How SMS phishing scams have affected OCBC customers and put text messaging security in focus

SINGAPORE - Dec 28 is not a day that housewife Siti Raudhah Mohd Ali, 33, remembers fondly. The mother of seven lost about $100,000 to scammers within minutes that day after she fell for a bogus SMS that had spoofed OCBC Bank as the sender.

Most of the money was meant for her children's expenses.

"It was like the whole world just crashed on me. I felt helpless inside," she said, recounting how she received multiple notifications of the fraudulent transfers on her phone.

She is one of nearly 470 OCBC customers who lost at least $8.5 million last month to SMS phishing scams. Over the Christmas weekend alone, 186 customers lost about $2.7 million, the bank said.

Madam Siti was so traumatised by the incident that, for a few days after that, she had difficulty going about her daily activities. She also suffered from gastric pain, likely due to the stress from the situation.

While OCBC eventually paid her back the amount she lost, much to her relief, she is still affected by the events of Dec 28 and is seeking help from a therapist.

Victims who contacted The Straits Times said they lost amounts ranging from about $3,000 to $500,000, which for some amounted to their entire life savings built up over the years for their families.

Some victims claimed that it took so long - 20 minutes or more in some cases - to get through to a person via OCBC's hotline that, by the time the bank was able to take action, the scammers had already siphoned much of their funds.

In desperation, one customer rushed down to a physical bank branch to try and stop the scammers but was too late, according to one account.

Amid more customers coming forward in the new year to share how the scams affected them, and more questions being raised about how safe digital banking is, OCBC and the authorities moved in quick succession last week to address the issue.

On Monday (Jan 17), the Infocomm Media Development Authority (IMDA) urged more businesses to sign up with an anti-SMS spoofing registry, which allows organisations to register SMS sender names they wish to protect from misuse.

The registry was launched as a pilot scheme in August last year with the Monetary Authority of Singapore (MAS).

Mrs Ong-Ang Ai Boon, director of the Association of Banks in Singapore (ABS), later said that for the registry to be effective, "all relevant stakeholders in the digital ecosystem need to be involved, particularly telecommunications companies to ensure scam messages cannot be sent through their networks".

MAS also said on Monday that it would consider the appropriate supervisory actions after OCBC conducted a thorough probe into the scams.

On Wednesday, OCBC said all affected customers would get full goodwill payments for the funds they lost.

Mrs Ong-Ang later assured that the banks here have been, and will continue to be, flexible in dealing with scam cases. They do make goodwill offers, taking into account the circumstances of each case, she said.

The banks and MAS are currently reviewing the responsibilities and liabilities of banks and consumers for fraudulent payment transactions.

MAS and ABS also announced on Wednesday that banks here have to, in the next two weeks, put in place more stringent measures to bolster the security of digital banking. This includes removing clickable links in SMSes sent to retail customers.

On Friday, the Smart Nation Digital Government Group said that all government agencies have to register with the anti-SMS spoofing registry to protect the names they use to send text messages to the public.

OCBC said moments later that it was introducing new anti-scam security measures such as sending instant fund transfer alerts to customers for any transaction.

The recent scams are not new. And despite years of education and warnings, people are still falling for them.

Similar SMS phishing scams originated some time between 2005 and 2006, said cyber-security experts.

The police had issued warnings about a resurgence in such scams in 2019, just before the Covid-19 pandemic struck.

In January that year, police said scammers had been posing as DBS Bank and POSB to send SMSes with phishing links to customers since September 2018.

Police advisories about SMS scams involving spoofed bank names ensued in April and July.

Bank name spoofing caused the fake SMSes to be grouped with real bank messages in the same chat thread, not unlike what many OCBC customers encountered in December last year. Victims said this caused them to think the fake messages were real.

Another reason SMS scams succeed is that people tend to open SMSes, said experts. Reports have shown that people open 98 per cent of the SMSes they get, compared with about 20 per cent for e-mails.

Phishing links in the texts are also often shortened to disguise the actual URLs, which makes it hard for victims to check if the links are valid, said Mr Jonathan Jackson, cyber-security firm BlackBerry's director of engineering for Asia-Pacific.

Furthermore, the links lead to fake sites that look genuine, allowing scammers to steal from unsuspecting bank customers who key in their login details.

Changes in lifestyles could have played a part too.

For one, many people are used to living their lives on mobile devices, Mr Jackson said. But these devices are not usually equipped with programs that can block malicious activities or alert users when suspicious sites are visited.

Criminals can use malware they tricked victims into installing on their phones to steal one-time passwords (OTPs) and SMSes as well, said Mr Jackson.

With the fast pace of life, people tend not to heed prior warnings, he added.

