Security Advisory



Beware of emails that may direct you to phishing webpages asking for your online banking credentials

22 February 2019
Threat: Phishing alert
Severity: Medium


There has been an increase in phishing emails received by our customers claiming to be from OCBC, such as a recent one requesting customers to register for a new authentication login for online banking.

These emails contain a hyperlink directing you to a phishing website, which will require you to provide your personal or banking details. For example, full name, NRIC/ passport numbers, Bank account numbers, card numbers, expiry date, CVV number, Personal Identification Number (PIN), One Time Password (OTP) and even in some instances to provide the OTP generated from their hardware token. Once this is done, fraudulent transactions may be effected from your accounts.

We advise you to stay vigilant and take the necessary precautions to protect yourself.

Sample of a phishing email


How to protect yourself:

  • OCBC will not request for your confidential information (e.g. PIN or OTP) through email, SMS or voice conversation.
  • Do not respond to unsolicited emails or SMS messages requesting for personal/banking credentials (e.g. NRIC/ passport numbers, address, emails, access code, PIN or OTP) or credit/debit/ATM cards details (e.g. card number, expiration date, CVV number, PIN).
  • Stay vigilant before clicking on any links embedded in the SMS messages or emails. Always type the URL of the website directly into the address bar of the browser.
  • Do not transfer funds to any unknown parties.
  • Always read the entire SMS alerts sent to your mobile phone for your transactions carefully. Inform the Bank immediately if you find the transaction suspicious.
  • Inform the Bank immediately when there is a change in your contact details such as mobile number or email address.


What you should do:

Please call the Bank immediately at 1800 363 3333 or +65 6363 3333 (when calling from overseas) if:

  • You notice any suspected fraud or transactions which are suspicious or not performed by you.
  • There is any compromise or loss of your security device or security details.
  • You received a SMS message or email for transactions which you did not perform.
  • You are alerted on change of daily withdrawal limit or add beneficiary for transfer to an account which you do not know of or did not perform.


Learn more about Phishing, Malware and Online Banking security.




Beware of emails that may direct you to phishing webpages asking for your credentials

19 December 2018
Threat: Phishing alert
Severity: Medium


Avoid getting an unwanted surprise this holiday season. There has been an increase in phishing emails purporting to be from OCBC. These emails may contain hyperlinks directing you to a non-OCBC website that requires you to provide your credit/debit/ATM cards details such as card number, expiration date, CVV number or Personal Identification Number (PIN), or online banking login credentials such as Access Code, PIN or One Time Password (OTP). This may result in unauthorised access to your bank accounts. Exercise vigilance during the holiday season and be mindful not to respond to such unsolicited requests.

Sample of a phishing email



Sample of a phishing webpage

How to protect yourself:

  • OCBC will not request for your PIN or OTP through voice conversation, SMS or email.
  • Do not respond to unsolicited SMS or emails requesting for credit/debit/ATM cards details (e.g. card number, expiration date, CVV number, PIN), or online banking credentials.
  • Stay vigilant before clicking on any links embedded in the SMS messages or emails. Always type the URL of the website directly into the address bar of the browser.
  • Do not transfer funds to any unknown parties.
  • Always read the SMS alerts sent to your mobile phone for your transactions carefully. Inform the Bank immediately if the transaction is suspicious.
  • Inform the Bank immediately when there is a change in your contact details such as mobile number or email address.


What you should do:

Please call the Bank immediately at 1800 363 3333 or +65 6363 3333 (when calling from overseas) if:

  • You are aware of any suspected fraud or transactions not performed by you including any compromise or loss of your security device or security details.
  • You received a SMS message or email for transactions which you did not perform.
  • You are alerted on change of daily withdrawal limit or add beneficiary for transfer to an account which you do not know of or did not perform.


Learn more about Phishing, Malware and Online Banking security.




