SINGAPORE - A couple in their 20s lost about $120,000 in a fake text message scam targeting OCBC Bank customers. They were among at least 469 people who reportedly fell victim to phishing scams involving the bank in the last two weeks of December in 2021.
The victims lost around $8.5 million in total.
Can such victims get their money back, or are they responsible for the funds lost? Should banks be made to pay for phishing scam losses? Meanwhile, how can you avoid being scammed in a similar way?
'It was like fighting a war': OCBC group CEO on dealing with recent phishing scams
In early December, staff at OCBC Bank started getting calls from frantic customers saying they appeared to be victims of a phishing scam.
As employees from Singapore’s second-largest bank worked to get to the bottom of this, more and more cases started popping up.
By Dec 30, nearly 470 customers had lost at least $8.5 million. Some had savings in the six figures wiped out.
Banks to tighten security, remove clickable links in SMSes after OCBC phishing scams
Banks in Singapore will have to put in place more stringent measures to bolster the security of digital banking, such as removing clickable links in SMSes or e-mails sent to retail customers, within the next two weeks.
These additional measures were introduced in view of the recent spate of SMS phishing scams targeting bank customers, the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) said in a joint statement on Wednesday (Jan 19).
This comes after OCBC Bank said it would cover in full the losses suffered by its customers to SMS phishing scams last month and as other local banks, the Singapore Police Force and the Supreme Court issued warnings about phishing scams targeting their users.
All affected OCBC customers of recent SMS scams to get 'full goodwill payouts'
All OCBC Bank customers affected by a recent spate of SMS phishing scams will receive "full goodwill payouts" covering the amount they lost, the bank said in a statement on Wednesday (Jan 19).
More than 100 victims have already received the payouts and the bank will make arrangements for the payout with all remaining affected customers by next week, it added.
"We seek the understanding and patience of our customers as thorough validation of each case requires time to ensure accuracy. This process is necessary so that every case is fairly and properly treated," said OCBC group chief executive Helen Wong.
Why some OCBC customers in SMS scams did not get OTPs
Some OCBC Bank customers who lost money in the recent SMS scams were puzzled that they did not get one-time passwords (OTPs) in SMSes sent by the bank to verify the unauthorised transactions.
One possible explanation from OCBC is that the bank's digital authentication tool to verify transactions was activated on the scammers' phones with banking details phished from victims.
Cyber-security experts said it was possible that the SMS OTPs were intercepted by malware on victims' phones, or were diverted to overseas telcos that had been hacked.
Young couple lost $120k in fake text message scam targeting OCBC Bank customers
It took a man and his wife five years to save about $120,000, but in just 30 minutes, scammers using a fake text message stole the money they had kept in their OCBC Bank joint savings account.
"The SMS looked like it came from OCBC and entered the usual SMS chat history from OCBC used for authentic banking services," the husband said.
"The link took me to a site that looked exactly like the OCBC login page."
Mum of seven children scammed of $100,000, but ‘fault is not mine alone’
A victim said that after she keyed in her username, password and other relevant details, and checked into her account, she received a notification stating that her transfer limit had been increased to $100,000.
When she noticed that, she immediately called OCBC as she had not approved this. However, “OCBC's hotline is not equipped to immediately handle scams which are in progress”.
She had to navigate an automated system for a long time before reaching a person. In just a few minutes, almost $100,000 was gone.
OCBC continues with physical tokens, reversing plan to phase them out
OCBC Bank will now allow customers to continue using hardware tokens for security verifications after an earlier announcement said they would be axed.
The bank had planned to phase out the physical tokens on its online banking platform by March 31 and transition to a fully digital authentication process.
But it has reversed that position, as its head of global consumer financial services noted on Friday (Jan 7).
Improvements in digital banking security will restore customers' faith: Experts
Recent SMS phishing scams affecting local banks and consumers in Singapore may dent public confidence in digital banking transactions in the near term, but financial sector and cyber-security players believe that improved security processes will go some way in restoring consumers' faith.
Last week, the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) introduced stricter measures for banks to put in place within the next fortnight, in response to the recent spate of scams targeting bank customers.
In one such large-scale incident, nearly 470 OCBC Bank customers lost at least $8.5 million.
Commentary: Make banks pay for phishing scam losses
If you receive an SMS from your bank telling you there is a problem with your account and that to fix it, you need to go to its website through the link provided, what would you do?
Okay, you have a suspicious mind and you do not ordinarily fall for the usual online scams like helping a Nigerian get his money out of the country.
You look at the SMS again and find that it comes from the same thread as previous bank messages.
Iras warns of tax reimbursement phishing scam website
The Inland Revenue Authority of Singapore (Iras) on Monday (Jan 24) warned of a scam involving a fake website that invites users to submit personal data to get a tax reimbursement.
