Security Advisory
  • ACT against scams to keep your business safe
    15 May 2023

    Safeguard your business’ finances 

    Last year saw a spike in the number of scams reported in Singapore. Millions of dollars have been lost – young adults are especially affected by job and e-commerce scams while seniors increasingly fall victim to fake friend, investment and phishing scams.

    So how can you avoid falling prey to scams?

    Join us and the National Crime Prevention Council (NCPC) to ACT against scams.
    By remembering the three simple steps of ‘Add, Check, Tell’, you can protect yourself and your business.

    WHAT IS ACT?

    Organised by the NCPC, the ACT Against Scams campaign aims to educate the public on how to prevent, spot and stop scams.

    Add
    Install security tools (e.g. antivirus software) on your devices and adopt security features (e.g. biometric authentication) that protect you online

    Check
    Be vigilant and on the lookout for signs of scams. Always check with trusted sources to verify if the information you receive or are asked to share is true

    Tell
    If you encounter a scam, inform the authorities, your bank and your staff/colleagues at once



    Learn more about ACT on the NCPC website.
    Read about how we can all “ACT Against Scams” in the Scaminar 2023 keynote address delivered by Ms Sun Xueling the Ministry of Home Affairs.

    COMMON THREATS

    Be better prepared to ACT by learning more about the following threats:

    Phishing scams

    Scammers may pretend to be from a legitimate organisation and approach you via email or SMS, or on social media. They often offer fake benefits or rewards, or use fear tactics (e.g. demanding immediate action to resolve a fictitious urgent issue), to trick you into disclosing confidential information (e.g. NRIC number, card details, or online banking or Singpass credentials).

    Malware

    Cybercriminals may use malware, a type of malicious software, to infect your devices. They may then steal confidential data, take control over the compromised device and data remotely, and spy on your online activities.

    Impersonation scams

    Impersonators may contact you, claiming to be a member of a legitimate business, bank or the government. They may use fear tactics to get you to reveal personal details, which they will then use to commit fraud.


    Learn about the above and other common threats.

    ‘ADD’ WITH OCBC

    Use the following security measures by OCBC to safeguard your banking experience.

    Enable e-alerts to get timely notifications related to your account(s) and banking activities.

    Opt for e-Statements to closely keep track of all your transactions via OCBC Velocity or the OCBC Business app.


    For an extra layer of protection, download the ScamShield app by the NCPC to block scam calls and detect scam SMSes.

    Find out how to make use of these features and the other solutions OCBC has designed to safeguard your banking experience: go.ocbc.com/security


    This message contains links to third-party websites. By accessing any such websites, you agree to our terms of use

  • Security advisory: Protect yourself against malware

    17 Feb 2023

    Look out – especially if you have an Android device.

    New variants of Android malware (‘malicious software’) allow scammers to control your device remotely or steal sensitive information like login credentials or card details. This means that scammers can log in to your account and make fraudulent transactions or transfers without your knowledge.

    Android malware may be found in apps available in the Google Play Store. They could also be disguised as ‘helpful apps’ in Android Package Kit (APK) files that you may be tricked into downloading. By downloading them or giving access to certain functions, you may unwittingly allow scammers to take control of your device.

    Here is how you can protect yourself against malware:

    • Only download apps from the App Store (for iOS) or Google Play Store (for Android).

    • Do not download apps (e.g. email attachments, pop-up advertisements or links coming from unsolicited emails, messages or social media posts) without verifying the authenticity and source.

    • When installing apps, review the permissions that are requested. Make sure they are genuinely necessary. Asked to download additional apps? Be very wary.

    • Instal anti-virus software and malware removal tools on phones, computers and devices with Internet access.

    • Always get the latest versions of your devices’ operating systems and applications – the latest security patches will address security vulnerabilities. Enable automatic updates so your devices are protected.

    • Check transaction details carefully and read the notifications we send you. Notify us immediately if you receive alerts for transactions you did not make.

    If you believe you have fallen prey to a scam, please call us at +65 6538 1111

    You may also stop your ID from being used to access your account:

    • Via OCBC Velocity: Go to the OCBC Velocity login page > Click ‘Block my access temporarily’.

    • Via the OCBC Business app: Open the app > More > Block Access > Enter your Org ID, User ID and Password > Block Access.

    As scams constantly evolve, please stay vigilant at all times.

  • Scam alert: Fake OCBC Velocity websites

    18 March 2022

    Scammers may use fraudulent links that direct you to fake websites resembling OCBC Velocity’s login page in order to steal login credentials.



    These fake websites will prompt you to enter login credentials such as your Organisation ID, User ID, Password or One Time Password (OTP). The scammers can then make fraudulent transfers using your account(s). To prevent such unauthorised activity, never key in such details into unverified websites.

    We urge you to stay vigilant and take necessary precautions.