For iOS version 12 users - How to safely use the Security Code Autofill suggestion for One-Time Password (OTP)

1 November 2018
Threat: Autofill input of OTP resulting in unauthorised transaction
Severity: Medium


Apple has introduced a new feature, Security Code Autofill, in iOS version 12. As shown in the diagrams below, this feature enables mobile devices to scan incoming Short Message Server (SMS) messages for One-Time-Password (OTP) and automatically display it as an AutoFill suggestion in the Quick Type bar above the virtual keyboard. You will only need to tap on the OTP to input it in the OTP field of an application or website instead of keying it manually.



While this new feature may enhance user experience, please continue to stay vigilant and adopt the following safe practices when you perform online banking transactions:

  • Verify the transaction details in the SMS message, ensure that it is for the transaction that you are authorising before using the associated OTP. Inform the Bank immediately if the transaction is suspicious.
  • Ensure the OTP is keyed in the correct bank’s mobile application or website. Do not reveal the OTP to anyone.
  • The Bank will not make unsolicited requests for your banking details. Be mindful not to reveal your personal or banking details such as ATM/Credit/Debit Card numbers, Online Banking Access Code, PIN/OTP into mobile applications or websites that you are not sure of.
  • Be on the alert for suspicious emails/SMS messages and websites or mobile messages, purporting to be from the Bank asking for your OCBC Online Banking login credentials such as PIN/OTP etc. Inform the Bank immediately if the transaction is suspicious.
  • Stay vigilant before clicking on any links embedded in the SMS messages or emails.
  • Always type the URL of the website directly into the address bar of the browser.
  • Inform the Bank immediately when there is a change in your contact details such as mobile number or email address so that you continue to receive SMS alerts or e-mail notifications for online banking transactions and activities.
  • Do not transfer funds to any unknown parties.


What you should do:

Please call the Bank immediately at 1800 363 3333 or +65 6363 3333 (when calling from overseas) if:

  • You are aware of any suspected fraud or transactions not performed by you including any compromise or loss of your security device or security details.
  • You received a SMS message or email for transactions which you did not perform.
  • You are alerted on change of daily withdrawal limit or add beneficiary for transfer to an account which you do not know of or did not perform.


Learn more about Phishing, Malware and Online Banking security.




SMS Phishing Scam

24 August 2018
Threat: Phishing alert
Severity: High


Recently, fraudsters have been sending SMSes and emails that appear to originate from OCBC, informing you to check out a new investment program.

It claims that OCBC has announced new software that will make you a millionaire, while others tell you some miraculous software will let you “quit your job in 30 days”.

These are NOT sent by OCBC Bank.

If you know of friends and loved ones who have been tempted to click on the links provided in these SMSes and emails, please tell them not to. While we work hard to help our customers succeed, we certainly don’t believe in “Get rich quick” approaches.

SMS Samples





Sample of website after clicking the link:



We would like to advise the public that under no circumstances will OCBC Bank make unsolicited requests through e-mail, SMSes, and phone calls that request for the following:

  • Personal details
  • Financial details
  • Bank account details
  • Credit/debit details
  • Logging into your Internet banking account
  • Verifying your account validity
  • PIN/Password


How to protect yourself:

  • Be on the alert for suspicious emails / SMSes and websites or mobile messages, purporting to be from the Bank aking for your OCBC Online Banking login credentials such as PIN/OTP etc. You should report these immediately by contacting us.
  • Stay vigilant before clicking on any links embedded in the SMS or emails.
  • Be mindful not to reveal your personal or banking details such as ATM/Credit/Debit Card numbers, PINs, Online Banking Access Code, PIN and OTP into websites or mobile apps.
  • Always type the URL of the website directly into the address bar of the browser.
  • Always read the SMS alerts sent to your mobile phone for your transactions carefully.
  • Update us immediately when there is a change in your contact details such as mobile number or email address so that you continue to receive SMS alerts or e-mail notifications for online banking transactions and activities.
  • Do not transfer funds to any unknown parties.




