OCBC Bank today said that it has begun making goodwill payouts since 8 January 2022 to customers who had fallen prey to the recent SMS phishing scam (‘the Scam’). The payouts to this group of customers are made on goodwill basis after thorough verification, taking into account the circumstances of each case. 

Customers started receiving the goodwill payouts from 8 January 2022, and, to date, more than 30 customers have received them.   

This Scam was particularly aggressive and highly co-ordinated. It also preyed on people’s fear that there was an issue with their bank accounts or credit cards. Past cases of SMS phishing scams largely targeted consumers with ‘too good to be true’ deals.

The Bank’s investigation has confirmed that victims who had fallen prey had provided their online banking log-in credentials to phishing websites. Thereafter, the scammers were very fast in fraudulently transferring the monies out of the customers’ bank accounts.

A dedicated team had been set up to support the victims. The Bank has reached out to affected customers to address their concerns and to assure them of the support in place.

OCBC Bank acknowledged that its customer service and response fell short of our customers’ expectations, especially at a time of stress and anxiety.

As the investigations into these cases are complex and extensive involving multiple checks and parties, the Bank needed more time to get back to affected customers to address their concerns. The Bank seeks the patience and understanding of all affected customers to allow it the time to properly review and validate each case thoroughly.

Affected customers will be contacted as soon as the review and validation of their case is complete.

This Scam first surfaced at the start of December 2021 and became increasingly aggressive over the year-end holiday period. From the time the Bank first detected it in early December 2021, it had, since 3 December 2021, issued multiple alerts and warnings to its customers using multiple channels. It had issued security alerts and advisories on its website, Internet and mobile banking log-in pages, through customer e-mails, as well as through its own social media channels. Two media advisories were issued, one on 23 December and another on 30 December 2021. Both were well covered by the media. SMS messages were sent to all customers on 30 December 2021 and 4 January 2022.  

The Bank has also proactively reached out to customers who might not be aware that their banking activities were susceptible to the Scam. This has helped to prevent more customers from falling prey to the Scam.  

OCBC Bank’s Group Chief Executive Officer, Ms Helen Wong, said: “We strongly condemn this scam as it preyed on consumers’ fear and was a highly-coordinated one. We fully understand the concerns and anxiety of our affected customers. We have begun making goodwill payouts since 8 January 2022. I sincerely ask our customers to allow us the time to conduct a thorough review and validation before we inform them of the payouts. We seek our customers’ patience and understanding as investigations are complex, and we apologise that our response fell short of our customers’ expectations during their time of distress.”

Addressing concerns about the Bank’s systems, Ms Wong added, “I want to assure our customers and members of the public that our banking systems and digital banking platforms are safe and secure. Digital banking remains a convenient way to do banking. We do not want this scam to take that away from us. But scammers are increasing in sophistication. Therefore, I urge everyone to stay alert and do your banking only at the Bank’s official websites and on the official mobile apps. Together with the Association of Banks in Singapore and the Monetary Authority of Singapore, the industry will review to further strengthen the anti-fraud detection and prevention measures.”

OCBC Bank wants to again warn and remind customers and members of the public on how these scams operate so that they do not become victims as well.

How the SMS spoofing works by the fraudster

How the fraudster takes complete control of a victim’s bank account

Members of the public would receive SMSes that appear to be from the Bank claiming there are issues with their bank accounts or credit cards (but were in fact sent by the scammers).

Scammers impersonate the bank through “spoofing” – cloning a legitimate sender ID (e.g. “OCBC”) or other sender IDs non-related to OCBC – via SMS.

When a legitimate sender’s ID is cloned, this enables the scammer’s SMS to appear as if it is originated from a legitimate sender, thus enabling their message to appear in the same thread as legitimate SMSes from the bank.

These SMSes contain a link to a phishing website disguised as a legitimate bank website requesting for banking information and passwords.

The scam messages claim there are issues with the customer’s bank accounts or credit cards and directs customers to a link embedded in the SMS to resolve these issues.

Upon clicking the link, customers would be redirected to the phishing website and asked to key in sensitive bank account log-in information like their username, PIN and One-Time Password. Using this information, scammers can then gain access to the customer’s account and transfer monies out of the accounts.

Scammers often reroute the monies through various accounts, making it difficult to track their movement and even harder to recover the cash.

How customers can prevent falling victim to the Scam

Here are some reminders on what customers can do to protect themselves against the Scam:

1. The Bank will never send an SMS to inform customers about account closures or being locked out of their accounts. Instead, it will send physical letters with such requests to customers to prevent online fraud.

2. The Bank will never send an SMS with a link to reactivate customers’ accounts. Accounts become dormant after 12 months of inactivity. Reactivation is done in person at branches or via internet banking.

3. Do not click on links in SMSes that purport to direct customers to the Bank’s website. Instead, use OCBC’s official mobile banking app or type www.ocbc.com directly in the browser URL.

4. Do not provide sensitive information like log-in IDs, passwords or OTPs to anyone, or key these into unverified webpages.

5. Do not transfer money to strangers. When in doubt, get advice from a family member or friend.

6. If in doubt, call the OCBC hotline directly at (65) 6363 3333. Do not call any numbers provided in the SMS.

7. Customers can download the ScamShield app – a mobile app by the authorities in Singapore that blocks unsolicited messages and calls (only available on iOS devices). Visit https://www.scamshield.org.sg/ to find out more.