Comment: OCBC’s internal probe into phishing scam is not enough. Why stop there?

Singapore's public image as a leading financial centre has been damaged. Government action will restore confidence.

Sulaiman Daud | January 21, 2022, 11:29 AM


I cannot imagine a worse fate in modern Singapore than to lose all of one's life savings.

Short of death or disease, it must be the most emotionally and psychologically traumatising event that one can experience in this country.

This is a society where hard work and frugality are prized as core virtues. The accepted wisdom is that if someone works hard, saves up, and keeps their nose clean, they will be rewarded with a decent retirement in their golden years.

Countless authority figures, from government ministers on down, have repeatedly emphasised this ethos.

In fact, the Central Provident Fund, the compulsory savings scheme, arguably hinges on this premise -- Singaporeans need to save their money for their own good.

S$8.5 million stolen

But as we've seen in the recent bank scams that have drained the bank accounts of unsuspecting locals, that can all go out of the window in a second.

Some 469 OCBC customers (as of Dec. 29, 2021) have reported losing about S$8.5 million in phishing scams.

This means that each customer on average lost nearly $20,000 ($18,123) of their savings.

Many have lost their entire life savings.

For these victims, they did everything that society asked them to do, and lost everything to crooks.

Restitution will be made

As of Jan. 17, about 30 customers received goodwill payments from OCBC.

At the time, the bank said the payouts to this group of customers would be made on a goodwill basis after thorough verification, taking into account the circumstances of each case.

A dedicated team was set up to support the victims, and the bank has reached out to affected customers.

On Jan. 19, the bank announced that all affected customers will receive "full goodwill payouts".

About 100 victims have received payouts so far. Group CEO Helen Wong added:

"We seek the understanding and patience of our customers as thorough validation of each case requires time to ensure accuracy. This process is necessary so that every case is fairly and properly treated. Arrangements will be made with all affected customers by next week for the full goodwill payout.

We have also proactively reached out to customers who might not be aware that their banking activities were susceptible to the phishing Scam. This has helped to prevent another 200 and more customers from falling prey to the Scam. We apologise for taking more time than expected to resolve the issues with our customers during this time of distress and anxiety."

Their fault - really?

The sad truth is that in today's increasingly digital world, our parents and older folks in general may be more vulnerable to the predations of scammers.

Some people have sneered at the plight of these victims. "Just don't click on the links, lah."

But they may not realise that the phishing links were sent in the official SMS thread of previous, genuine OCBC messages.

It's one thing to receive a dodgy-looking message from an unknown number or email address. But when the dangerous message appears to come from a "trusted source", then it's much easier to fall into the trap.

The fake messages are also calculated to induce fear and panic among potential victims. By telling them that their account is being threatened, they would be more likely to trust a message from the "official source", which is the real threat.

A local data scientist named ZP Lee, who goes by the moniker Captain Sinkie, recently demonstrated how easy it is to fake a message to make it look like it comes from a trusted source.

In horror movie terms, it's like running from the masked killer, turning to your boyfriend for help, and then getting stabbed by him as part of the plan all along.

Government's role?

Much has been made of what OCBC should do, now that the damage has been done.

Former Nominated Member of Parliament Calvin Cheng has called for OCBC to compensate all the victims "100 per cent", and immediately.

Straits Times (ST) editor Han Fook Kwang, in his Jan. 16 column, called on the bank to make restitution for the losses, as they may be complacent otherwise:

"Under existing laws, they are not obliged to, as they will argue that the customers were negligent in falling for the scam.

In fact, they are always quick to say that their security systems were not compromised. No one hacked into and broke through their defences.

In other words, they were not at fault as all the trickery took place outside of the bank and inside their customers' own mobile phones.

But this is not satisfactory, and it is unfair for unsuspecting people to have to bear all the burden of having to look out for devious crooks who know everything about what makes a person vulnerable to these tricks."

While these are good first steps, I feel the government needs to step in and take a more active role quickly.

Authorities have started to intervene

According to a statement on Jan. 19, the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) are introducing a set of additional measures to bolster the security of digital banking within the next two weeks.

These measures include:

  1. Removal of clickable links in emails or SMSes sent to retail customers.
  2. Threshold for funds transfer transaction notifications to customers to be set by default at $100 or lower.
  3. Delay of at least 12 hours before activation of a new soft token on a mobile device.
  4. Notification to existing mobile number or email registered with the bank whenever there is a request to change a customer’s mobile number or email address.
  5. Additional safeguards, such as a cooling-off period before implementation of requests for key account changes such as in a customer’s key contact details.
  6. Dedicated and well-resourced customer assistance teams to deal with feedback on potential fraud cases on a priority basis.
  7. More frequent scam education alerts.

Quite a number of these measures are digital safeguards.

Other technical questions that need answering

Although this is a welcome first step, there are some puzzling details that a more thorough investigation can look into.

Some of the victims Mothership spoke to revealed details that hinted at some technical loopholes.

For example, one couple who fell for the phishing scam divulged their account login and password.

However, the scammers were able to perform high-risk activities such as changing the transfer limit, even though the couple did not reveal their One-Time Password (OTP), a feature of the Two-Factor Authentication (2FA) system.

2FA is being used more widely because passwords alone are no longer considered sufficient for security, and it seemed like exactly the safeguard that could foil a phishing scam that compromises a password.

However, in this case, the 2FA seemed to have failed at the one thing it was supposed to do.

According to a cybersecurity expert interviewed by Mothership, the crooks may be able to access a copy of the OTP that the bank sends out to customers.

While this does not necessarily mean that either the bank or the telco's security system is compromised, it does suggest that even the added security of 2FA may not be able to save a victim from harm.
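As an added illustration (not code from the article, OCBC, or MAS), the following Python model replays the couple's case described above against two constructed policies: a baseline with no controls, and one applying the MAS/ABS measures listed earlier (the 12-hour soft token delay, the $100 notification threshold, and a cooling-off period on transfer-limit changes, whose length is assumed). All event timings, amounts and the starting transfer limit are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed control set. The 12-hour soft-token delay and the $100 notification
# threshold come from the MAS/ABS list; the cooling-off length is an assumption.
@dataclass(frozen=True)
class Policy:
    token_delay: timedelta           # measure 3: wait before a newly activated soft token works
    notify_threshold: float          # measure 2: notify the customer at/above this amount
    limit_change_cooling_off: timedelta  # measure 5: hold key account changes before they apply

BASELINE = Policy(timedelta(0), float("inf"), timedelta(0))        # constructed: controls off
MAS_ABS = Policy(timedelta(hours=12), 100.0, timedelta(hours=12))  # cooling-off length assumed

T0 = datetime(2021, 12, 20, 9, 0)   # constructed timeline, not from the article
# Constructed replay of the couple's case: credentials are phished, the attacker enrols a
# soft token on their own phone, raises the transfer limit, then drains the account.
PHISHING_SCENARIO = [
    (T0, "token_activate", None),
    (T0 + timedelta(minutes=5), "limit_change", 50000.0),
    (T0 + timedelta(minutes=10), "transfer", 18123.0),
]
SMALL_TRANSFER = [(T0, "transfer", 150.0)]

def run(events, policy, transfer_limit=1000.0):
    """Apply a policy to time-ordered (time, kind, value) events; return one decision per event."""
    token_usable_at = None   # when the newly enrolled soft token can approve actions
    pending_limit = None     # (effective_time, new_limit) waiting out the cooling-off period
    decisions = []
    for t, kind, value in events:
        if pending_limit and t >= pending_limit[0]:   # cooling-off elapsed: apply the change
            transfer_limit, pending_limit = pending_limit[1], None
        if kind == "token_activate":
            token_usable_at = t + policy.token_delay
            decisions.append("token registered, usable from %s" % token_usable_at.isoformat())
        elif kind == "limit_change":   # high-risk action: needs a working soft token (2FA)
            if token_usable_at is None or t < token_usable_at:
                decisions.append("DENIED limit change: soft token not yet active")
            else:
                pending_limit = (t + policy.limit_change_cooling_off, value)
                decisions.append("limit change to %.0f effective %s" % (value, pending_limit[0].isoformat()))
        elif kind == "transfer":
            if value > transfer_limit:
                decisions.append("DENIED transfer %.0f: exceeds limit %.0f" % (value, transfer_limit))
            else:
                note = " (customer notified)" if value >= policy.notify_threshold else ""
                decisions.append("transfer %.0f allowed%s" % (value, note))
    return decisions
```

Under the baseline the limit change and the S$18,123 transfer both go through; under the MAS/ABS policy the limit change is refused because the freshly enrolled token is not yet active, so the transfer is stopped by the original limit.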

What if there's an insider?

Another possibility, small but one that cannot be dismissed, is that someone in the bank may be working with the scammers.

As described in this Carnegie Mellon University report:

"Insiders pose a substantial threat to financial services companies by virtue of their knowledge of and access to proprietary systems and their ability to bypass security measures through legitimate means.

Insider fraud is perpetrated by a malicious insider, which is a current or former employee, contractor, or other business partner who has or had authorised access to an organisation’s network, system, or data and intentionally exceeded or misused that access..."

In Dec. 2021, nine men were charged in court with conspiring to cheat Citibank into disbursing more than S$206,000 in fraudulent personal loans.

Of the nine men, three were contract workers seconded to the bank. The case demonstrates the risk posed by a potential malicious insider with access to technical information and documents.

In horror movie terms, it's as if the call is coming from inside the house.

How the government can protect consumers further

In a statement on Jan. 17, MAS noted that OCBC is currently conducting a probe to identify the deficiencies in its processes and implement the necessary remedial measures. MAS will also consider "appropriate supervisory actions" following this review.

The Jan. 19 statement from MAS and ABS said that banks will continue to work closely with MAS, the Singapore Police Force, and the Infocomm Media Development Authority (IMDA) to tackle the threat.

However, I believe the scale of the attack and the impact on the victims requires a firmer hand from the government, instead of letting OCBC conduct their own internal investigation.

Precedent for government to step in has been established

Some may argue that the government does not have a role to play, as the attack was likely conducted by crooks overseas, out of their jurisdiction. Others may also say that the government should not look into the internal processes of a private company.

However, there is precedent for inquiries by the government in both of these situations.

In 2018, a Committee of Inquiry was convened to investigate the cyberattack on SingHealth, where the records of 1.5 million medical patients were stolen.

The authorities found that the attack was the work of an advanced persistent threat group typically linked to foreign governments, although they stopped short of naming names.

In Feb. 2021, the government set up a COI to investigate an explosion in an industrial complex in Tuas at Stars Engrg Pte Limited, that left three workers dead and others badly injured.

While I am not saying that the damage in one case is equivalent to the other, it does show that the government will not hesitate to conduct a public inquiry if it believes there is a need, even if it involves a private company.

Government's active role in Lehman Brothers Minibond saga

Importantly, the government has also demonstrated a willingness to get involved in a case with victims of financial losses, even if it wasn't strictly due to a crime.

Hence, an inquiry by the regulators can investigate the attack, identify potential lapses and recommend or even impose follow-up actions.

During the Global Financial Crisis of 2008-2009, Lehman Brothers bank collapsed, leaving about 10,000 retail investors in Singapore in the lurch. The total amount sunk into structured investment products linked to the American bank was over S$500 million.

Although MAS reminded the public that investors were ultimately responsible for their financial choices and should be careful, it nevertheless took on an active role in helping those affected and launching investigations.

MAS also drew up a timeline that the distributors had to follow in the handling of the customers' complaints, requiring them to complete their review of each complaint within four weeks of receiving it.

As a result, the regulatory framework for marketing investment products was reviewed to better safeguard investors, and penalties were imposed on the financial institutions that distributed the products.

What else can the government do?

The Lehman Brothers minibond debacle may provide a roadmap for the authorities to handle this latest fiasco.

One major concern is victims can do little once a scam is successful.

Currently, a customer's avenues for recourse are through the Financial Industry Disputes Resolution Centre (FIDReC) or the courts.

However, while FIDReC can mediate all eligible disputes between consumers and financial institutions, there is a limit of S$100,000 per claim for adjudication of disputes.

The victims may not be successful in seeking any kind of compensation through the courts.

Suing the bank itself requires evidence that proves the bank is liable in the first place, and legal proceedings may be difficult and expensive for the man on the street.

OCBC is giving out payments out of goodwill and perhaps with one eye on their reputation, but they are under no legal obligation to do so.

Lawyers also said that the OCBC goodwill payout is unlikely to set a precedent.

An inquiry may result in legislation to codify a legal avenue for victims to seek compensation, as we are currently in a grey area and practices may differ from bank to bank.

Another related issue is whether the authorities would want to consider adapting the legislation to redefine how such cases should be handled in future.

For instance, another measure that would be helpful is the ability to freeze one's account quickly, within minutes, if such transactions occur.

Restoring confidence in Singapore's public image, both at home and abroad

Singaporeans are not inherently more gullible or naive than any other group of people. Scams are worldwide, and crooks are getting more and more sophisticated.

Scammers have struck on a national scale, stealing US$81 million (S$109 million) from the Bangladesh Central Bank in 2016. Only sharp-eyed employees in both Dhaka and New York prevented the heist from being much bigger.

But it could happen here.

And as Han pointed out in his ST column, the authorities have constantly pushed for greater digitalisation as a way of maintaining Singapore's competitive advantage.

It seems only fair that the government demonstrates equal zeal for ensuring that the public does not fall prey to the increased risks that come with increased digitalisation, beyond a few tepid public reminders not to click on suspicious links.

Apart from investigating what went wrong, the government can work with OCBC to figure out better preventive strategies to reduce the likelihood of future scams.

While I am sure the bank has the best of intentions, it would be more reassuring to the public to know that whatever safeguards are proposed were created with the government's help and advice, given its greater resources and experience.

In the meantime, the government can also work with community organisations such as the National Crime Prevention Council to ramp up education and public awareness of scams for those who are less tech-savvy.

If Singapore truly wishes to establish itself as a global financial hub, with both the trust of locals and international partners in our financial system, the authorities' response to the OCBC scam attack needs to be decisive and thorough. More can be done.