Mr James Lee, cyber-security firm F5's security solution architect for the Asia-Pacific, China and Japan, said that with Covid-19 "impacting the way we play and pay, many customers have had to turn to digital banking overnight - relying on SMS alerts for things like OTPs to authenticate transactions".

The crooks are learning from their past mistakes to launch successful attacks, with campaigns by organised groups instead of individual hackers, he added.

For instance, the latest SMSes aimed at OCBC customers had fewer typographical errors, and used more professional sounding and less alarmist language than past scams. These made the fake texts seem more legitimate.

Another problem is that spoofing SMSes is very easy. Mr Jackson said that businesses may tap companies called SMS aggregators to generate SMSes to be sent to customers. But these aggregators can be misused by criminals to spoof names and numbers of legitimate organisations to send scam texts.

While an anti-SMS spoofing registry will help cut the volume of fake SMSes, Mr Jackson warned that recent studies in Australia and Britain showed that such registries are not foolproof.

"SMS technology is almost three decades old, and it wasn't necessarily built with security, as we know it today, in mind," he said. "Organisations need to move away from mobile platforms that do not come with anti-phishing in SMS applications."

Mr Lee suggested using push notifications on mobile banking apps or commercial messaging software instead.

Educating the relevant authorities, financial institutions and consumers on the risks and how to spot an SMS phishing attack will also be key, said Mr Jackson.

However, ABS' Mrs Ong-Ang said that SMSes are preferred by a large proportion of customers for their convenience, "and that is why banks continue to use them despite SMS being one of the most costly modes of customer notifications".

But she said that banks are increasingly turning to banking app notifications, which do not have the same spoofing vulnerabilities as SMS.

For victims like Madam Siti, the scams have taught her to be more careful with bank notifications. She is now determined to carefully read SMSes or e-mails that claim to be from a bank, and consult someone before acting on them, just to be safe.

"Even if it's about my bank account getting suspended, it's okay - consult someone about it first," she said.

How the OCBC Bank SMS phishing scams unfolded

SMS phishing scams targeting OCBC Bank customers rose sharply in frequency and aggressiveness last month, especially over the festive period. Almost 470 customers lost $8.5 million to the crooks, but all of them will receive full goodwill payouts from the bank. Rei Kurohi looks at the key developments so far.

Dec 3, 2021

OCBC posts a security advisory on its website, as well as its online and mobile banking login pages, warning of SMS phishing scams offering fixed-deposit placements. The advisory includes a sample of the phishing SMS.

Dec 7

The bank posts a warning on Facebook stating that the number of reported scam cases in the first week of November was three times higher than usual. It advises customers to exercise caution, especially when making online purchases.

Dec 8-17

At least 26 OCBC customers fall prey to SMS phishing scams, losing a total of $140,000 over a 10-day period.

On Dec 10, OCBC posts another warning on Facebook about fake pages, sponsored ads and phishing sites impersonating the bank.

On Dec 16, the bank updates its security advisory to include more information on SMS phishing scams.

Dec 20-23

OCBC issues several more warnings on its Facebook page and through direct messages and push notifications to some 966,000 customers.

Dec 23

The bank issues a statement warning of a sharp rise in the number of SMS phishing scams targeting its customers, adding that such attacks had become “particularly aggressive” in recent weeks.

It says more than 20 times the average number of customers had contacted the bank regarding such scams over the previous week.

The bank also says it had taken down 45 phishing websites in December so far, which is about eight times more than the average number of monthly take-down requests.

Dec 30

In a media statement, OCBC gives an update stating that 469 customers had reported a total loss amounting to $8.5 million, as at Dec 29.

The bank also sends SMS messages to 1.1 million customers warning of the scam.

The police also issue a warning, urging the public to adopt crime prevention measures.

Jan 7, 2022

OCBC reverses its position on phasing out hardware tokens for security verifications.

It had previously announced plans to phase out the use of the tokens for online banking by March 31.

Jan 8

OCBC begins making payouts on a goodwill basis to reimburse customers who lost their savings to the scammers.

Jan 17

The Monetary Authority of Singapore (MAS) says it will consider supervisory actions against OCBC following a thorough investigation by the bank to identify and address deficiencies in its processes.

OCBC says more than 30 customers had received goodwill payments since Jan 8. Noting this, the MAS states that it expects all affected customers to be treated fairl

Jan 19

OCBC says all affected customers will get full goodwill payouts covering the amounts they lost.

Meanwhile, the MAS and the Association of Banks in Singapore (ABS) announce stringent new measures that banks will have to implement within two weeks to bolster the security of digital banking.

These include removing clickable links in SMS messages or e-mails sent to retail customers and implementing a delay of at least 12 hours before the activation of a new soft token on a mobile device.