Security Advisory
  • Protect your company from email scams
    19 January 2024

    With more companies moving their operations online, cybercriminals have more opportunities to launch Business Email Compromise (BEC) attacks. These attacks often use current events or themes to make the content of emails seem more plausible, increasing the likelihood of recipients falling prey.

    As businesses are usually the primary targets of BEC attacks, it is important to stay vigilant. If attacked, act swiftly.


    WHAT ARE BUSINESS EMAIL COMPROMISE SCAMS?


    Business Email Compromise (BEC) scams are email-based scams designed to trick you into making fraudulent funds transfers. Recently, these scams have become more advanced, such as by using malware to take control of business email accounts. Here is what a typical BEC scam looks like:

    A legitimate-looking email arrives
    Adam, an F&B business owner, gets an email from his regular supplier, Ben. The email contains Ben’s company logo, website details and messaging format – everything Adam is used to.

    The email informs Adam that Ben’s company has recently opened an account with another bank and Adam must make payment for outstanding invoices to this account. Adam reviews the invoices and makes payment as requested.

    The scam unravels
    A week later, Adam gets an email from Ben asking him to make payment for his outstanding invoices. Upon further clarification, Adam realises that the account he made the payment to does not belong to Ben. In fact, the email he received earlier was not sent by Ben. It was a spoofed email sent by a scammer.



    Stay vigilant
    Scammers can hack into your email account, or anyone else’s, and monitor the email correspondences. At an opportune time, they may send an email (using a spoofed address) to you or your colleagues asking for payment to be made to a bank account that differs from the regular one. Do not be duped into doing so. Make your checks first. Verify, then verify again.

    Not sure what spoofed email addresses look like? Here are some examples:




    PROTECT YOURSELF WITH THESE MEASURES

    Improve employee awareness
    Ensure that your employees are aware of the dangers of BEC scams and urge them to report any suspicious emails – via a clear reporting process – immediately.


    Verify payment details via channels other than email
    Always verify the legitimacy of an email by reaching out to the sender through alternative means, such as a messaging app or phone call.


    Practise good cyber hygiene
    Prevent unauthorised access to your company’s systems and data by using anti-spam and anti-phishing software to block malicious emails.



    STOP. THINK BEFORE YOU ‘ACT’
     
    Stay vigilant and do not respond to any email that asks for your confidential information. If you are unsure, please verify the request. Should you receive any phone calls, SMSes or emails alerting you of transactions that are unfamiliar in your account, please call us immediately. You can also block access to your company’s online banking account instantly via the OCBC Velocity login page or the OCBC Business app.
     
    Add
    Instal security tools like antivirus software to be better protected online.
     
     
    Check
    Look out for potential scam signs by verifying information with trusted sources.
     
     
    Tell
    If you encounter any scams, inform the authorities and let others know promptly.

    Learn more about ACT on the NCPC website.

    If you believe you have fallen prey to a scam, please visit any OCBC branch. Alternatively, call our Business Banking hotline: OCBC website > Contact us. Alternatively, use our Enquiry Assistant at the OCBC website > Banking for businesses > Business Banking > Contact us.This message contains links to third-party websites.

    By accessing any such websites, you agree to our terms of use.

  • Adopting the latest security measures against malware
    6 November 2023

    As part of our ongoing efforts against cybercrime and to protect your online banking experience, we introduced an essential security feature to the OCBC Business app.

    The latest version of the OCBC Business app on Android are built to work more optimally and securely on devices whose mobile apps were all downloaded from the official app stores (e.g. Google Play Store or Huawei AppGallery). Such apps are verified before they are made available for downloading. Apps from other sources (e.g. official brand websites or apps installed using Android Package Kit (APK) files) are not verified. They tend to have more security vulnerabilities and so are more susceptible to malware infection, which can allow cybercriminals to gain control of your device and, subsequently, your banking app(s) and personal details.

    This inherent risk in apps downloaded from sources other than official app stores has been reiterated by Singaporean authorities, who classify malware scams as particularly aggressive and a serious threat to consumers. Despite constant reminders by the authorities of the dangers of downloading these apps, the number of customers falling prey to malware scams has continued to increase.


    When one or more potentially malicious apps are detected

    If you try to access the latest version of the OCBC Business app on a device with one or more apps downloaded from unofficial sources, a message – warning you that one or more of these apps may contain malware – will pop up on the screen. For your security, we recommend that you uninstall such apps before proceeding to use the OCBC Business app. You do not have to delete the OCBC Business app.

