OCBC phishing scam left victim broke and starving on Christmas Day

A phishing scam affected at least 469 OCBC bank customers and amounted to around S$8.5 million in losses altogether, making it one of the more widespread cases of bank-related fraud in 2021.
  • Six scam victims said the fact that the fake message appeared in the SMS thread used by OCBC was why they mistakenly thought that the link in the message was credible
  • At least 469 bank customers were affected by the phishing scam, totalling around S$8.5 million in losses 
  • Some did not give scammers their one-time passwords, but their accounts were hijacked anyway
  • The bank has said it is rendering assistance to affected customers

SINGAPORE — Being penniless and hungry on Christmas Day was not something that 33-year-old Trisha (not her real name), whose OCBC bank account was targeted by scammers through an SMS phishing scam on Christmas Eve last month, ever imagined could happen to her.

Like many others who received a text message disguised as an official message from the bank, the Singaporean clicked on a link in the fake message that exhorted her to activate the bank’s OneToken authentication tool.

It brought her to another fake website, but one that, to her, looked convincingly like the bank’s internet banking login page.

Within minutes of her keying in her account information and one-time password (OTP), the scammers hijacked her OCBC bank account and drained it of S$68,000 — her entire savings. The bank could not reverse the fraudulent transactions.

For someone who works in the finance industry, is well-read in bank protocols and regulations, and is IT savvy, Trisha could not believe that she had fallen prey to a phishing scam. She declined to give her real name for this article.

“I had to borrow money from friends and family on Christmas just so I didn’t go hungry,” she recalled. “It was humiliating.”

The scam affected at least 469 OCBC customers and amounted to around S$8.5 million in losses altogether, making it one of the more widespread cases of bank-related fraud last year. Phishing attacks through emails and text messages went up last year, with the police warning last November about the rise of such tactics.

Among the many affected are those who are less shrewd with technology and are more likely to fall prey to such scams. But the latest scam targeting OCBC customers managed to fool executives and finance professionals as well.

One finance executive who lost nearly S$20,000 said he fell for the scammers’ tactics because they were able to spoof their SMS messages such that they appeared in the official SMS thread that OCBC uses, which meant that the fraudulent message would appear alongside other legitimate messages.

Based on the accounts of six victims who spoke to TODAY, this was the main reason they mistakenly thought that the link in the message was credible. The bank notified customers that it will no longer send web links in its SMS communication.

There were also questions about how the criminals were able to channel out large sums of money from bank accounts in a suspicious manner — in most cases emptying the account of funds — without the bank’s risk detection systems kicking in.

Some victims were frustrated that when they tried to contact the bank’s hotline while funds were being channelled out without their authorisation, they had been put on hold long enough for the scammers to empty their bank accounts.

One bank customer who lost around S$18,000 told TODAY he had gone to a physical bank outlet in person to stop the transactions, but he kept receiving phone notifications of money being funnelled to the scammers for around 15 minutes after bank officers told him they would freeze his internet banking service.

GUARDING AGAINST SMS PHISHING

OCBC said the success of scammers hinges on being able to obtain personal banking details from bank customers. Here are some mobile banking tips to guard against SMS phishing:

  • Do not disclose personal banking details to unverified sites
  • Mobile access to bank accounts should always be done using the official banking or payment app
  • Key in the bank’s website address directly into the phone browser, instead of using a link
  • Check that the website address is legitimate before submitting any sensitive account information
  • Update your mobile phone with the latest security patches
  • Use strong passwords for different websites and avoid reusing passwords
  • Keep up-to-date with the latest tactics by scammers

In several cases, the victims could not understand how the scammers were able to quickly raise their transaction limits and conduct large local and overseas transactions to new payees without the need for an SMS-based OTP, which is a form of two-factor authentication.

One couple in their 40s, whose joint savings account was wiped of S$80,000, admitted that while they were at fault for compromising their bank account by divulging their account name and bank access code, they did not give the scammers any OTP or security token information.

The bank’s internal investigation officers had told them it was impossible for such large transactions to be made without the OTP.

“But my husband (who was phished by the scammers) did not surrender the OTP to the scam website because he was driving at the time… Yet, they were able to take over our account’s OneToken without an OTP, and then transact after that,” said the wife.

The couple, who have three young children, have not been on talking terms since the incident on Dec 29. The financial loss has significantly impacted their family’s savings and scuttled plans to travel overseas with the kids in 2022, she said.

TODAY understands that OTPs sent via SMS could have been rerouted or compromised through a known vulnerability. Last September, Singapore authorities warned of bank OTPs being diverted to malicious actors overseas to conduct fraudulent transactions, affecting 75 bank customers.

OCBC head of group corporate security Francisco Celio said the bank’s systems have not been hacked and remain safe and secure.

“Unlike other SMS phishing scams, the recent SMS phishing scam impersonated OCBC and preyed on the fears of consumers about their personal bank accounts. It is particularly aggressive and highly sophisticated in duping consumers into disclosing their personal banking details despite repeated bank warnings to be alert and not to do so,” said Mr Celio.

He added that the bank is rendering assistance to these customers and has set up a dedicated team to help them through the difficult period.

“We understand and share the anxiety of our customers who have fallen prey to these scammers,” he said.

Nevertheless, the scam victims who spoke to TODAY are worried that the money is as good as gone. Trisha said the bank officer handling her case had told her that she could likely bear the full liability of the S$68,000 loss, since it was she who gave up her login details and OTP to the scammers.

The issue of who bears the loss in such frauds, especially when the bank customer did not give up account details to the scammers, is still being reviewed by the authorities, according to an MAS circular sent to financial institutions last August.

In general, bank users who have suffered financial losses from fraudulent transactions are protected as long as they have acted responsibly, according to a parliamentary reply by Finance Minister Lawrence Wong last July.

“The recent SMS phishing attack is not the first and will certainly not be the last. We will continue to put in additional measures as new tricks are continuously deployed by scammers,” said Mr Celio.

“We strongly condemn the actions of these scammers. We have been working closely with the Singapore Police Force on this incident,” he added.
