OCBC to fully reimburse all victims for money lost to SMS phishing scam; arrangements to be made by next week

SINGAPORE — OCBC will be making arrangements with all customers who were victims of a recent SMS phishing scam to fully reimburse them by next week for the money they lost.

The bank said on Wednesday (Jan 19) that these "full goodwill payouts" have been made to more than 100 victims since the bank started disbursing them on Jan 8 this year.

Ms Helen Wong, group chief executive officer of OCBC, said that she seeks the understanding and patience of customers because the bank needs to thoroughly validate each case to ensure accuracy, which takes time. 

"This process is necessary so that every case is fairly and properly treated."

Ms Wong also said that the bank has proactively reached out to customers who might not be aware that their banking activities were susceptible to the phishing scam.

This has helped to prevent another 200 and more customers from falling prey to the scam, she added. 

"We apologise for taking more time than expected to resolve the issues with our customers during this time of distress and anxiety.”

At least 469 customers were affected by the SMS phishing scam, with losses totalling at least S$8.5 million.

The fraudsters had sent out fake bank alerts that spoofed the bank's official SMS channel with the victims, duping many of them into giving up their personal account information last month.

Several victims previously described to TODAY about their heartbreak and anxiety over suffering such towering financial losses during the holiday season last year. 

Some also said that their OCBC accounts were hijacked and emptied by the scammers even though they did not provide the scammers with their one-time password or security token information.

On Monday, the bank revealed that they had started the process of reimbursing customers and more than 30 customers have received the payouts. 

Mr Candid Wuest, vice-president of cyber protection research at technology firm Acronis, told TODAY that OCBC's move to reimburse its customers who lost their life savings is not an industry precedent.

The National Australia Bank, for example, paid A$687,000 (about S$670,000) to its customers exposed in a data breach in 2019. 

He also said that companies are generally not obligated to compensate their clients in the event of a cyber attack, unless grossly negligent actions were taken that may have led to the cyber incident. 

"Nevertheless, the move by OCBC to reimburse victims will put extra pressure on those resolving future cases and how they'll be expected to help their client," Mr Wuest said. 

Mr Shahnawaz Backer, senior solutions architect of Asia Pacific, China and Japan at American IT consultancy firm F5, said that goodwill payments are not a sustainable solution in the long run if the frequency of such incidents increase. 

"Fraudsters are always on the lookout to monetise on security loopholes and will continue to do so, regardless of the bank's actions in the aftermath of these attacks," he said. 

"Greater emphasis needs to be placed on having the appropriate governance to avoid similar scams in the future, such as enabling push notifications on mobile banking apps.”