    Alternatively, if you prefer to keep these apps after having assessed that they are not malicious and do not pose a malware risk, you may turn off ‘Accessibility’ for these apps before continuing to use the OCBC Business app securely. You can do so via the Settings menu on your device. For example, on Samsung mobile devices with the latest One UI user interface, you can navigate to Settings > Accessibility > Installed Apps*.

    Turning off 'Accessibility' will cut off scammers’ remote access to, or keylogging of, your phone and any access to your bank account(s). However, we do not recommend this option because of the residual risk – cybercriminals may still exploit ‘Accessibility’ services to compromise your devices. The preferred and safer option is to uninstall apps not downloaded from official app stores to completely remove the risk of malware from such apps.

    *The steps to turn off an app’s ‘Accessibility’ may differ by phone model. Please refer to question 7 or check with your device manufacturer.


    When ongoing screen-sharing is detected

    If you try to access the OCBC Business app on a device which screen is being shared, a message – warning you that one or more security risks have been detected – will pop up on the screen. You may proceed to use the OCBC Business app once screen-sharing has stopped.

    If you are not sharing your screen, we recommend that you take one of these precautionary measures to protect your account(s):

    • Access the OCBC Velocity login page via a computer and click on ‘Block my access temporarily’; or
    • Call us at +65 6538 1111 immediately.

    You may refer to our article on malware for more information on protecting yourself.


    FAQs

    1. When I open the OCBC Business app, I see a pop-up message informing me that one or more apps on my device may contain malware. Why?

    As part of our efforts to safeguard our customers against malware attacks, and combat fraud and scams, we have introduced an essential security feature to the OCBC Business app.

    The OCBC Business app will now work more securely on devices whose mobile apps were all downloaded from official app stores. Malware attacks may emerge from apps that are downloaded from websites and other sources (i.e. not official app stores), potentially giving cybercriminals control of your devices.

    When one or more potentially malicious apps are detected

    The pop-up message is meant to inform you that that access to the OCBC Business app will be restricted until you uninstall all apps that were not downloaded from official app stores (this is the preferred option) or turn off ‘Accessibility’ for these apps.

    Here is what the pop-up message looks like:


    When screen-sharing is detected
    The pop-up message is meant to inform you that access to the OCBC Business app will be restricted until screen-sharing has stopped.




    2. Do I have to install the OCBC Business app again when I see one of the pop-up messages?
    You do not have to delete and download, or do anything to the OCBC Business app. Instead, here is what you should do to continue using the app:

    if the pop-up message informs you that one or more apps on your device are from an unofficial app store:

    • Uninstall the apps shown in the message (this is the preferred option) or turn off ‘Accessibility’ for those apps.

    If the pop-up message informs you that your screen is being shared:

    • Ensure that screen-sharing has stopped.

     

    3. Will OCBC know what other apps I have on my device through this security feature?

    We take privacy seriously. We do not monitor customers’ phone activity or conduct surveillance on customers’ phones. The new security feature does not collect or store any personal data; neither will it identify the owner of the device. We do not collect or store information on how our customers use apps installed on their mobile device.

    Instead, an additional security check is simply performed directly at the device level. This means that no information or data will be transmitted back to us. The information collected at the device level is only used to identify if certain security parameters are not met. These parameters include apps residing on a device which were not downloaded from an official app store, and which have ‘Accessibility’ turned on. Apps with ‘Accessibility’ turned on can render your device more vulnerable to exploitation by hackers, scammers and other bad faith actors using malware.

    We apologise for the inconvenience caused and seek your understanding that the security feature was implemented to protect our customers from malware or suspected malicious apps. Please refer to our article on malware for more information on how you can protect yourself.

    4. I want to continue using my OCBC Business app alongside these apps. Is it possible for this control to be removed?

    This security feature was implemented with the intent of protecting our customers from malware and suspected malicious apps. If you wish to continue using your OCBC Business app alongside apps that are downloaded from websites and other sources (i.e. not official app stores), you may turn off ‘Accessibility’ and screen-sharing (if applicable) for such apps.

    Please refer to our article on malware for more information on how you can protect yourself.

    5. I want to continue using my OCBC Business app. What can I do?

    To continue using your OCBC app securely, we recommend that you follow these steps:

      1. Depending on the message that pops up on your screen when you launch your OCBC Business app, uninstall the app(s) shown in the message or ensure that screen-sharing has stopped.
      2. Log in to the OCBC app to ensure that it works.
      3. Once you confirm that the OCBC app works, you can try to download the app(s) you deleted from an official app store (e.g. Google Play Store, Samsung Galaxy Store, Huawei Store).

