Now reading:

OCBC Bank advises public against SMS phishing scams impersonating the bank

OCBC Bank advises public against SMS phishing scams impersonating the bank

  • 23 Dec 2021

OCBC Bank has seen a sharp rise in the number of ‘smishing’ (phishing via SMS) scams impersonating the Bank over the past few weeks. Members of the public have received unsolicited SMSes purportedly from the Bank claiming there are issues with their bank accounts or credit cards. The SMSes contain a link to a fraudulent website disguised as a legitimate bank website requesting for banking information and passwords.

OCBC Bank will never send customers an SMS to inform them of an account closure, or that they have been locked out of their accounts temporarily. Neither will the Bank send an SMS to customers with a link to reactivate their accounts. These are always communicated via physical letters to prevent online fraud.

In the last week alone, OCBC Bank has received more than 20 times the average number of customers contacting the Bank relating to such scams. Between 8 and 17 December 2021, 26 customers reported a loss of about $140,000 to phishing scams. OCBC Bank is working with the Singapore Police Force’s Anti-Scam Centre to try to help customers recover funds lost through these fraudulent transactions. However, once the money has left the customer’s account, the possibility of recovery is very low. OCBC Bank will try its best to recover the funds for customers, but the first and strongest line of defence to combat scams lies with customers taking precaution to protect themselves from falling prey to fraudsters.

For the month of December so far, OCBC Bank has detected and initiated the takedown of 45 phishing websites, about eight times more than the average takedown requests every month.

Phishing enables scammers to obtain confidential information – such as bank account details, PINs, credit card numbers, One-Time Passwords (OTPs) and login credentials – information which scammers can then use to make unauthorised banking transactions.

OCBC Bank works closely with the Singapore Police Force to detect and prevent scams. Whenever a new phishing website is detected, OCBC Bank’s cyber security operations centre will immediately initiate a takedown of the bogus site.

However, scammers’ phishing attacks have become particularly aggressive in recent weeks. On 17 December 2021, the Singapore Police Force also issued an advisory to remind the public not to fall victim to such scams.

This is how the scam works

Scammers typically impersonate the bank through “spoofing” – a technique used to clone a legitimate sender’s name and short code (in this case “OCBC”) using SMS spoofing methods. This enables the scammer’s SMS to appear as if it is originating from a legitimate sender – which mobile devices are not able to differentiate as the names and numbers have been ‘masked’ – thus enabling their SMSes to appear in the same thread as legitimate SMSes from the bank.

Unsuspecting individuals receive unsolicited SMSes with the header “OCBC” claiming there are issues with their bank accounts or credit cards. These individuals are asked to click on a link embedded in the SMS to resolve the issues, which is redirected to a fake website and asked to key in their bank account log-in information like username, PINs, and OTPs. It is only when victims check their bank accounts, or receive notifications from the bank of unauthorised transactions, that they realise they have been scammed.

Customer support and advisory

All the Bank’s frontline employees have been trained to assist customers on such scams. OCBC Bank has alerted and reminded customers and the public to be more careful so as not to fall for these scams through the following measures:

There are ways for customers and the public to assess if SMSes from the bank are legitimate:

  • OCBC Bank will never send customers an SMS to inform them of an account closure, or that they have been locked out of their accounts temporarily.
  • OCBC Bank will also never send an SMS to customers with a link to reactivate their accounts.

Physical letters and not SMSes are sent to customers for account closures or requests to reactivate dormant bank accounts. Physical letters ensure avoidance of doubt and prevent online fraud. Bank accounts turn dormant after 12 months of inactivity. Reactivation is done in person at branches or via internet banking. 

Here are ways customers and the public can protect themselves from phishing scams:

  • Never click on links provided in suspicious e-mails and SMSes
  • Always type the Bank’s URL directly into the address bar of a web browser or use the Bank’s official mobile banking app
  • Do not divulge confidential information (e.g. your banking login credentials or OTPs) to anyone, or key in your banking login credentials into unverified webpages.
  • Do not transfer money to people you do not know. When in doubt, get advice from a family member or friend.
  • Customers can download the ScamShield app – a mobile app by the authorities in Singapore that blocks unsolicited messages and calls (only available on iOS devices). Visit https://www.scamshield.org.sg/ to find out more.

Customers who are in doubt about the authenticity of any SMSes received are advised to contact OCBC Bank at 1800 363 3333 (+65 6363 3333 if overseas) to verify them.


FOR THE PRESS

Media Queries

Please contact:

Bernadette Yuen

corpcomms@ocbc.com