious view of the recent phishing scams involving OCBC Bank. They have significantly impacted several customers.”
MAS said OCBC will conduct a thorough probe to identify deficiencies in its processes and implement necessary measures, after which “MAS will consider appropriate supervisory actions”.
Ms Ho said “MAS expects all financial institutions to have robust measures for fraud prevention, detection, and remediation, and to provide prompt assistance to customers who have been victims of scams.”
Who Is To Blame?
In this ping-pong game of who takes the blame, we now have the victims going up against the bank. One victim said, “how can the blame be pinned entirely on me when OCBC’s scam prevention measures are poorly equipped to urgently deal with a case as it is happening?”
However, it is difficult for the bank to ensure all its users do not encounter such scams. As such, it is also the individual’s responsibility to ensure that they remain vigilant when assessing dubious links.
How to Protect Yourself
Lest you end up on our page as a news report for being a victim of this scam, here are some ways to protect yourself and your money:
- Never click on links provided in suspicious e-mails and SMSes
- Always type the Bank’s URL directly into the address bar of a web browser or use the Bank’s official mobile banking app
- Do not divulge confidential information (e.g. your banking login credentials or OTPs) to anyone, or key in your banking login credentials into unverified webpages.
- Do not transfer money to people you do not know. When in doubt, get advice from a family member or friend.
- Customers can download the ScamShield app – a mobile app by the authorities in Singapore that blocks unsolicited messages and calls (only available on iOS devices, sorry Android users)
OCBC maintains that it will never send customers an SMS to inform them of an account closure or that they have been locked out of their accounts temporarily. It will also never send an SMS to customers with a link to reactivate their accounts.
So stay safe out there and in the wise words of your parents, don’t talk to strangers. Or in this case, don’t give them your bank account information.
Since you are still here, why not check out the anti-scam videos we made with the SPF:
- Winner of 2.4km Pocari Sweat Run to Donate 400 of His 700 Packets of Chicken Rice That He Won
- New Study Shows People Who Wear Medical Masks Will Make Them More Attractive to Others
- Concise Guide to The Opening Hours of Supermarket Chains During CNY2022
Featured Image: footageclips/ shutterstock.com + SPF