    Alternatively, you can turn off ‘Accessibility’ for the app(s) via the Settings menu on your device. For example, on Samsung mobile devices with the latest One UI user interface, navigate to Settings > Accessibility > Installed apps*.

    *The steps to turn off an app’s ‘Accessibility’ may differ by phone model. Please refer to question 7 or check with your device manufacturer.

    6. What are 'Accessibility' services and how do criminals exploit them?
    Accessibility services, like text-to-speech and speech recognition, are designed to make technology easier to use. For these services to work, advanced Android system permissions have to be granted to the app requesting them, such as allowing the app to read the text on the device’s screen or record text typed using the device’s keyboard. The latter, for instance, could be used to record your online banking login details.


    7. How do I change the Accessibility settings for the third-party apps that I have downloaded?

    The path to changing Accessibility settings may differ by device manufacturer and operating system.

    Here are the possible paths for some popular phone models. If you continue to face difficulties with changing the Accessibility settings, please check with your device manufacturer.

    Samsung Galaxy A53 5G / Flip 4 / Fold4 / A73 5G / S21 Ultra / A23 5G: Settings > Accessibility > Installed Apps

    Samsung Galaxy S21 5G / Galaxy S10: Settings > Accessibility > Installed Services

    Oppo A78 5G / Reno8 5G: Settings > Additional Settings > Accessibility

    Oppo Find X2 Pro / A17: Settings > System Settings > Accessibility

    Huawei P50 Pro: Settings > Accessibility features > Accessibility > Installed Services

    Huawei Nova 3i / Nova 5T: Settings > Smart Assistance > Accessibility

    Huawei Mate30 & Huawei Y9a: Settings > Accessibility features > Accessibility (Scroll down to Downloaded Services)

    Google Pixel 5 / Pixel 3 XL: Settings > Accessibility

    Redmi Note 10 5G: Settings > Additional Settings > Accessibility > Downloaded Apps

    Poco X5 5G: Settings > Additional Settings > Accessibility > Downloaded Apps


    8. Why are some well-known apps being flagged by the OCBC Business app?

    This security feature flags apps that have been downloaded from sources other than official app stores. You may have downloaded them from websites or other sources. If you need to continue using these apps, we advise you to first uninstall them. After taking the steps listed in question 5, you can then download and install the most up-to-date version of the app(s) from an official app store (this is the preferred option).

    Alternatively, if you prefer to keep these apps after having assessed that they are not malicious and do not pose a malware risk, you will be given the option to continue using the OCBC Business app after turning off ‘Accessibility’ for these apps – via the Settings menu on your device (e.g. on Samsung mobile devices with the latest One UI user interface, you can navigate to Settings > Accessibility > Installed Apps). This step will help to prevent your device – and OCBC account(s) – from being controlled by cybercriminals looking to exploit potential vulnerabilities in these apps (because ‘Accessibility’ is turned on).

    We apologise for the inconvenience caused. The security feature was implemented to protect our customers from malware or suspected malicious apps. Should you require further assistance, please provide more information to us via our enquiry form.

    9. Where can I read more about how malware may infect my mobile device?
    You may refer to the joint advisory issued by the Singapore Police Force and Cyber Security Agency on how malware may infect your mobile device through the downloading of apps that are not found on official app stores.


    10. What are the official app stores?

    The list includes:

    • Google Play Store
    • Samsung Galaxy Store
    • Huawei AppGallery
    • Xiaomi MI App Store
    • Amazon appstore
    • Vivo V-Appstore
    • Oppo App Market
  • Sounds too good to be true? It could be a scam
    23 October 2023

    Came across an advertisement that offered an unbelievably good deal? Did a job offer – promising lucrative commissions – suddenly fall into your lap? If something sounds too good to be true, it likely is.

    Learn to identify the tricks used by scammers. Join us and the National Crime Prevention Council (NCPC) to ACT Against Scams by remembering three simple steps: Add, Check, Tell.


    COMMON THREATS

    Here are two types of scams that aim to expose your vulnerabilities: 


    Investment scams

    How scammers may approach you:

    Individuals claiming to represent stockbrokers, banks or financial companies may approach you with unsolicited investment opportunities. They may promise quick money and/or extraordinary returns at little to no risk. Such scammers often offer time-limited deals and gifts, or rebates, to pressure you into acting quickly. They may – in attempts to persuade you to invest in their bogus opportunities – repeatedly send you messages via social media or messaging apps.

