Helping you bank safely and securely, our No.1 priority
Phishing scams happen when cyber criminals try to trick victims into disclosing confidential information (e.g. their NRIC number, online banking or Singpass credentials, card details, passwords) either by pretending to be someone they are not or by offering something that is not real.
Pretend to be from a legitimate organisation
The scammer contacts their targets under the guise of an employee or representative of a legitimate organisation (e.g. bank, government organisation, e-commerce website, social media platform). This may be done via email, social media, SMS or phone calls.
Make claims of problems that require immediate attention
The scammer will often start the conversation by claiming that their target must provide his/her personal or banking details in order to continue the conversation and/or handle the purported urgent ‘problem’. For example, the scammer may claim to need access to the target’s online banking account on the pretext of investigating fraud.
Set up sham websites
Some scammers use the latest technology to set up fraudulent phishing websites that look identical to the websites of legitimate organisations, albeit with a slightly different web address. Their targets’ personal/banking details and money become at risk when they enter their details into these fake websites.
Tempt victims with the promise of rewards
Preying on people’s desires, some scammers will call their targets and claim that the targets have won a reward or a giveaway which they did not enter. The calls would be unsolicited and from unverified organisations.
When questioned, the scammers may claim that another person had entered the victim into the giveaway on his/her behalf.
The scammers may also offer highly attractive deals (e.g. tax rebates) or talk about a surprise inheritance. They may ask targets to fill out a survey (designed to steal personal information) in exchange for a participation prize.
The scammers will make the fake prize sound very enticing. This is to lure their victims into revealing their personal details, which they will claim are necessary to verify their identity and obtain the prize.
Use fear to get their victim’s attention
Other scammers prey on people’s fears. Under the guise of a bank, they will send emails or SMSes claiming to have identified an ‘unauthorised transaction’ or ‘suspicious activity in the account’ that needs urgent attention.
The emails or SMSes will include links to bogus websites or phone numbers for their target to contact. They may contain threats of ‘deactivating’ the target’s account if the target does not comply with their instructions to, for example, provide his/her banking details.
The target may be told that a large purchase has been made under his/her account, sometimes in foreign currency, and asked if the payment was authorised by him/her. Once the target says no, the scammer will get him/her to confirm his/her bank account or credit card details – supposedly so that the case can be ‘investigated’. In some instances, the scammer has already obtained their target’s credit card number; they may then ask the target for the 3 digits on the back of his/her card (i.e. the card’s security code).
Impersonate the government to seem legitimate
Other scammers may impersonate members of the government or the Courts. They will contact their targets with claims of serious legal issues that the targets must resolve immediately (e.g. a court summons against them or a fine they must pay to avoid imprisonment).
They will ask for the target’s personal details, including his/her NRIC number. They will claim that these details are needed to verify the target’s identity so that they can provide more details on the supposed issue to the victim.
Impersonate e-commerce websites and delivery businesses
Some scammers target online shoppers and will claim to be from delivery companies or e-commerce sites.
They will email, SMS or even call their targets with claims that they are experiencing delivery issues relating to orders that were never placed. They will claim that their targets must confirm certain personal and account details (e.g. their online banking credentials or login credentials for the e-commerce site) before the delivery can be made.
Use seasonal events to widen their target pool
Phishing activity tends to increase during newsworthy and seasonal events. This includes natural disasters, epidemics, health scares, periods of economic downturn or crisis, major political elections and holidays.
Copy legitimate communications to trick victims
Most often, the emails and SMSes will mimic the look of messages that originate from legitimate banks or organisations. At times, the imitation may be so good that it will be almost impossible to differentiate the legitimate from the bogus.
There are tell-tale signs. Scammers usually cannot properly identify themselves. The emails and SMSes they send will not address their target by name and may also contain typographical and grammatical errors.
How a phishing scam might look
Here is an example of a phishing scam.
A scammer may use a victim’s details for a number of criminal activities once a victim reveals them. For example, the scammer might transfer money out of the victim’s bank account(s) to an untraceable destination or use their stolen card details to make purchases (including purchases of illegal products).
Do not trust lofty promises, deals that seem too good to be true, or individuals who call or message you – unsolicited – to ask you to divulge personal information over the phone.
Do an online search using the names or exact text from the suspicious email or SMS sent to you – you may discover that others have received similar scam messages. This can help you identify common scams.
Do not give in to pressure
Never make financial decisions, give away sensitive details about yourself or anyone you know or sign any documents under pressure.
Ignore, block and report
When contacted, hang up immediately if the caller cannot properly identify themselves.
Do not call any numbers or click on any links in SMSes that claim to be from OCBC. OCBC will never send you SMSes or emails with clickable URLs. Block and report the number used to contact you.
Do your checks
Always verify the authenticity of the information shared with you, or requests made to you, by contacting the organisation directly (e.g. at their website or email address, or via their app or hotline).
To ensure you are on the correct website, personally enter the URL of the organisation’s website that you intend to visit into your browser’s address bar. View a list of OCBC’s official contact and banking channels.
If in doubt, seek a second opinion from someone you trust.
Enable transaction alerts for your bank accounts and credit cards. Learn more about transaction alerts from OCBC, discover how to set up transaction alerts for card and deposit transactions via the OCBC Digital app, and select your preferred notification channels and threshold limits.
To ensure you receive OCBC alerts and notifications, let us know immediately if you change your mobile number or email address. Learn how to update your contact details.
Always read your bank notifications carefully and notify us immediately if any transactions shown are not made by you.
Keep your accounts secure
Do not key your personal information and banking details into unverified webpages.
Stay vigilant and never give out your Online Banking login credentials (i.e. Access Code and PIN), card details or One-Time Password (OTP) to anyone, including people claiming to be from OCBC. OCBC employees will never ask you to reveal your PIN/OTP or transfer funds to personal accounts.
Log in to OCBC Internet Banking by typing out www.ocbc.com directly into your browser, or via the OCBC Digital app, to make sure that your login is secure. If you suspect that your account has been compromised, call us at 1800 363 3333 (or +65 6363 3333 if you are overseas) and press 9 to report fraud. To temporarily freeze all your accounts, you can activate the emergency kill switch via the OCBC Digital app, selected OCBC ATMs or our hotline (press 8).
Protect your money
Do not send money to someone whom you have not met.
Be responsible for all banking transactions involving your account and do not allow others to perform transactions on your behalf. You may be unknowingly laundering money for criminals – this is a criminal offence that carries hefty fines and prison time.
Never authorise a transaction or login unless you know its purpose.
Set daily transaction limits for payments and transfers according to your preference via OCBC Internet Banking or the OCBC Digital app.
Enable two-factor authentication (2FA) for each of your online accounts for services such as email, social media and online shopping, to name a few. This provides your accounts and personal data with an additional layer of protection.
Be wary of any calls with the ‘+65’ prefix and of international calls with the ‘+’ prefix where the caller claims to be from a legitimate business, government, or organisation such as your bank, especially if you are not expecting an international call. When in doubt, verify the identity of the person(s) and the organisation(s) by calling their hotline numbers.
The +65 prefix was implemented by Singapore’s Ministry of Communications and Information with telcos in 2020. The purpose is to alert the public that these are calls coming from overseas and that the public should not pick up such calls if they are not expecting anyone calling from overseas.
Keep yourself up to date
Visit the National Crime Prevention Council’s ScamAlert.sg website to learn – and take a short quiz – about the latest scams and how to avoid being a victim.