The fake website at iras.gov-sg.web.do uses the Iras logo and claims to be a "tax reimbursement form".
It offers a tax refund of about $1,000 and asks for a user's full name, e-mail address and credit or debit card details.
Iras warns of scam e-mail telling recipients to buy pass to receive funds from Bill Gates
The Inland Revenue Authority of Singapore (Iras) on Friday (Jan 21) warned of a scam e-mail where recipients are told to buy an "approval pass" to receive funds from billionaire Bill Gates.
The e-mail would purportedly be from Iras, signed off in the name of the Commissioner of Inland Revenue, Mr Ng Wai Choong.
The e-mail would inform the recipients that their bank accounts had been blocked from receiving an unverified international funds transfer of $20 million from Mr Gates, co-founder of software giant Microsoft. He has a foundation named after him and former wife Melinda Gates that does philanthropic work.
DBS Bank warns of SMS phishing scam
DBS Bank on Wednesday (Jan 19) warned its customers about a fake SMS being sent to users claiming to be from the bank.
The scam involves a message claiming that a user's account has been temporarily suspended and inviting users to visit a fake website designed to steal their log-in details and one-time passwords (OTPs).
DBS urged customers not to click on links sent through SMS messages.
Supreme Court warns against phishing e-mails containing false court letters
There has been a series of phishing e-mails purportedly sent from the courts asking people for personal information like NRIC numbers and names, warned the Supreme Court on Wednesday (Jan 19).
The e-mails informed recipients that they were being served a letter from the court, with the document shared via file hosting service Dropbox Business.
The phishing e-mail is sent from email@example.com by the "Supreme Judiciary Council" and contains a PDF attachment named "GOV.SG-LETTER011822.PDF".
Police warn of fake bank hotlines in Google search advertisements, victims lost $495,000
The police have warned of scam advertisements on Google search where fake bank hotlines appear when users search for banks' contact numbers.
Since last month, at least 15 victims have fallen for such scams, the police said in a statement on Wednesday (Jan 19).
The losses amounted to at least $495,000.
How to protect yourself
Is contactless payment safe? 5 tips to protect yourself in the wake of OCBC SMS scams
Digital transactions promise convenience but recent scams have exposed some risks.
Until liabilities are calibrated to legally oblige financial institutions to compensate consumers affected by scams, people need to protect themselves from the scourge that has seen tens of millions of dollars wiped out of bank accounts every year.
The most recent large-scale incident affected nearly 470 OCBC Bank customers who lost about $8.5 million in SMS spoofing scams last month.
4 common types of scams and how to recognise them
Scams are on the rise. Nearly 470 OCBC Bank customers lost at least $8.5 million to a spate of SMS phishing scams last month, and other banks such as DBS and UOB recently warned of similar scams impersonating bank employees.
Here are some of the most common types of scams going around.
Can bank stop funds transfer by scammer if you immediately report incident to it?
While technology has made faster transfers of money possible, it has also facilitated scammers in carrying out fraudulent transactions.
In the first six months of this year, $102 million was lost to various scams.
Bank-related phishing scams are of particular concern as the number of cases surged more than 20-fold to 898 in the first half of this year, from just 34 in the same period last year.
Is it time to phase out SMS OTPs to stem scam scourge?
The recent OCBC Bank SMS scams in which nearly 470 customers lost at least $8.5 million in December last year have raised questions about how the scam scourge can be dealt with to protect consumers.
Many victims of the latest scams were fooled because the fake SMSes were grouped in the same SMS thread with genuine ones sent previously by OCBC for one-time passwords (OTPs) and transaction alerts. The SMS sender name "OCBC" was spoofed by scammers, who lured victims to click on fraudulent links to access a fake banking website.
Some spooked consumers are considering not using Internet banking. This could hamper wider moves to go digital.
Anti-SMS spoofing: What is it? Why no mandate for it yet?
Victims of a massive bank scam rampant last month were fooled because fake SMS messages appeared in the same SMS thread as genuine ones sent previously by the bank for one-time passwords (OTPs) and transaction alerts.
It turns out the SMS sender name "OCBC" was spoofed by scammers, who lured victims to click on fraudulent links to access a fake banking website. Nearly 470 customers lost at least $8.5 million, making it one of the largest scams to date involving a single bank.
Anti-SMS spoofing registry is not a cure-all for setting banks' liability for funds lost to scams
A new registry that organisations, including banks, can sign up for could help reduce the spoofing of names used for sending SMSes, which happened in recent SMS phishing scams that caused many OCBC Bank customers to lose funds.
Some banks are already on the registry, with OCBC understood to have joined it recently.
But lawyers told The Straits Times (ST) that having the registry, which was launched by the Government in August last year as a pilot scheme, might not increase banks' liability for the money customers lose.