    Watch out for these tactics:

    • If you express interest in the investment, the scammer will ask you to give them your business and personal information/bank account details, and/or install an "investment" app. They will claim that you need to do so to open an investment account.
    • You may be asked to visit professional-looking websites – complete with fake client testimonials and case studies used to support the scammer’s false claims.
    • The scammer may ask you to send money to a non-business account, supposedly to pay an ‘initial fee’ and for the investment. Later, when you try to withdraw your returns or initial investment amount, you may realise that the scammer has disappeared with your money.

    Job scams

    How scammers may approach you:

    Scammers may approach you with unsolicited offers that promise low-effort, high-paying jobs; or ‘guaranteed’ ways of generating fast income. If you do express interest, they will try to get you to hand over your money, business and personal information and/or bank account details, which they then use to commit fraud and theft.

    Watch out for these tactics:

    • You receive, via messaging apps, unsolicited messages offering part-time job opportunities from seemingly legitimate companies or recruiters. These messages are typically poorly written or sent from an unknown or unverifiable number.
    • You are added to a group chat where multiple people – possibly the scammer(s) using multiple accounts – share fake testimonials to drum up interest in the job opportunity.
    • You are directed to a website/app and asked to enter your personal information/banking details to access a job opportunity. Any details you enter may be stolen to commit fraud.
    • Scammers may offer you a commission for performing simple tasks – reviewing restaurants or completing simple surveys, for example – through messaging platforms like WhatsApp or Telegram. To gain your trust, they may initially pay you a small commission for each task you do. However, they will eventually ask you send them increasingly large sums of money to continue accessing the tasks. They will then vanish with the cash.

    Learn more about job scams.


    ‘CHECK’ WITH OCBC AND NCPC

    Adopt these security measures to safeguard your online experience:

    Only download apps from official stores like the App Store (for iOS) or Google Play Store (for Android) and review the permissions that are requested. Make sure they are genuinely necessary.

    Keep your devices with Internet access secure and up to date by enabling automatic updates and installing anti-virus software.

    Always check that the websites you browse are official ones. Do not let your web browser or devices store your login credentials.

    Conduct your investment dealings exclusively with companies licensed by the Monetary Authority of Singapore (MAS). Always do a thorough check on companies and their representatives using resources such as the Financial Institutions Directory, Register of Representatives or Investor Alert List (available on the MAS website). If a company is based outside of Singapore, check if it is licensed with the relevant overseas authority.

    Enable biometric authentication for your devices and apps (where available) and two-factor authentication (2FA) for any online accounts you have.

    Do not transfer money to or agree to receive money from people you do not know. Be responsible for all transactions made under your account(s) and do not let third parties use your account(s) to make transactions.

    STAY ALERT

    Quickly detect and respond to fraudulent activities. To get timely notifications related to your account(s) and banking activities, ensure your mobile number and email address in our records are up to date.

    ALWAYS REMEMBER TO ‘ACT’

    Organised by the NCPC, the ACT Against Scams campaign aims to educate the public on how to prevent, spot and stop scams.

    ADD
    Instal security tools like antivirus software to be better protected online.

    CHECK
    Look out for potential scam signs by verifying information with trusted sources.

    TELL
    If you encounter any scams, inform the authorities and let others know promptly.

    Learn more about ACT on the NCPC website.

    If you believe you have fallen prey to a scam, please visit any OCBC branch. Alternatively, call our Business Banking hotline: OCBC website > Contact us. Alternatively, use our Enquiry Assistant at the OCBC website > Banking for businesses > Business Banking > Contact us.This message contains links to third-party websites.

    By accessing any such websites, you agree to our terms of use.

  • Be alert to scams that use fear tactics

    11 July 2023

    Is someone telling you that, to avoid serious consequences, you must reveal your banking details or sensitive information? Creating a sense of fear and urgency like this is a common tactic used by scammers to make it harder for their targets to think critically and take precautions.

    Be wary – even if the caller claims to be from a government agency or a reputable business.

    Learn how to spot such fear tactics. Join us and the National Crime Prevention Council (NCPC) to ACT Against Scams by remembering three simple steps: Add, Check, Tell.


    COMMON THREATS

    In our previous security advisory, we learnt how to ACT against the dangers of malware, phishing and impersonation scams. Now, let us learn about:


    Government official impersonation scams


    How scammers may approach you:

    Scammers might contact you claiming to be government officers investigating an alleged offence you have committed in Singapore or overseas. To gain your trust, they may even use a real officer’s name. Their aim in leveraging the authority and reputation of the officer is to stop you from questioning their demands.

    Watch out for these tactics:

    • Using the threat of legal action or arrest, they will try to manipulate you into revealing personal details. They may claim that they need such details before they can tell you more about the (fake) investigation that they are conducting.
    • They may also ask you to visit websites that would, under the guise of ‘verifying your identity’, prompt you to scan a Singpass QR code or enter your online banking details. Your details would then be stolen and used for fraudulent activities.

