OCBC Bank has again warned customers about the recent ‘smishing’ (phishing via SMS) scams impersonating the Bank this month, given the potential surge in attacks this New Year weekend.

On 23 December 2021, OCBC Bank had issued its first media advisory to warn of a surge in these scams and advised customers that these SMSes were not sent from the Bank and not to click any link in these messages.

Between 8 and 17 December 2021, 26 customers reported a loss of about $140,000 to phishing scams. However, scammers’ phishing attacks have become particularly aggressive in recent weeks, especially during the Christmas weekend.

As of 29 December, 469 customers had reported a total loss amounting to $8.5 million to these scams. Over the Christmas weekend (24-26 December), there were 186 customers affected, with about $2.7 million lost on these three days alone.

Once the funds have left the customer’s account, the possibility of recovery is very low. As such, customers remain the first line of defence against such scams.

The Bank would like to alert and remind its customers and members of the public on how the scams operate, so they can avoid falling victim to these scams.

How the scams work

Members of the public receive SMSes purportedly from the Bank claiming there are issues with their bank accounts or credit cards. Scammers typically impersonate the bank through “spoofing” – cloning a legitimate sender’s name and short code (in this case, “OCBC”) via SMS. This enables the scammer’s SMS to appear as if it is originated from a legitimate sender, thus enabling their message to appear in the same thread as legitimate SMSes from the bank. These SMSes contain a link to a fraudulent website disguised as a legitimate bank website requesting for banking information and passwords.

The scam messages usually claim there are issues with the customer’s bank accounts or credit cards and directs customers to a link embedded in the SMS to resolve these issues. Upon clicking the link, customers would be redirected to an illegitimate website and asked to key in sensitive bank account log-in information like their username, PIN and One-Time Password. Using this information, scammers can then transfer monies out of the affected customers’ accounts.

They often reroute the monies through various accounts, making it difficult to track their movement and even harder to recover the cash.

How customers can prevent falling victim to the scams

Here are some reminders on what customers can do to protect themselves:

1. The Bank will never send an SMS to inform customers about account closures or being locked out of their accounts. Instead, it will send physical letters with such requests to customers – these ensure avoidance of doubt and prevent online fraud.
2. The Bank will never send an SMS with a link to reactivate customers’ accounts. Accounts become dormant after 12 months of inactivity. Reactivation is done in person at branches or via internet banking.
3. Do not click on links in SMSes. Instead, use OCBC’s official mobile banking app or type www.ocbc.com directly in the browser URL.
4. Do not provide sensitive information like log-in IDs, passwords or OTPs to anyone, or key these into unverified webpages.
5. Do not transfer money to strangers. When in doubt, get advice from a family member or friend.
6. If in doubt, call the OCBC hotline directly at (65) 6363 3333. Do not call any numbers provided in the SMS.
7. Customers can download the ScamShield app – a mobile app by the authorities in Singapore that blocks unsolicited messages and calls (only available on iOS devices). Visit https://www.scamshield.org.sg/ to find out more.