Security Advisory | OCBC Online Banking | OCBC Business Banking Singapore
Security Advisory
  • Scam alert: Fake OCBC Velocity websites

    18 March 2022

    Scammers may use fraudulent links that direct you to fake websites resembling OCBC Velocity’s login page in order to steal login credentials.



    These fake websites will prompt you to enter login credentials such as your Organisation ID, User ID, Password or One Time Password (OTP). The scammers can then make fraudulent transfers using your account(s). To prevent such unauthorised activity, never key such details into unverified websites.

    We urge you to stay vigilant and take necessary precautions.

    How to protect yourself:

    • Verify the authenticity of the website you are accessing
    • Always type the official OCBC Velocity login URL (https://velocity.ocbc.com) directly into the address bar
    • Do not divulge your login credentials to anyone or any organisation, or enter such confidential information into unverified webpages
    • Do not click on any links provided in suspicious SMSes
    • Be cautious about scanning unknown QR codes when making payments or transactions in unsecured or unfamiliar environments


    Please call us immediately at +65 6538 1111 if you:

    • Receive SMS transaction alerts or email notifications for transactions or activities you did not initiate or perform
    • Lose your security device or security details – or suspect these have been compromised in any way.
  • I have received a call from OCBC. How can I verify that the caller is from OCBC and contacting me for legitimate purposes?

    Verify the person’s identity and ask about the purpose of the call. You may want to take down the number and request the full name and department of the person calling. The caller’s email address should also be in the form “xxx@ocbc.com”. If in doubt, call us at +65 6538 1111 for further assistance.

    Be vigilant and protect yourself from scams. Beware of calls or messages from persons impersonating OCBC employees.

    Do adopt the following measures to prevent your bank account from being compromised:

    • NEVER disclose your online banking login details such as your Organisation ID, User ID, PIN, or OTPs to anyone. OCBC Bank employees will never request your PIN and/or OTP.
    • DO NOT respond to or authorise any authentication requests (through your OneToken or hardware token) if you did not initiate any online banking transaction.
    • If you receive a suspicious message or call purporting to be from OCBC Bank, do not call the number provided in the SMS or by the caller. Instead, call us back at +65 6538 1111 to verify the authenticity of the request.
  • How can I ensure that my OCBC Velocity User ID is not compromised?
    • DO NOT click on any links provided in suspicious emails or SMSes.
    • NEVER divulge banking credentials or one-time passwords to anyone or any organisation, or key such confidential information into unverified webpages.
    • If you have an employee leaving the organisation, make sure you submit the request to us to remove the user from OCBC Velocity. While waiting for the request to be processed, you may also take these precautions:
      1. Block his/her access via the “Block my access temporarily” hyperlink on the OCBC Velocity login page. You will need to enter his/her OCBC Velocity login credentials.
      2. Delete the OCBC Business app from his/her devices.
    • Look out for notifications from OCBC either via SMS or email notifying you of major changes or transactions. Notify the bank immediately at +65 6538 1111 if these are not valid actions initiated by you.
  • How can I minimise my risk from phishing scams as an OCBC Velocity User?
    • DO NOT click on any links provided in suspicious emails or SMSes.
    • NEVER divulge banking credentials or one-time passwords to anyone or any organisation, or key such confidential information into unverified webpages.
    • Look out for notifications from OCBC either via SMS or email notifying you of major changes or transactions. Notify the bank immediately at +65 6538 1111 if these are not valid actions initiated by you.
  • I have received an SMS which contains an OCBC hotline number. How do I know if this is legitimate?

    Beware of SMS scams which may direct you to call a fake hotline.

    DO NOT call any numbers within SMSes or click on any links in SMSes.

    When in doubt, call us at our official OCBC Business Banking hotline number at +65 6538 1111.

  • What should I do if I receive an email or SMS notification from OCBC informing me that my OneToken has been activated when I have not applied for a new one?

    This could be a situation where your OCBC Velocity ID/Password has been compromised.

    We recommend that you block your own ID access via the following methods:

    • Click on the “Block my access temporarily” hyperlink on the OCBC Velocity login page, and submit a request to delete and re-apply for a new user ID.
    • Open your OCBC Business app and tap on “More”, followed by “Block Access”. Then, key in your Org ID, User ID, and Password before tapping on “Block Access”.

    Alternatively, you may call us at +65 6538 1111 for further assistance.

  • If the SMS is not legitimate, why did it appear under the OCBC SMS thread?

    Scammers are using technology to spoof the SMS sender name as “OCBC”. When a spoofed SMS carrying the sender name “OCBC” is received on your mobile phone, it appears in the same SMS conversation thread as genuine messages from OCBC.

    These messages usually carry a phishing link that leads to a lookalike OCBC login page designed to obtain your details. It is therefore important to stay vigilant against phishing scams.

    Do not click on such phishing SMS links. The links will lead you to a fake website controlled by the scammers. You should always type URLs directly into the address bar of the browser or log in via the official OCBC Business app. Never key in your login credentials on pages reached through links in SMSes.

  • How does the scammer know that I have an account with OCBC? Has the bank’s system been compromised?

    Scammers send phishing SMSes and emails in bulk, without knowing whether the recipients are OCBC customers. Should you click on the link and provide your login credentials, they will then know that you have an account with OCBC. It is therefore important to stay vigilant against such phishing scams. Do not click on any phishing SMS links.

    We wish to assure you that our banking systems remain secure and have not been compromised.