      Learn more about Impersonation Scams.


    Tech support scams

    How scammers may approach you:

    Impersonating employees from legitimate companies, scammers may call you – or scare you into calling them with website pop-ups made to look like warnings from your device or anti-virus software.

    They often claim that there is a software, online account or Wi-Fi issue that requires your immediate attention. Their goal? To create anxiety so that you will act hastily without confirming the legitimacy of their claims.

    Watch out for these tactics:

    • They may threaten to suspend your account unless you provide them with sensitive information or make an immediate payment to ‘fix’ the issue.
    • They may ask you to share personal and banking details via a spoofed website/email address made to look like it belongs to a legitimate company or government agency.
    • Others may claim that your device or Wi-Fi network has been hacked and/or fraudulent transactions were made in your name. Under the guise of diagnosing the issue, they may ask you to download a remote access application (which would give them access to your device) and have you log in to your online banking account or share sensitive information (e.g. card details or One-Time Passwords).

    Learn more about other common threats.


    ‘ADD’ WITH OCBC AND NCPC

    Adopt these security measures to safeguard your online experience:

    Be very wary of messages containing links or attachments that prompt downloads. Only download apps from the App Store (for iOS) or Google Play Store (for Android).

    Download the ScamShield app by NCPC. ScamShield can block scam calls and detect scam SMSes.

    Instal anti-virus software and malware removal tools on your phone, computer and other devices with Internet access; and enable automatic updates. Look for software with features that help identify and block fraudulent pop-up ads. When installing apps, review the permissions that are requested to ensure they are necessary.

    Enable biometric authentication for your devices and apps (where available) and two-factor authentication (2FA) for any online accounts you have.

    Enable OCBC OneToken so you can log in to your online banking account and authorise transactions securely.

    Opt for e-Statements to closely keep track of all your transactions via OCBC Velocity or the OCBC Business App.

     

    STAY ALERT

    Quickly detect and respond to fraudulent activities. To get timely notifications related to your account(s) and banking activities, ensure your mobile number and email address in our records are up to date.


    ALWAYS REMEMBER TO ‘ACT’

    Organised by the NCPC, the ACT Against Scams campaign aims to educate the public on how to prevent, spot and stop scams.

    ADD
    Instal security tools like antivirus software to be better protected online.

    CHECK
    Look out for potential scam signs by verifying information with trusted sources.

    TELL
    If you encounter any scams, inform the authorities and let others know promptly.

    Learn more about ACT on the NCPC website.

    If you believe you have fallen prey to such scams or that your OCBC account details/funds may be, or may have been, compromised, please call us at +65 6538 1111

    You may also stop your ID from being used to access your account:

    • Via OCBC Velocity: Go to the OCBC Velocity login page > Click ‘Block my access temporarily’.
    • Via the OCBC Business app: Open the app > More > Block Access > Enter your Org ID, User ID and Password > Block Access.
    As scams constantly evolve, please stay vigilant at all times.

    This message contains a URL that redirects to a third-party website. By accessing any such websites, you agree to our terms of use which you can find at OCBC website > Conditions of Access.

  • ACT against scams to keep your business safe
    15 May 2023

    Safeguard your business’ finances 

    Last year saw a spike in the number of scams reported in Singapore. Millions of dollars have been lost – young adults are especially affected by job and e-commerce scams while seniors increasingly fall victim to fake friend, investment and phishing scams.

    So how can you avoid falling prey to scams?

    Join us and the National Crime Prevention Council (NCPC) to ACT against scams.
    By remembering the three simple steps of ‘Add, Check, Tell’, you can protect yourself and your business.

    WHAT IS ACT?

    Organised by the NCPC, the ACT Against Scams campaign aims to educate the public on how to prevent, spot and stop scams.

    Add
    Install security tools (e.g. antivirus software) on your devices and adopt security features (e.g. biometric authentication) that protect you online

    Check
    Be vigilant and on the lookout for signs of scams. Always check with trusted sources to verify if the information you receive or are asked to share is true

    Tell
    If you encounter a scam, inform the authorities, your bank and your staff/colleagues at once



    Learn more about ACT on the NCPC website.
    Read about how we can all “ACT Against Scams” in the Scaminar 2023 keynote address delivered by Ms Sun Xueling the Ministry of Home Affairs.