    How to protect yourself:

    • Verify the authenticity of the website you are accessing
    • Always type the official OCBC Velocity login URL (https://velocity.ocbc.com) directly into the address bar
    • Do not divulge your login credentials to anyone or any organisation, or enter such confidential information into unverified webpages
    • Do not click on any links provided in suspicious SMSes
    • Be cautious of scanning unknown QR codes when making payments or transactions in unsecure or unfamiliar environments


    Please call us immediately at +65 6538 1111 if you:

    • Receive SMS transaction alerts or email notifications for transactions or activities you did not initiate or perform
    • Lose your security device or security details – or suspect these have been compromised in any way.
  • I have received a call from OCBC. How can I verify that the caller is from OCBC and contacting me for legitimate purposes?

    Verify the person’s identity and ask about the purpose of the call. You may want to take down the number and request the full name and department of the person calling. The caller’s email should also be “xxx@ocbc.com”. If in doubt, call us at +65 6538 1111 for further assistance.

    Be vigilant and protect yourself from scams. Beware of such calls or messages from persons impersonating as employees from OCBC.

    Do adopt the following measures to prevent your bank account from being compromised:

    • NEVER disclose your online banking login details such as your Organisation ID, User ID, PIN, or OTPs to anyone. OCBC Bank employees will never request your PIN and/or OTP.
    • DO NOT respond to or authorise any authentication requests (through your OneToken or hardware token) if you did not initiate any online banking transaction.
    • If you receive a suspicious message or call purporting to be from OCBC Bank, do not call the number provided in the SMS or by the caller. Instead, call us back at +65 6538 1111 to verify the authenticity of the request.
  • How can I ensure that my OCBC Velocity User ID is not compromised?
    • DO NOT click on any links provided in suspicious emails or SMSes.
    • NEVER divulge banking credentials or one-time passwords to anyone or any organisation, or key such confidential information into unverified webpages.
    • If you have an employee leaving the organisation, make sure you submit the request to us to remove the user from OCBC Velocity. While waiting for the request to be processed, you may also take these precautions:
      1. Block his/her access via the “Block my access temporarily” hyperlink on the OCBC Velocity login page. You will need to enter his/her OCBC Velocity login credentials.
      2. Delete the OCBC Business app from their devices
    • Look out for notifications from OCBC either via SMS or email notifying you of major changes or transactions. Notify the bank immediately at +65 6538 1111 if these are not valid actions initiated by you.
  • How can I minimise my risk from phishing scams as an OCBC Velocity User?
    • DO NOT click on any links provided in suspicious emails or SMSes.
    • NEVER divulge banking credentials or one-time passwords to anyone or any organisation, or key such confidential information into unverified webpages.
    • Look out for notifications from OCBC either via SMS or email notifying you of major changes or transactions. Notify the bank immediately at +65 6538 1111 if these are not valid actions initiated by you.
  • I have received an SMS which contains an OCBC hotline number. How do I know if this is legitimate?

    Beware of SMS scams which may direct you to call a fake hotline.

    DO NOT call any numbers within SMSes or click on any links in SMSes.

    When in doubt, call us at our official OCBC Business Banking hotline number at +65 6538 1111.

  • What should I do if I receive an email or SMS notification from OCBC informing me that my OneToken has been activated when I have not applied for a new one?

    This could be a situation where your OCBC Velocity ID/Password has been compromised.

    We recommend that you block your own ID access via the following methods:

    • Click on the “Block my access temporarily” hyperlink on the OCBC Velocity login page, and submit a request to delete and re-apply for a new user ID.
    • Open your OCBC Business app and tap on “More”, followed by “Block Access”. Then, key in your Org ID, User ID, and Password before tapping on “Block Access”.

    Alternatively, you may call us at +65 6538 1111 for further assistance.

  • If the SMS is not legitimate, why did it appear under the OCBC SMS thread?

    Scammers are using technology to spoof the SMS sender name as “OCBC”. When the spoofed SMS is received on the user’s mobile phone, the spoofed SMS with the name “OCBC” will appear in the same SMS conversation thread with OCBC.

    These messages usually come with a phishing URL link to obtain your details on a lookalike OCBC login page. It is therefore important to stay vigilant against phishing scams.

    Do not click on such phishing SMS links. The links will lead you to a fake website controlled by the scammers. You should always type URLs directly into the address bar of the browser or log in via the official OCBC Business app. Never key in your login credentials through the phishing URL links in the SMSes.

  • How does the scammer know that I have an account with OCBC? Has the bank’s system been compromised?

    Scammers are sending mass phishing SMSes and emails, not knowing if the recipients are OCBC customers or not. Should you click on the link and provide your login credentials, they will then know that you have an account with OCBC. It is therefore important to stay vigilant against such phishing scams. Do not click on any phishing SMS links.

    We wish to assure you that our banking systems remain secure and have not been compromised.

  • Did the OCBC system get hacked? Are you sure that your system has not been hacked?

    We wish to assure you that our banking systems remain secure and have not been compromised.

  • With so many SMSes sent by scammers, how can I differentiate them from legitimate SMSes by OCBC?

    We will not send you any message asking you to click on any links to verify or validate certain transaction information. When in doubt, please call us at +65 6538 1111.