  • Did the OCBC system get hacked? Are you sure that your system has not been hacked?

    We wish to assure you that our banking systems remain secure and have not been compromised.

  • With so many SMSes sent by scammers, how can I differentiate them from legitimate SMSes by OCBC?

    We will not send you any message asking you to click on any links to verify or validate certain transaction information. When in doubt, please call us at +65 6538 1111.

    We wish to assure you that our banking systems remain secure and have not been compromised.

  • What should I do if I suspect my OCBC Velocity User login credentials have been compromised?

    You can log in to OCBC Velocity and change your password immediately.

    You may also block your own ID access via the following methods:

    • Click on the “Block my access temporarily” hyperlink on the OCBC Velocity login page, and submit a request to delete and re-apply for a new user ID.
    • Open your OCBC Business app and tap on “More”, followed by “Block Access”. Then, key in your Org ID, User ID, and Password before tapping on “Block Access”.

    Alternatively, call us at +65 6538 1111 for further assistance.

    To reactivate your account, please submit a request form. Simply visit the OCBC Business Banking website and click on Help & Support (top of webpage) > Banking forms > Apply & Manage OCBC Velocity.

  • What should I do if I lose my mobile phone?

    You can activate OneToken on another mobile device, and this will automatically deactivate OneToken on your previous device. Simply download the OCBC Business app on your new device. Then log in with your OCBC Velocity credentials and follow the steps shown in the “Lost/Changed Phone” hyperlink.

    You may also block your own ID access via the following methods:

    • Click on the “Block my access temporarily” hyperlink on the OCBC Velocity login page, and submit a request to delete and re-apply for a new user ID.
    • Open your OCBC Business app and tap on “More”, followed by “Block Access”. Then, key in your Org ID, User ID, and Password before tapping on “Block Access”.

    Alternatively, call us at +65 6538 1111 for further assistance.

    To reactivate your account, please submit a request form. Simply visit the OCBC Business Banking website and click on Help & Support (top of webpage) > Banking forms > Apply & Manage OCBC Velocity.

  • My customer did not log in to OCBC Velocity but received a push notification from our app on 2FA login. What precautions can we advise the customer to take?

    This could be a situation where your OCBC Velocity ID/Password might be compromised.

    We recommend that you log in to OCBC Velocity and change your password immediately, as well as call us at +65 6538 1111 to report the suspicious login. We will investigate the case for any abnormality.

    You may also block your own ID access via the following methods:

    • Click on the “Block my access temporarily” hyperlink on the OCBC Velocity login page, and submit a request to delete and re-apply for a new user ID.
    • Open your OCBC Business app and tap on “More”, followed by “Block Access”. Then, key in your Org ID, User ID, and Password before tapping on “Block Access”.
  • I would like to switch from OneToken to a hardware token. How do I do so?

    The standard process for requesting a hardware token applies.

    While customers are given a choice between OneToken and a hardware token, we encourage customers to apply for OneToken, given the following benefits:

    • The processing time taken to equip you with OneToken is shorter.
    • It is simpler and more convenient as OneToken is installed on your mobile phone.

    If you need further assistance, please call us at +65 6538 1111.

  • What should I do if I lose my hardware token?

    We recommend that you block your own access via the following methods:

    • Click on the “Block my access temporarily” hyperlink on the OCBC Velocity login page, and submit a request to delete and re-apply for a new user ID.
    • Open your OCBC Business app and tap on “More”, followed by “Block Access”. Then, key in your Org ID, User ID, and Password before tapping on “Block Access”.

    When applying for a new token, you may want to consider switching to OneToken, given the following benefits:

    • The processing time taken to equip you with OneToken is shorter.
    • It is simpler and more convenient as OneToken is installed on your mobile phone.

    To request a new token, please submit a request form. Simply visit the OCBC Business Banking website and click on Help & Support (top of webpage) > Banking forms > Apply & Manage OCBC Velocity.

    If you need further assistance, please call us at +65 6538 1111.

  • What should I do if I suspect that my mobile phone has been hacked?

    This could be a situation where your OCBC Velocity ID/Password might be compromised. We recommend that you block your own access via the following methods:

    • Click on the “Block my access temporarily” hyperlink on the OCBC Velocity login page, and submit a request to delete and re-apply for a new user ID.
    • Open your OCBC Business app and tap on “More”, followed by “Block Access”. Then, key in your Org ID, User ID, and Password before tapping on “Block Access”.

    Alternatively, you can call us at +65 6538 1111 for further assistance.

    To reactivate your account, please submit a request form. Simply visit the OCBC Business Banking website and click on Help & Support (top of webpage) > Banking forms > Apply & Manage OCBC Velocity.

  • What measures have the Bank implemented to prevent scams and phishing attacks?

    The Bank is diligently monitoring and taking down phishing sites 24/7.

    To better safeguard your interests, we have rolled out the following measures:

    • Increased the soft token provisioning cooling period to 12 hours before the user can log in again.
    • Removed all links in SMSes.
  • What should I do if I discover a fraudulent transaction in my account?

    Please call us immediately at +65 6538 1111.

    We recommend that you also block your own ID access via the following methods:

    • Click on the “Block my access temporarily” hyperlink on the OCBC Velocity login page, and submit a request to delete and re-apply for a new user ID.
    • Open your OCBC Business app and tap on “More”, followed by “Block Access”. Then, key in your Org ID, User ID, and Password before tapping on “Block Access”.