    COMMON THREATS

    Be better prepared to ACT by learning more about the following threats:

    Phishing scams

    Scammers may pretend to be from a legitimate organisation and approach you via email or SMS, or on social media. They often offer fake benefits or rewards, or use fear tactics (e.g. demanding immediate action to resolve a fictitious urgent issue), to trick you into disclosing confidential information (e.g. NRIC number, card details, or online banking or Singpass credentials).

    Malware

    Cybercriminals may use malware, a type of malicious software, to infect your devices. They may then steal confidential data, take control over the compromised device and data remotely, and spy on your online activities.

    Impersonation scams

    Impersonators may contact you, claiming to be a member of a legitimate business, bank or the government. They may use fear tactics to get you to reveal personal details, which they will then use to commit fraud.


    Learn about the above and other common threats.


    ‘ADD’ WITH OCBC

    Use the following security measures by OCBC to safeguard your banking experience.

    Enable e-alerts to get timely notifications related to your account(s) and banking activities.

    Opt for e-Statements to closely keep track of all your transactions via OCBC Velocity or the OCBC Business app.


    For an extra layer of protection, download the ScamShield app by the NCPC to block scam calls and detect scam SMSes.

    Find out how to make use of these features and the other solutions OCBC has designed to safeguard your banking experience: go.ocbc.com/security


    This message contains links to third-party websites. By accessing any such websites, you agree to our terms of use

  • Security advisory: Protect yourself against malware

    17 Feb 2023

    Look out – especially if you have an Android device.

    New variants of Android malware (‘malicious software’) allow scammers to control your device remotely or steal sensitive information like login credentials or card details. This means that scammers can log in to your account and make fraudulent transactions or transfers without your knowledge.

    Android malware may be found in apps available in the Google Play Store. They could also be disguised as ‘helpful apps’ in Android Package Kit (APK) files that you may be tricked into downloading. By downloading them or giving access to certain functions, you may unwittingly allow scammers to take control of your device.

    Here is how you can protect yourself against malware:

    • Only download apps from the App Store (for iOS) or Google Play Store (for Android).

    • Do not download apps (e.g. email attachments, pop-up advertisements or links coming from unsolicited emails, messages or social media posts) without verifying the authenticity and source.

    • When installing apps, review the permissions that are requested. Make sure they are genuinely necessary. Asked to download additional apps? Be very wary.

    • Instal anti-virus software and malware removal tools on phones, computers and devices with Internet access.

    • Always get the latest versions of your devices’ operating systems and applications – the latest security patches will address security vulnerabilities. Enable automatic updates so your devices are protected.

    • Check transaction details carefully and read the notifications we send you. Notify us immediately if you receive alerts for transactions you did not make.

    If you believe you have fallen prey to a scam, please call us at +65 6538 1111

    You may also stop your ID from being used to access your account:

    • Via OCBC Velocity: Go to the OCBC Velocity login page > Click ‘Block my access temporarily’.

    • Via the OCBC Business app: Open the app > More > Block Access > Enter your Org ID, User ID and Password > Block Access.

    As scams constantly evolve, please stay vigilant at all times.

  • Scam alert: Fake OCBC Velocity websites

    18 March 2022

    Scammers may use fraudulent links that direct you to fake websites resembling OCBC Velocity’s login page in order to steal login credentials.



    These fake websites will prompt you to enter login credentials such as your Organisation ID, User ID, Password or One Time Password (OTP). The scammers can then make fraudulent transfers using your account(s). To prevent such unauthorised activity, never key in such details into unverified websites.

    We urge you to stay vigilant and take necessary precautions.

    How to protect yourself:

    • Verify the authenticity of the website you are accessing
    • Always type the official OCBC Velocity login URL (https://velocity.ocbc.com) directly into the address bar
    • Do not divulge your login credentials to anyone or any organisation, or enter such confidential information into unverified webpages
    • Do not click on any links provided in suspicious SMSes
    • Be cautious of scanning unknown QR codes when making payments or transactions in unsecure or unfamiliar environments


    Please call us immediately at +65 6538 1111 if you:

    • Receive SMS transaction alerts or email notifications for transactions or activities you did not initiate or perform
    • Lose your security device or security details – or suspect these have been compromised in any way.
  • I have received a call from OCBC. How can I verify that the caller is from OCBC and contacting me for legitimate purposes?

    Verify the person’s identity and ask about the purpose of the call. You may want to take down the number and request the full name and department of the person calling. The caller’s email should also be “xxx@ocbc.com”. If in doubt, call us at +65 6538 1111 for further assistance.

    Be vigilant and protect yourself from scams. Beware of such calls or messages from persons impersonating as employees from OCBC.

