469 OCBC customers lost S$8.5 million in phishing scams, a bulk of it over 3 days

S$2.7 million was lost from Dec 24-26 alone.

Matthias Ang | December 31, 2021, 02:44 PM

Follow us on Telegram for the latest updates: https://t.me/mothershipsg

As of Dec. 29, 469 customers have reported a total loss of about S$8.5 million to phishing scams involving OCBC bank, a press release by the bank stated.

In particular, the Christmas weekend from Dec. 24 to 26 saw 186 customers lose up to S$2.7 million from these three days alone.

An additional 26 customers also reported a loss of about S$140,000 between Dec. 8 and Dec. 17.

OCBC added that it sent out its first media advisory on Dec. 23 to warn of a surge in these scams.

It also sent out a second advisory on Dec. 30, to warn of a potential surge in attacks over the New Year weekend.

The bank said:

"Once the funds have left the customer’s account, the possibility of recovery is very low. As such, customers remain the first line of defence against such scams."

How do the scams work?

According to OCBC, members of the public will receive SMSes from the bank claiming that there are issues with their bank accounts or credit cards.

This is known as "spoofing" in which the scammers typically impersonate the bank by cloning a legitimate sender’s name and short code — in this case, OCBC — via SMS.

This enables the scammer’s SMS to appear as if it originated from a legitimate sender, thus enabling their message to appear in the same thread as legitimate SMSes from the bank.

Screenshot by Fiona Tan. Only the message with the blurred OTP on Dec. 24 and the warning on Dec. 25 is confirmed to be from OCBC.

These SMSes contain a link to a fraudulent website disguised as a legitimate bank website requesting for banking information and passwords.

The scam messages also usually claim that there are issues with the customer’s bank accounts or credit cards and directs customers to a link embedded in the SMS to resolve these issues.

Upon clicking the link, customers will be redirected to an illegitimate website and asked to key in sensitive bank account log-in information like their username, PIN and OTP.

Using this information, scammers can then transfer monies out of the affected customers’ accounts.

The transferred money is often rerouted through various accounts, making it difficult to track their movement and even harder to recover the cash.

How should customers avoid falling to the scams?

According to the bank's advice to customers:

    • The bank will never send an SMS to inform customers about account closures or being locked out of their accounts. Instead, it will send physical letters with such requests to customers – these ensure avoidance of doubt and prevent online fraud.
    • The bank will never send an SMS with a link to reactivate customers’ accounts. Accounts become dormant after 12 months of inactivity. Reactivation is done in person at branches or via internet banking.
    • Customers should not click on links in SMSes. Instead, they should use OCBC’s official mobile banking app or type in the website directly in the browser URL.
    • They should not provide sensitive information like log-in IDs, passwords or OTPs to anyone, or key these into unverified webpages.
    • If they are in doubt, they should call the OCBC hotline directly at (65) 6363 3333, not any of the numbers provided in the SMS.

Follow and listen to our podcast here

Top collage left image via OCBC Facebook, right screenshot by Fiona Tan