What you should do:

Please call the bank immediately at 1800 363 3333 or +65 6363 3333 (when calling from overseas) if:

  • You are aware of any suspected fraud or transactions not performed by you including any compromise or loss of your security device or security details; or
  • You received an SMS or email alert for transactions which you did not perform; or
  • You are alerted on change of daily withdrawal limit or add beneficiary for transfer to an account which you do not know of or did not perform.


Learn more about Phishing, Malware and Online Banking security.


SMS Phishing Alert: Beware of SMS that may direct you to phishing webpages asking for your credentials.
6 August 2018
Threat: Phishing alert
Severity: Medium


Fraudsters have been sending SMS containing hyperlinks targeting OCBC customers. Upon clicking on the hyperlink, you will be directed to a page requesting for your Online Banking Access Code, PIN, credit or debit card numbers, expiration date and 3-digit CVV number on the back of your card. The websites are intended to trick you to revealing your personal information and use it for unauthorised transactions on your accounts or credit cards.

Fraudsters may spoof SMS or emails to give the appearance that they originate from OCBC. All mobile device will list the spoofed SMS in the same thread with those sent under the bank.



Please stay vigilant and take the necessary precautions.

How to protect yourself:

  • Always type the URL of the website directly into the address bar of the browser.
  • OCBC Bank will not make unsolicited requests for your personal or banking details (e.g., credit/ debit card information or login credentials) through channels such as emails or SMS. Inform the Bank immediately if such requests are received
  • Do not reveal any personal or banking details (e.g., ATM/ Credit/ Debit Card numbers, login credentials, OTP) into suspicious websites or mobile apps.
  • Always read SMS alerts for your transaction details carefully.
  • Inform the Bank whenever contact details or mailing address get updated.


What you should do :

Please call the bank immediately at 1800 363 3333 or +65 6363 3333 (when calling from overseas) if:

  • You are aware of any suspected fraud or transactions not performed by you;
  • If any of your credit or atm cards, banking login credentials or security devices have been lost or compromised;
  • You received an SMS or email alert for transactions which you did not perform; or
  • You are alerted on change of daily withdrawal limit or add beneficiary for transfer to an account which you do not know of or did not perform.


Learn more about Phishing, Malware and Online Banking security.


Beware of unsolicited calls, emails or SMS asking for your personal or banking information or credentials.
23 July 2018
Threat: Phishing alert
Severity: Medium


Last week, SingHealth reported a data breach where patients’ data such as names, NRIC numbers, addresses and date of birth were stolen. The stolen information may be used by syndicates to conduct social engineering and phishing scams. They may use the stolen information to trick victims to believe these scams are real.

Please be reminded to stay vigilant when you receive calls, emails and SMS from unfamiliar or unsolicited sources asking for your personal particulars, banking information and credentials.

Please stay vigilant and take the necessary precautions.

How to protect yourself:

  • Be on the alert for suspicious emails / SMS and websites or mobile messages, purporting to be from the Bank asking for your OCBC Online Banking login credentials such as PIN/OTP etc. You should report these immediately by contacting us.
  • OCBC Bank will not make unsolicited requests for your personal, financial, bank account or credit/debit card information, or unsolicited requests that you log in and verify account validity, through e-mail, mobile messages or on phone unless you have initiated the contact. Under no circumstances will the Bank ask you to reveal your PIN/Password.
  • Be mindful not to reveal your personal or banking details such as ATM/Credit/Debit Card numbers, PINs, Online Banking Access Code, PIN and OTP into websites or mobile apps.
  • Stay vigilant before clicking on any links embedded in the SMSes or emails.
  • Always type the URL of the website directly into the address bar of the browser.
  • Always read the SMS alerts sent to your mobile phone for your transactions carefully.
  • Update us immediately when there is a change in your contact details such as mobile number or email address so that you continue to receive SMS alerts or e-mail notifications for online banking transactions and activities.