    Do adopt the following measures to prevent your bank account from being compromised:

    • NEVER disclose your online banking login details such as your Organisation ID, User ID, PIN, or OTPs to anyone. OCBC Bank employees will never request your PIN and/or OTP.
    • DO NOT respond to or authorise any authentication requests (through your OneToken or hardware token) if you did not initiate any online banking transaction.
    • If you receive a suspicious message or call purporting to be from OCBC Bank, do not call the number provided in the SMS or by the caller. Instead, call us back at +65 6538 1111 to verify the authenticity of the request.
  • How can I ensure that my OCBC Velocity User ID is not compromised?
    • DO NOT click on any links provided in suspicious emails or SMSes.
    • NEVER divulge banking credentials or one-time passwords to anyone or any organisation, or key such confidential information into unverified webpages.
    • If you have an employee leaving the organisation, make sure you submit the request to us to remove the user from OCBC Velocity. While waiting for the request to be processed, you may also take these precautions:
      1. Block his/her access via the “Block my access temporarily” hyperlink on the OCBC Velocity login page. You will need to enter his/her OCBC Velocity login credentials.
      2. Delete the OCBC Business app from their devices
    • Look out for notifications from OCBC either via SMS or email notifying you of major changes or transactions. Notify the bank immediately at +65 6538 1111 if these are not valid actions initiated by you.
  • How can I minimise my risk from phishing scams as an OCBC Velocity User?
    • DO NOT click on any links provided in suspicious emails or SMSes.
    • NEVER divulge banking credentials or one-time passwords to anyone or any organisation, or key such confidential information into unverified webpages.
    • Look out for notifications from OCBC either via SMS or email notifying you of major changes or transactions. Notify the bank immediately at +65 6538 1111 if these are not valid actions initiated by you.
  • I have received an SMS which contains an OCBC hotline number. How do I know if this is legitimate?

    Beware of SMS scams which may direct you to call a fake hotline.

    DO NOT call any numbers within SMSes or click on any links in SMSes.

    When in doubt, call us at our official OCBC Business Banking hotline number at +65 6538 1111.

  • What should I do if I receive an email or SMS notification from OCBC informing me that my OneToken has been activated when I have not applied for a new one?

    This could be a situation where your OCBC Velocity ID/Password has been compromised.

    We recommend that you block your own ID access via the following methods:

    • Click on the “Block my access temporarily” hyperlink on the OCBC Velocity login page, and submit a request to delete and re-apply for a new user ID.
    • Open your OCBC Business app and tap on “More”, followed by “Block Access”. Then, key in your Org ID, User ID, and Password before tapping on “Block Access”.

    Alternatively, you may call us at +65 6538 1111 for further assistance.

  • If the SMS is not legitimate, why did it appear under the OCBC SMS thread?

    Scammers are using technology to spoof the SMS sender name as “OCBC”. When the spoofed SMS is received on the user’s mobile phone, the spoofed SMS with the name “OCBC” will appear in the same SMS conversation thread with OCBC.

    These messages usually come with a phishing URL link to obtain your details on a lookalike OCBC login page. It is therefore important to stay vigilant against phishing scams.

    Do not click on such phishing SMS links. The links will lead you to a fake website controlled by the scammers. You should always type URLs directly into the address bar of the browser or log in via the official OCBC Business app. Never key in your login credentials through the phishing URL links in the SMSes.

  • How does the scammer know that I have an account with OCBC? Has the bank’s system been compromised?

    Scammers are sending mass phishing SMSes and emails, not knowing if the recipients are OCBC customers or not. Should you click on the link and provide your login credentials, they will then know that you have an account with OCBC. It is therefore important to stay vigilant against such phishing scams. Do not click on any phishing SMS links.

    We wish to assure you that our banking systems remain secure and have not been compromised.

  • Did the OCBC system get hacked? Are you sure that your system has not been hacked?

    We wish to assure you that our banking systems remain secure and have not been compromised.

  • With so many SMSes sent by scammers, how can I differentiate them from legitimate SMSes by OCBC?

    We will not send you any message asking you to click on any links to verify or validate certain transaction information. When in doubt, please call us at +65 6538 1111.

    We wish to assure you that our banking systems remain secure and have not been compromised.

  • What should I do if I suspect my OCBC Velocity User login credentials have been compromised?

    You can log in to OCBC Velocity and change your password immediately.

    You may also block your own ID access via the following methods:

    • Click on the “Block my access temporarily” hyperlink on the OCBC Velocity login page, and submit a request to delete and re-apply for a new user ID.
    • Open your OCBC Business app and tap on “More”, followed by “Block Access”. Then, key in your Org ID, User ID, and Password before tapping on “Block Access”.

