What does the OCBC SMS phishing episode tell us about scams in S’pore & how to avoid them?

MS Explains: What can we do to prevent ourselves from becoming victims, when scammers are so sophisticated these days?

Nigel Chua | January 22, 2022, 03:26 PM


If it seems like there’s more and more news about scams lately, it’s probably because there are actually more scams lately.

Crime trends released by the Singapore Police Force do indicate that this is the case.

One of the recent incidents involved S$8.5 million getting stolen from over 460 OCBC customers, including some who lost their whole life savings.

It might also seem that scammers are getting more advanced, as they were able to transfer huge sums out of the victims’ accounts after overcoming bank safeguards such as two-factor authentication (2FA) — unlike in past cases where victims were fooled into disclosing one-time passwords (OTPs), inadvertently giving away their money.

Could things have turned out differently?

How the OCBC scams worked: Spoofed SMSes with links to phishing websites

Part of why the recent OCBC scams stood out to many people was the fact that the phishing SMSes appeared in the same thread as legitimate SMSes from OCBC.

But there is nothing novel about this. It is a technique known as SMS spoofing, which has been employed by scammers for years.

Back in 2019, phishing links were sent in SMSes that managed to spoof the sender’s name as “SingPost”. The SMSes appeared together with legitimate notifications sent by SingPost.

SPF also publicised this as a “re-emerging trend” in Apr. 2021.

Image via SPF website.

And as one data scientist demonstrated to Mothership, it’s a method of scamming that’s apparently “extremely easy” to employ and does not require sophisticated technology.

Another aspect of the OCBC scam — confirmed by the bank's investigations — is the use of a phishing website, designed to closely resemble the bank’s actual website to fool eventual victims into divulging their login details and passwords.

Again, this is not a new practice.

For the OCBC scam, we don’t know what the phishing site looked like, or how closely it resembled the bank’s real website.

But a police advisory from Dec. 2020 containing multiple examples of phishing websites included one that closely resembled another local bank’s internet banking login page — close enough that it would have been easy to mistake it for the real one if a customer was not careful.

Screenshot of a phishing website. Image via SPF.

So, could there have been a different outcome in the OCBC case?

The recent scams targeted OCBC customers specifically. This was not a case of random people getting random calls from scammers impersonating the authorities, or calls about Covid-19 contact tracing.

Thus, the scammers likely had access to a list of OCBC customers and their contact details.

With access to this information, things could have been much worse.

A recent episode of scamming, which was publicised last September, involved hackers hijacking OTPs that had been requested by customers.

They gained access to overseas telecommunication operators' systems and rerouted the OTPs to the overseas networks, something which involved "highly sophisticated expertise", according to a joint statement on the matter by the authorities.

Thus, we should be on the lookout for future scams that resemble the recent OCBC phishing scam, but we must also be prepared for the many other scammers out there and the many different methods they could employ.

Still, even if scammers vary their tactics, the OCBC scam offers some important lessons about scams in Singapore, and suggests steps we can take to avoid them.

1. Not everyone will get payouts in future scams.

As lawyer and law lecturer Alexander Woon explained, victims of scams have rather limited legal options.

While the scammers are legally liable for taking the money, it can be difficult or even impossible to identify them, or even trace the movement of their ill-gotten gains, which tend to be quickly dissipated.

And, as Woon pointed out, even if the authorities get involved, this does not mean that victims will be compensated.

It is banks who decide on payouts

Thus, scam victims are often left at the mercy of their banks, which decide whether to give affected customers a payout, as there is no legal requirement for them to do so.

In some cases, where the bank (or its rogue staff) is responsible for the customers’ losses, the bank will likely compensate the affected customers.

But if they don’t, their customers have to successfully sue the banks — and prove wrongdoing or negligence — before getting court-ordered compensation.

That being said, OCBC has already promised to make “full goodwill payouts” to all the recent victims.

But this has not always been the case in past incidents.

In fact, it may not even have been OCBC’s intention at first.

Initially, on Jan. 17, OCBC said that payouts to customers would be made on a goodwill basis after thorough verification, taking into account the circumstances of each case.

It was only on Jan. 19 that OCBC said it would make “full goodwill payouts” to all the victims.

It’s worth noting that the earlier announcement did not specify whether all of the victims would receive payouts. It also did not say how much was being paid out.

It is now known that some customers were made to sign a non-disclosure agreement as a condition to receiving their payouts, and were not allowed to disclose whether the payouts covered their losses in full or in part.

OCBC’s decision to give all affected customers a full payout thus seems like a move to prevent further reputational damage, rather than a standard procedure.

Future payouts may not be so forthcoming

For future victims of scams, payouts may not be so forthcoming.

For one, there is no legal requirement for banks to compensate scam victims the amount they lost, whether in part or in full.

MAS’s Jan. 17 statement about possible “supervisory actions” it would take against OCBC noted that the bank had started to make payouts to affected customers, and said that the regulator “expects all affected customers to be treated fairly”, though it did not set out an expectation of full payouts for all customers.

OCBC’s own response to the scams — which has been critiqued as less-than-ideal — was probably part of the reason why it decided to pay out in the end.

The timeliness of OCBC’s response was one major issue.

The first set of 26 customers reported losses of about S$140,000 between Dec. 8 and Dec. 17. Although OCBC sent out a media advisory on Dec. 23, flagging a sharp rise in these scams, the warning did not stop 186 customers from losing up to S$2.7 million over the Christmas weekend from Dec. 24 to 26.

Some victims also said that they were not able to get through to the bank’s hotline when they tried to report the scams, and suspected that this may have led to bigger losses.

OCBC later acknowledged that its customer service and response fell short of its customers’ expectations, especially at a time of stress and anxiety.

In view of this, trying to regain customer confidence was likely deemed more valuable to the bank than the S$8.5m to be paid out. This may not always be the case in future scam cases.

While OCBC’s very costly offer was unprecedented, it is not likely to set a precedent.

2. There is a psychological element to many scams

A lot of scams rely on people wanting to get a good deal or secure an advantage. For example, an offer of too-good-to-be-true prices for consumer goods which turn out to be counterfeits, or the classic Nigerian Prince scams promising a share of a foreign monarch’s estate.

Other scams rely on fear to get people to act, with the common factor being a psychological element: convincing victims to do something which they otherwise would not.

Part of why the OCBC scam worked is that it capitalised on fear.

Ironically, it was fear of getting scammed that led the victims to take the very actions that made them victims.

Screenshots show that the phoney SMSes that victims received seemed to be messages alerting them that a “MR C JONES” had allegedly been added as a payee.

The victims’ fear that their accounts might be compromised in some way, together with their misplaced trust in the fact that the SMSes seemed to come from OCBC, was strong enough that they were moved to click on the provided link and enter their login details.

Similarly, Google Search scam advertisements, another scam tactic the police warned of recently, may well net victims who think that they are acting fast to avoid getting scammed.

With the benefit of hindsight, one past scam victim told Mothership that even though scammers will make a situation seem “very urgent”, just taking 10 minutes to verify the information you are receiving could make all the difference. She said:

"10 minutes, sitting down and taking a step back and thinking. 10 minutes doesn't change, even if [your security] actually [has been] compromised."

Understanding the psychological tricks that scammers employ can help us to be on the lookout for them.

After all, fear is an instinct that can protect us, but only if we know what we are facing before we react to it.

3. By the time you find out, or your bank warns you, it’s probably too late to change the outcome.

In the OCBC case, a large chunk of the total S$8.5m worth of losses was taken out of customer accounts over a three-day period.

Customers experienced difficulty in contacting the bank, but, as covered above, there is often very little that banks can do once the funds are transferred out. Funds can move near-instantaneously, thanks to PayNow and other initiatives that allow for more seamless inter-bank transactions.

And while the authorities have powers to stop scammers in their tracks by freezing bank accounts before the stolen funds can be withdrawn or transferred, this is something which “boils down to luck and speed”, according to an officer from the Anti-Scam Centre (ASC).

Therefore, there is a need to take pre-emptive measures against getting scammed.

Stay updated

One of the things that can be done is to stay updated on news about scams, scammers’ tactics, and the advice given by companies, banks, and the authorities.

Understanding the ways that scammers might get through to you means that you can take action to reduce your chances of becoming a victim.

To counteract the psychological element of a scam, which capitalises on the exciting prospect of potential gains or the alarming prospect of potential losses, one could prepare a list of questions to ask oneself if and when approached with such information.

For example, “Is this offer too good to be true?” or “What can I do to verify that this bad news is true, before I act on it?”

Check your blind spots

Just as drivers need to be watchful of their blind spots, we can also check for any areas where our security may be compromised or vulnerable.

For example, we may pre-save credit card information on e-commerce sites.

This may be unavoidable to some extent, for convenience and to snap up limited-time deals more quickly.

But it is possible to set transaction limits on credit cards used for this purpose, so as to minimise the impact should that credit card’s information be compromised.

Damage control

It may also be wise to avoid having all of your eggs in one basket.

Spreading out your funds across a few accounts, or even a few banks’ accounts, can put a cap on your losses, since it is unlikely that multiple banks will be compromised at the same time.

Having different passwords for each of your accounts works the same way.

Banks need to improve processes constantly, but users must also stay alert

The OCBC incident revealed certain shortcomings in the bank’s anti-scam measures, some of which have been addressed with new measures — such as the imposition of a minimum 12-hour delay before the activation of a new soft token on a mobile device, and a cooling-off period before key account changes can be made.
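The 12-hour soft-token delay and the cooling-off period mentioned above are both time locks: they give the real customer a window to notice an enrolment or change they did not make and cancel it before a thief can add a payee or move money. The Python sketch below is an added illustration of such a policy, not OCBC’s code and not based on any knowledge of its systems; the 24-hour cooling-off length, the AccountState fields and the set of high-risk actions are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# The 12-hour soft-token delay is the figure stated in the article; the 24-hour
# cooling-off window after key account changes is a constructed placeholder,
# since the article does not give its length.
SOFT_TOKEN_ACTIVATION_DELAY = timedelta(hours=12)
KEY_CHANGE_COOLING_OFF = timedelta(hours=24)

# Assumed set of actions that stay blocked while either window is running.
HIGH_RISK_ACTIONS = {"add_payee", "raise_transfer_limit", "transfer_out"}

@dataclass
class AccountState:
    """Hypothetical per-customer state (constructed for illustration)."""
    token_requested_at: Optional[datetime] = None  # pending soft-token enrolment
    token_active: bool = False
    last_key_change_at: Optional[datetime] = None  # e.g. a contact-detail change

def request_soft_token(state: AccountState, now: datetime) -> None:
    """Start the activation delay; the customer is alerted out-of-band (not modelled)."""
    state.token_requested_at = now
    state.token_active = False

def cancel_soft_token_request(state: AccountState) -> None:
    """The real customer (or the fraud desk) cancels an enrolment they did not make."""
    state.token_requested_at = None
    state.token_active = False

def try_activate_soft_token(state: AccountState, now: datetime) -> bool:
    """Activate only after the delay, so an unnoticed enrolment cannot be used at once."""
    if state.token_requested_at is None:
        return False
    if now - state.token_requested_at < SOFT_TOKEN_ACTIVATION_DELAY:
        return False
    state.token_active = True
    return True

def is_action_allowed(state: AccountState, action: str, now: datetime) -> bool:
    """Block high-risk actions while a token is pending or a key change is cooling off."""
    if action not in HIGH_RISK_ACTIONS:
        return True
    if state.token_requested_at is not None and not state.token_active:
        return False  # new token still inside its 12-hour window
    if state.last_key_change_at is not None and now - state.last_key_change_at < KEY_CHANGE_COOLING_OFF:
        return False  # cooling-off period after a key change not yet over
    return True
```

A key account change is recorded by setting last_key_change_at; in the scenario the article describes, a stolen login would let an attacker enrol a new token, but every high-risk action would then be refused until the window had passed, which is the time the customer has to cancel.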

Banks will need to constantly improve their anti-scam measures, as scammers will no doubt be on the lookout for their next victims.

While regulators and banks can easily impose more onerous restrictions in the name of security, there is no perfect system, and there will always be scammers in some shape or form.

As an extreme example, customers could be required to verify their identity in person, or at an ATM, for every single transfer. Those born in the 90s and before can probably recall that this was the case not so long ago, in the days before online banking.

Even then, something along the lines of the good old fashioned Nigerian Prince scam — where a victim is lulled into acting against their best interests — could still happen to someone who is sufficiently fooled.

The responsibility of preventing scams has to be one shared by both banks and their customers.

Top photo from Getty Images.