OCBC customers affected by the recent SMS phishing scam


SINGAPORE: All OCBC customers affected by the recent SMS phishing scam will receive “full goodwill payouts” covering the amount they lost, the bank said on Wednesday (Jan 19).

More than 100 victims have received the money, it said in a statement, adding that arrangements for the payouts will be made with all affected customers by next week.

Our comments

Dr. Pavel Melnichenko

Chief Technology Officer

It was a very big attack on the bank’s clients via the SMS channel. The problem here is in the SMS channel itself — it is vulnerable to many security risks. Definitely, the recommendation to clients to avoid any SMS link is good but, obviously, not enough.

There are a lot of other ways to interact with your clients without SMS while strong authentication will protect from unauthorized account access or transactions.

Any attempt to make any operation using a user’s credentials will generate a confirmation request on the user’s device, so such attempts will become obvious. Meanwhile, the no-OTP principles of the authentication process allow visibility and strong integrity control checks to be performed — thus, “what you see is what you sign”.

Moreover, if any malware is deployed on the user’s smartphone, this fact will be detected and provided to the anti-fraud system installed in the bank.

“We seek the understanding and patience of our customers as thorough validation of each case requires time to ensure accuracy. This process is necessary so that every case is fairly and properly treated,” said OCBC’s group CEO Helen Wong.

“We apologise for taking more time than expected to resolve the issues with our customers during this time of distress and anxiety.”

Ms Wong said the bank has also proactively reached out to customers who might not be aware that their banking activities were susceptible to the phishing scam.

“This has helped to prevent another 200 and more customers from falling prey to the scam,” she added.

OCBC first announced on Monday that it had begun making “goodwill payouts” to customers who had fallen prey to recent phishing scams involving the bank.

It did not specify then how much the payouts would be and whether all affected customers would receive the payout.

According to the police, nearly 470 people had fallen victim to the SMS phishing scams involving OCBC in December, with total losses amounting to at least S$8.5 million.

The victims received unsolicited SMSes claiming that there were issues with their banking accounts, asking them to click on a link to resolve the issue.

They were then redirected to a fake website that resembled OCBC’s and were asked to key in their ibanking account login details.

It was only after they received notifications informing them of unauthorised transactions charged to their bank accounts that victims discovered that they had been scammed.

In a separate statement on Monday, the Monetary Authority of Singapore (MAS) said it takes a “serious view” of the scam and will consider taking supervisory action against OCBC.

The authority added that it expects all financial institutions to have robust measures for fraud prevention, detection and remediation, and to provide prompt assistance to customers who have been victims of scams.