The payouts to this group of customers are made on goodwill basis after thorough verification, taking into account the circumstances of each case, the bank said in a press release on Jan. 17.
To date, more than 30 customers have received the payments.
Particularly aggressive scam
OCBC said the scam was particularly aggressive and highly coordinated as it preyed on people’s fear that there was an issue with their bank accounts or credit cards.
Past cases of SMS phishing scams largely targeted consumers with "too good to be true" deals, OCBC said.
The bank’s investigation has confirmed that victims who had fallen prey had provided their online banking log-in credentials to phishing websites.
The scammers then acted very quickly by fraudulently transferring the monies out of the customers’ bank accounts.
Dedicated team set up to support victims
A dedicated team had been set up to support the victims.
The bank has reached out to affected customers to address their concerns and to assure them of the support in place, the bank said.
OCBC acknowledged that its customer service and response fell short of our customers’ expectations, especially at a time of stress and anxiety.
As the investigations into these cases are complex and extensive involving multiple checks and parties, the bank said it needed more time to get back to affected customers to address their concerns and to properly review and validate each case thoroughly.
Affected customers will be contacted as soon as the review and validation of their case is complete, OCBC said.
According to the bank, the scam first started in December 2021 and became increasingly aggressive over the year-end holiday period.
From the time the bank first detected it in early December 2021, it had, since Dec. 3, issued multiple alerts and warnings to its customers using multiple channels.
It had issued security alerts and advisories on its website, Internet and mobile banking log-in pages, through customer e-mails, as well as through its own social media channels.
Two media advisories were issued, one on Dec. 23 and another on Dec. 30, 2021.
SMS messages were sent to all customers on Dec. 30, 2021 and Jan. 4, 2022.
The bank has also proactively reached out to customers who might not be aware that their banking activities were susceptible to the scam, OCBC said.
This has helped to prevent more customers from falling prey to the Scam.
OCBC's group chief executive officer, Helen Wong, said: “We strongly condemn this scam as it preyed on consumers’ fear and was a highly-coordinated one. We fully understand the concerns and anxiety of our affected customers. We have begun making goodwill payouts since Jan. 8, 2022. I sincerely ask our customers to allow us the time to conduct a thorough review and validation before we inform them of the payouts. We seek our customers’ patience and understanding as investigations are complex, and we apologise that our response fell short of our customers’ expectations during their time of distress.”
How the SMS spoofing works by the fraudster
How the fraudster takes complete control of a victim’s bank account
Members of the public would receive SMSes that appear to be from the bank claiming there are issues with their bank accounts or credit cards, but were, in fact, sent by the scammers.
Scammers impersonate the bank through “spoofing” – cloning a legitimate sender ID (e.g. “OCBC”) or other sender IDs non-related to OCBC – via SMS.
When a legitimate sender’s ID is cloned, this enables the scammer’s SMS to appear as if it is originated from a legitimate sender, thus enabling their message to appear in the same thread as legitimate SMSes from the bank.
These SMSes contain a link to a phishing website disguised as a legitimate bank website requesting for banking information and passwords.
The scam messages claim there are issues with the customer’s bank accounts or credit cards and directs customers to a link embedded in the SMS to resolve these issues.
Upon clicking the link, customers would be redirected to the phishing website and asked to key in sensitive bank account log-in information like their username, PIN and One-Time Password (OTP).
Using this information, scammers can then gain access to the customer’s account and transfer monies out of the accounts.
Scammers often reroute the monies through various accounts, making it difficult to track their movement and even harder to recover the cash.
How customers can prevent falling victim to the scam
OCBC also issued reminders on what customers can do to protect themselves against the scam:
1. The bank will never send an SMS to inform customers about account closures or being locked out of their accounts. Instead, it will send physical letters with such requests to customers to prevent online fraud.
2. The bank will never send an SMS with a link to reactivate customers’ accounts. Accounts become dormant after 12 months of inactivity. Reactivation is done in person at branches or via internet banking.
3. Do not click on links in SMSes that purport to direct customers to the bank’s website. Instead, use OCBC’s official mobile banking app or type www.ocbc.com directly in the browser URL.
4. Do not provide sensitive information like log-in IDs, passwords or OTPs to anyone, or key these into unverified webpages.
5. Do not transfer money to strangers. When in doubt, get advice from a family member or friend.
6. If in doubt, call the OCBC hotline directly at (65) 6363 3333. Do not call any numbers provided in the SMS.
7. Customers can download the ScamShield app – a mobile app by the authorities in Singapore that blocks unsolicited messages and calls (only available on iOS devices). Visit https://www.scamshield.org.sg/ to find out more.
Were you scammed in the recent OCBC SMS phishing scam? Did you receive a full payout from OCBC? If you want to talk to us, email us at [email protected]
Top photo via Wikipedia