I’m a S'porean man, 43. I lost S$500,000 of my life savings over 2 hours in the OCBC phishing scam.

A victim of the OCBC phishing scam has written to Mothership.sg to reveal what happened behind the scenes.

Belmont Lay | Low Jia Ying | January 18, 2022, 09:53 PM


Editor's note: Mothership has seen a copy of the police report filed by the victim.

I am an OCBC scam victim who lost S$500,000 of my life savings on Dec. 20, 2021.

Thank you Mothership for your coverage on the OCBC scam thus far.

It has raised public awareness of the scam, as well as pushed OCBC to improve their weak security system and processes.

I would also like to share my story anonymously.

I lost S$500,000 in 2 hours

I am a 43-year-old public servant.

Similar to the other victims, I got an SMS that looked like it came from an official OCBC SMS thread asking me to access the website or my account will be locked.

On the date of the scam, I was overseas and using my OCBC credit card for payments.

Hence, I thought that it was a believable ask as some of my credit card transactions did not go through (I assumed that OCBC was blocking them at that time because I was overseas).

The website that the phishing SMS led to looked exactly similar to the OCBC website.

I shared my login details and my OTP once.

I did not have a OneToken login as it is incompatible with my mobile device. I use a physical token.

The next morning when I woke up, I saw a chain of SMSes showing that my payment transfer limit had increased to S$300,000, new payees were added, and multiple transactions of up to S$50,000 had been transferred to new payee accounts, including PayNow.

There were 11 transactions ranging from amounts of S$17,000 to S$50,000.

These were transfers to new payees, including PayNow to phone number, PayNow to NRIC and bank transfers.

The total amount came up to S$500,000 in total.

It appeared that the scammers were able to set up the OneToken two-factor authentication feature easily on their own device without any verification.

I could not believe that OTPs were not subsequently needed for other transactions, and these transactions amounting to S$500,000 over 2 hours did not raise any alarms within the bank.

Unfortunately, due to the time zone difference, this had taken place while I was asleep and I was only notified of it in the morning when I woke up.

Needless to say, my world has spun upside down since that morning.

Worked for 20 years, scrimped and saved

I have spent 20 years of my working life to save up for the S$500,000.

Since young, I have worked hard, lived a simple lifestyle and practised saving hard for my retirement.

This was my retirement fund, and now without it, I will most probably have to work till I die - literally.

To think that my life savings of S$500,000 were withdrawn by the scammers over two hours is utterly traumatic.

Since the scam, my wife and I have been severely affected mentally and emotionally, and have both lapsed into depression.

When we talk about the scam, we will end up quarreling.

Thinking about the scam brings tears to my eyes, and media coverage of the scam and mentions of OCBC induce trauma.

I do not know whether I will be able to be happy again.

Communication with OCBC non-existent

Correspondence with OCBC has been extremely disappointing and almost non-existent.

When I first reported this S$500,000 loss to OCBC to suspend my account on the day of the incident on Dec. 20, the customer service officer who fielded the call was not empathetic despite the traumatic situation, which came across as tone-deaf.

When I updated my relationship manager on the same day, he sounded like he was not aware of the scams.

Hence, I would like to ask OCBC to show evidence on how they have been proactive on the security alert since early December, and if internal staff were also not aware?

Any large organisation with a marketing department would know that burying an update in the depths of their website does not count, as compared to more proactive paid and earned communications efforts, which it seems like OCBC only started to undertake from Dec. 30 onwards -- even though the scams started growing from Dec. 8.

Since the incident, there has been no proactive response from the bank except when I asked for an update.

When I did so, the standard response is that the case is still under investigation. There was no timeline communicated.

OCBC introduced my relationship manager's manager on Jan. 3, after the scam had by that time gained widespread coverage in mainstream media.

The RM's manager was to provide an additional contact point.

However, there is also no update from him unless I reach out first.

I messaged him after reading about the “goodwill payment” news in the media on Jan. 17, which was the first time I heard about it.

His response was that my case is still undergoing investigation.

I would appreciate Mothership’s help to ask OCBC, based on what criteria do they select the 30 victims, and whether this “goodwill payment” will extend to all victims?

We have heard that some victims do not qualify.

I hope that all victims will be treated fairly as guided by MAS.

No alerts, no warnings from bank

OCBC shared in a statement that they had since Dec. 3 issued multiple alerts and warnings to its customers using multiple channels, including security alerts and advisories on its website, Internet and mobile banking log-in pages, customer e-mails, as well as social media channels.

I disagree with this as on the date of my incident on Dec. 20, there was no such alert on the mobile app and nothing on this scam on their social media feeds.

When I had informed my relationship manager of the scam incident on Dec. 20, he responded over WhatsApp, “wa this one really never see before”.

If internal communications to staff were non-existent, I would like to question the bank: Show proof of their so-called security alerts and advisories since early December?

On Dec. 23, OCBC got a narrative published in an article in The Straits Times: “OCBC cautions public about SMS scams after customers lose $140,000 in 10 days”.

But these scams had taken place from Dec. 8 to 17 with a clear time lag for such a grave matter.

Public awareness of this scam only swelled on Dec. 30 when a police statement mentioned that S$8.5 million had been lost to scammers and victims started sharing their stories with the media.

Clearly, OCBC did not act fast enough and were not proactive enough to embark on more widespread paid and earned media communications that could have prevented scams that happened after early December -- until their reputation was affected.

SMS messages that were sent on Dec. 30 and Jan. 4 were clearly too little, too late.

The OneToken failure

It is notable that OCBC has stopped the compulsory rollout of their clearly flawed digital token OneToken since the scam.

In 2021, I had to replace my physical token because it expired.

As my mobile device was not compatible with the OneToken, OCBC had issued me a new physical token even though it was to be phased out as they knew I couldn’t activate the OneToken.

However, scammers were able to set up the OneToken on their device without additional verification from me, which allowed them to bypass my physical token security.

OCBC should have better processes (e.g. a physical one-to-one meeting, phone call) with the client to activate such significant changes to account access.

What goodwill payment?

While OCBC shared that they have begun to make goodwill payments to the victims (apparently 30 victims), it has not applied to my case, which I assume is one of the largest amounts of losses.

For my case, the bank has shared that as it is “complex”, it will need “more time to investigate”.

Just want to be compensated

It has almost been a month since I have lost the S$500,000, and I have not heard a single update from the bank on my case even though they claimed they have “a dedicated team set up to support the victims”.

While I am encouraged by the cases of the fellow 30 victims, I wonder how much these payments will be for large amounts of losses like my case.

I hope that it is a genuine effort to treat victims fairly as per the latest statement by MAS on Jan. 17.

I sincerely seek MAS’ close attention on how all the individual cases are being investigated and compensated.

I hope that you can share my story so that there is more sustained public awareness of this scam and to encourage OCBC to expedite this remedial process for the victims so as to put an end to our trauma and distress.