    Alternatively, call us at +65 6538 1111 for further assistance.

    To reactivate your account, please submit a request form. Simply visit the OCBC Business Banking website and click on Help & Support (top of webpage) > Banking forms > Apply & Manage OCBC Velocity.

  • What should I do if I lose my mobile phone?

    You can activate OneToken on another mobile device, and this will automatically deactivate OneToken on your previous device. Simply download the OCBC Business app on your new device. Then log in with your OCBC Velocity credentials and follow the steps shown in the “Lost/Changed Phone” hyperlink.

    You may also block your own ID access via the following methods:

    • Click on the “Block my access temporarily” hyperlink on the OCBC Velocity login page, and submit a request to delete and re-apply for a new user ID.
    • Open your OCBC Business app and tap on “More”, followed by “Block Access”. Then, key in your Org ID, User ID, and Password before tapping on “Block Access”.

    Alternatively, call us at +65 6538 1111 for further assistance.

    To reactivate your account, please submit a request form. Simply visit the OCBC Business Banking website and click on Help & Support (top of webpage) > Banking forms > Apply & Manage OCBC Velocity.

  • My customer did not log in to OCBC Velocity but received a push notification from our app on 2FA login. What precautions can we advise the customer to take?

    This could be a situation where your OCBC Velocity ID/Password might be compromised.

    We recommend that you log in to OCBC Velocity and change your password immediately, as well as call us at +65 6538 1111 to report the suspicious login. We will investigate the case for any abnormality.

    You may also block your own ID access via the following methods:

    • Click on the “Block my access temporarily” hyperlink on the OCBC Velocity login page, and submit a request to delete and re-apply for a new user ID.
    • Open your OCBC Business app and tap on “More”, followed by “Block Access”. Then, key in your Org ID, User ID, and Password before tapping on “Block Access”.
  • I would like to switch from OneToken to a hardware token. How do I do so?

    The standard process for the request of hardware token applies.

    While customers are given a choice to choose between OneToken or a hardware token, we encourage customers to apply for OneToken, given the following benefits:

    • The processing time taken to equip you with OneToken is shorter.
    • It is simpler and more convenient as OneToken is installed on your mobile phone.

    If you need further assistance, please call us at +65 6538 1111.

  • What should I do if I lose my hardware token?

    We recommend that you block your own access via the following methods:

    • Click on the “Block my access temporarily” hyperlink on the OCBC Velocity login page, and submit a request to delete and re-apply for a new user ID.
    • Open your OCBC Business app and tap on “More”, followed by “Block Access”. Then, key in your Org ID, User ID, and Password before tapping on “Block Access”.

    When applying for a new token, you may want to consider switching to OneToken, given the following benefits:

    • The processing time taken to equip you with OneToken is shorter.
    • It is simpler and more convenient as OneToken is installed on your mobile phone.

    To request a new token, please submit a request form. Simply visit the OCBC Business Banking website and click on Help & Support (top of webpage) > Banking forms > Apply & Manage OCBC Velocity.

    If you need further assistance, please call us at +65 6538 1111.

  • What should I do if I suspect that my mobile phone has been hacked?

    This could be a situation where your OCBC Velocity ID/Password might be compromised. We recommend that you block your own access via the following methods:

    • Click on the “Block my access temporarily” hyperlink on the OCBC Velocity login page, and submit a request to delete and re-apply for a new user ID.
    • Open your OCBC Business app and tap on “More”, followed by “Block Access”. Then, key in your Org ID, User ID, and Password before tapping on “Block Access”.

    Alternatively, you can call us at +65 6538 1111 for further assistance.

    To reactivate your account, please submit a request form. Simply visit the OCBC Business Banking website and click on Help & Support (top of webpage) > Banking forms > Apply & Manage OCBC Velocity. 

  • What measures have the Bank implemented to prevent scams and phishing attacks?

    The Bank is diligently monitoring and taking down phishing sites 24/7.

    To better safeguard your interests, we have rolled out the following measures:

    • Increase the soft token provision cooling period to 12 hours before the user can log in again.
    • Remove all links in SMSes.
  • What should I do if I discover a fraudulent transaction in my account?

    Please call us immediately at +65 6538 1111.

    We recommend that you also block your own ID access via the following methods:

    • Click on the “Block my access temporarily” hyperlink on the OCBC Velocity login page, and submit a request to delete and re-apply for a new user ID.
    • Open your OCBC Business app and tap on “More”, followed by “Block Access”. Then, key in your Org ID, User ID, and Password before tapping on “Block Access”.