    We wish to assure you that our banking systems remain secure and have not been compromised.

  • What should I do if I suspect my OCBC Velocity User login credentials have been compromised?

    You can log in to OCBC Velocity and change your password immediately.

    You may also block your own ID access via the following methods:

    • Click on the “Block my access temporarily” hyperlink on the OCBC Velocity login page, and submit a request to delete and re-apply for a new user ID.
    • Open your OCBC Business app and tap on “More”, followed by “Block Access”. Then, key in your Org ID, User ID, and Password before tapping on “Block Access”.

    Alternatively, call us at +65 6538 1111 for further assistance.

    To reactivate your account, please submit a request form. Simply visit the OCBC Business Banking website and click on Help & Support (top of webpage) > Banking forms > Apply & Manage OCBC Velocity.

  • What should I do if I lose my mobile phone?

    You can activate OneToken on another mobile device, and this will automatically deactivate OneToken on your previous device. Simply download the OCBC Business app on your new device. Then log in with your OCBC Velocity credentials and follow the steps shown in the “Lost/Changed Phone” hyperlink.

    You may also block your own ID access via the following methods:

    • Click on the “Block my access temporarily” hyperlink on the OCBC Velocity login page, and submit a request to delete and re-apply for a new user ID.
    • Open your OCBC Business app and tap on “More”, followed by “Block Access”. Then, key in your Org ID, User ID, and Password before tapping on “Block Access”.

    Alternatively, call us at +65 6538 1111 for further assistance.

    To reactivate your account, please submit a request form. Simply visit the OCBC Business Banking website and click on Help & Support (top of webpage) > Banking forms > Apply & Manage OCBC Velocity.

  • My customer did not log in to OCBC Velocity but received a push notification from our app on 2FA login. What precautions can we advise the customer to take?

    This could be a situation where your OCBC Velocity ID/Password might be compromised.

    We recommend that you log in to OCBC Velocity and change your password immediately, as well as call us at +65 6538 1111 to report the suspicious login. We will investigate the case for any abnormality.

    You may also block your own ID access via the following methods:

    • Click on the “Block my access temporarily” hyperlink on the OCBC Velocity login page, and submit a request to delete and re-apply for a new user ID.
    • Open your OCBC Business app and tap on “More”, followed by “Block Access”. Then, key in your Org ID, User ID, and Password before tapping on “Block Access”.
  • I would like to switch from OneToken to a hardware token. How do I do so?

    The standard process for the request of hardware token applies.

    While customers are given a choice to choose between OneToken or a hardware token, we encourage customers to apply for OneToken, given the following benefits:

    • The processing time taken to equip you with OneToken is shorter.
    • It is simpler and more convenient as OneToken is installed on your mobile phone.

    If you need further assistance, please call us at +65 6538 1111.

  • What should I do if I lose my hardware token?

    We recommend that you block your own access via the following methods:

    • Click on the “Block my access temporarily” hyperlink on the OCBC Velocity login page, and submit a request to delete and re-apply for a new user ID.
    • Open your OCBC Business app and tap on “More”, followed by “Block Access”. Then, key in your Org ID, User ID, and Password before tapping on “Block Access”.

    When applying for a new token, you may want to consider switching to OneToken, given the following benefits:

    • The processing time taken to equip you with OneToken is shorter.
    • It is simpler and more convenient as OneToken is installed on your mobile phone.

    To request a new token, please submit a request form. Simply visit the OCBC Business Banking website and click on Help & Support (top of webpage) > Banking forms > Apply & Manage OCBC Velocity.

    If you need further assistance, please call us at +65 6538 1111.

  • What should I do if I suspect that my mobile phone has been hacked?

    This could be a situation where your OCBC Velocity ID/Password might be compromised. We recommend that you block your own access via the following methods:

    • Click on the “Block my access temporarily” hyperlink on the OCBC Velocity login page, and submit a request to delete and re-apply for a new user ID.
    • Open your OCBC Business app and tap on “More”, followed by “Block Access”. Then, key in your Org ID, User ID, and Password before tapping on “Block Access”.

    Alternatively, you can call us at +65 6538 1111 for further assistance.

    To reactivate your account, please submit a request form. Simply visit the OCBC Business Banking website and click on Help & Support (top of webpage) > Banking forms > Apply & Manage OCBC Velocity. 

  • What measures have the Bank implemented to prevent scams and phishing attacks?

    The Bank is diligently monitoring and taking down phishing sites 24/7.

    To better safeguard your interests, we have rolled out the following measures:

    • Increase the soft token provision cooling period to 12 hours before the user can log in again.
    • Remove all links in SMSes.
  • What should I do if I discover a fraudulent transaction in my account?

    Please call us immediately at +65 6538 1111.

    We recommend that you also block your own ID access via the following methods:

    • Click on the “Block my access temporarily” hyperlink on the OCBC Velocity login page, and submit a request to delete and re-apply for a new user ID.
    • Open your OCBC Business app and tap on “More”, followed by “Block Access”. Then, key in your Org ID, User ID, and Password before tapping on “Block Access”.