What you should do

Please call the bank immediately at 1800 363 3333 or +65 6363 3333 (when calling from overseas) if:

  • You are aware of any suspected fraud or transactions not performed by you including any compromise or loss of your security device or security details; or
  • You received an SMS or email alert for transactions which you did not perform; or
  • You are alerted on change of daily withdrawal limit or add beneficiary for transfer to an account which you do not know of or did not perform.


Learn more about Phishing, Malware and Online Banking security.


SMS Phishing Alert: Beware of SMS linking to phishing websites asking for your credentials.
13 June 2018
Threat: Phishing alert
Severity: Medium


The SMS may contain hyperlinks which redirect you to a webpage requesting for your Online Banking Access Code, PIN, ATM or credit card numbers, expiration date and even the 3-digit CVV number on the back of your card.

The websites are intended to steal your information and use it for unauthorised transactions on your accounts or credit cards.



Please stay vigilant and take the necessary precautions.

How to protect yourself:

  • Always type the URL of the website directly into the address bar of the browser.
  • Stay vigilant before clicking on any links embedded in the SMSes or emails.
  • Be on the alert for suspicious emails / SMS and websites or mobile messages, purporting to be from the Bank asking for your OCBC Online Banking login credentials such as PIN/OTP etc. You should report these immediately by contacting us.
  • OCBC Bank will not make unsolicited requests for your personal, financial, bank account or credit/debit card information, or unsolicited requests that you log in and verify account validity, through e-mail, mobile messages or on phone unless you have initiated the contact. Under no circumstances will the Bank ask you to reveal your PIN/Password.
  • Be mindful not to reveal your personal or banking details such as ATM/Credit/Debit Card numbers, PINs, Online Banking Access Code, PIN and OTP into websites or mobile apps.
  • Always read the SMS alerts sent to your mobile phone for your transactions carefully.
  • Update us immediately when there is a change in your contact details such as mobile number or email address so that you continue to receive SMS alerts or e-mail notifications for online banking transactions and activities.


What you should do

Please call the bank immediately at 1800 363 3333 or +65 6363 3333 (when calling from overseas) if:

  • You are aware of any suspected fraud or transactions not performed by you including any compromise or loss of your security device or security details; or
  • You received an SMS or email alert for transactions which you did not perform; or
  • You are alerted on change of daily withdrawal limit or add beneficiary for transfer to an account which you do not know of or did not perform.


Learn more about Phishing, Malware and Online Banking security.


Phishing Alert: Beware of emails linking to websites asking for your personal information.
7 May 2018
Threat: Phishing alert
Severity: Medium

There has been an increase in phishing emails received by our customers on their accounts being placed on hold and were requested to confirm their card details.

These emails may contain hyperlink(s) directing customers to a phishing website which will require customers to provide their personal / banking / card details. For example, full name, NRIC/ passport numbers, Bank account numbers, card numbers, expiry date, CVV number, Personal Identification Number (PIN), One Time Password (OTP) and even in some instances to provide the OTP generated from their hardware token. Once this is done, fraudulent transactions may be effected from your accounts.

Example of phishing email

To avoid any unauthorised access to your bank account(s) or transactions on your cards, please be mindful to never enter such information on to links to websites sent via emails. We advise you to stay vigilant and take the necessary precautions to protect yourself.

How to protect yourself:

  • Be on the alert for suspicious emails and websites or mobile messages, purporting to be from the Bank asking for your OCBC Online Banking login credentials such as PIN/OTP etc. You should report these immediately by contacting us.
  • OCBC Bank will not make unsolicited requests for your personal, financial, bank account or credit/debit card information, or unsolicited requests that you log in and verify account validity, through e-mail, mobile messages or on phone unless you have initiated the contact. Under no circumstances will the Bank ask you to reveal your PIN/Password.
  • Be mindful not to reveal your personal or banking details such as ATM/Credit/Debit Card numbers, PINs, Online Banking Access Code, PIN and OTP into websites or mobile apps.
  • Always read the SMS alerts sent to your mobile phone for your transactions carefully.
  • Update us immediately when there is a change in your contact details such as mobile number or email address so that you continue to receive SMS alerts or e-mail notifications for online banking transactions and activities.


What you should do

Please call the bank immediately at 1800 363 3333 or +65 6363 3333 (when calling from overseas) if:

  • You are aware of any suspected fraud or transactions not performed by you including any compromise or loss of your security device or security details; or
  • You received a SMS or an e-mail alert for transactions which you did not perform; or
  • You are alerted on change of daily withdrawal limit or add beneficiary for transfer to an account which you do not know of or did not perform.


Learn more about Phishing, Malware and Online Banking security.


Phishing Alert: Beware of emails or SMS linking to websites asking for your personal information.
17 January 2018
Threat: Phishing alert
Severity: Medium

Reports on phishing attacks had increased over the last few weeks.. Generally, phishing attacks use emails or SMS (purportedly from a trusted organisation such as OCBC) with links to fictitious websites or to download apps. Such emails or SMS typically use fear tactics and may threaten to disable an account or delay services until you update certain information.

Example of phishing email and sms

The links will direct you to a website or app that looks legit, as below. The intent is to gain unauthorised access to your bank accounts once you provide the information they request for such as:

  • Personal information - NRIC/ passport number, mailing address, email address
  • Banking credentials - bank account numbers, card numbers, expiry date, CVV number, Personal Identification Number (PIN), One Time Password (OTP) and in some instances to provide the OTP generated from your hardware token.
Example of how a phishing website or app login may look like

How to protect yourself:

  • Know that OCBC Bank will not make unsolicited requests for your personal, financial, bank account or credit/debit card information, or unsolicited requests that you log in and verify account validity, through e-mail, mobile messages or on phone unless you have initiated the contact. Under no circumstances will the Bank ask you to reveal your PIN/Password.
  • Do not use links in an email or instant message to connect to the Bank's website unless you are certain they are authentic. If you need to get to the Bank’s webpage, open your browser and type the URL directly into the address bar.
  • Do not respond to emails asking for confidential information, e.g: your financial or personal information. Phishers like to use fear tactics and may threaten to disable an account or delay services until you update certain information.
  • Never reveal to anyone or key in your personal banking details such as ATM, Credit Card Numbers, their PINs, Online Banking Access codes, PIN and OTP into websites or mobile apps.
  • Beware of anyone who may request that you install software on your device.
  • Always ensure that you download information or apps from official source only.
  • Protect your computer with firewall, spam filters, anti-virus and anti-spyware software. Ensure you are getting the most up-to-date software and update them regularly to ensure that you are protected against new viruses and spyware.
  • Always keep your contact information with the bank updated so that we may send you:
    • Instant alerts on transactions performed on your bank accounts.
    • Instant notifications on account activities such as adding a beneficiary or change of contact particulars
  • Always read the SMS alerts sent to your mobile phone for your transactions carefully.


What you should do

Please call the bank immediately at 1800 363 3333 or +65 6363 3333 (when calling from overseas) if:

  • You are aware of any suspected fraud or transactions not performed by you including any compromise or loss of your security device or security details; or
  • You received a SMS or an e-mail alert for transactions which you did not perform; or
  • You are alerted on change of daily withdrawal limit or add beneficiary for transfer to an account which you do not know of or did not perform.


Learn more about Phishing, Malware and Online Banking security.

The above is for general information only and provided solely as a convenience to you. No representation or warranty (whether on adequacy or usefulness or otherwise) is given by OCBC. You confirm that you are responsible for the security of your computer and mobile devices and OCBC assumes no responsibility to you in relation thereto. We refer you to our online banking safe security practices at Safeguarding Your Online Banking Access. Your usage of our OCBC Online Banking Service is subject at all times to the Electronic Banking Terms & Conditions and the Terms & Conditions Governing Deposit Accounts.