Singapore — The last two weeks of December saw at least 469 OCBC customers fall victim to phishing scams, with a total of S$8.5 million lost from their bank accounts. Ho Ching, a Director of Temasek Trust, shared the story of one of them.
In a Facebook post on Saturday (Jan 15), one John Tan wrote that the entire ordeal started when his wife received “a strange message from OCBC, telling her someone was trying to access her account. It was the phising (sic) message, she clicked it”.
He added that when they managed to get OCBC on the line, they were told that the bank would try to get their money back in nine days, but the money was gone, and the chances were slim.
“I immediately took out my calculator and bashed in all the cash I had lying around. What if I can’t pay my bills? How will my kids eat? Alas, it wasn’t enough”, wrote Mr Tan. The day after they lost all their savings, Mr Tan’s wife came down with Hand-foot-and-mouth disease (HFMD) and was on bed rest for two days.
Mr Tan wrote that he was devastated.
On Christmas Eve, he said: “I collapsed back in bed – but not long after, I got up. Somehow, I had gained a little perspective. I had the cash, nobody would starve, what was I really upset about? I asked myself how I wanted to be remembered, especially by the girls. It was never going to be about how rich daddy was. I wanted to be remembered as a generous person with integrity, always doing what was right even in adversity”.
Mr Tan’s parents were there for them, and he updated that after the new year, OCBC managed to retrieve two of the five transactions.
Without divulging exactly how much they lost, Mr Tan added: “It was quite a bit but in all seriousness, it’s not really about how much. Most likely, those that lost less in absolute terms are likely to be impacted more”.
Most of the victims of the phishing scam had clicked phishing links from SMSes that were spoofed to look like they came from OCBC, with the messages appearing in the same chat history as official OCBC messages.
In response to media queries, OCBC’s head of group corporate security, Francisco Celio said:
We understand and share the anxiety of our customers who have fallen prey to this recent SMS phishing scam which impersonated OCBC and preyed on the fears of consumers about their personal bank accounts.
We have set up a dedicated team to help our affected customers through this difficult period. We have also contacted all the affected customers and are rendering assistance to them.
This SMS phishing scam is particularly aggressive and highly sophisticated in duping consumers into disclosing their personal banking details to fake websites despite repeated warnings from the bank to be alert and not to do so.
The use of the digital soft token or hard token for two-factor authentication is effective as an added layer of protection to access codes and PINs for logging in to a bank account. While most customers use the digital soft token, based on customers’ feedback, the hard token continues to be available.
Our first-level investigation into this particular SMS phishing scam has revealed that victims who had fallen prey had unknowingly provided their bank account information and internet banking login credentials, including SMS OTPs, to fake websites. This allowed scammers to take over their accounts and the scammers were then able to make fraudulent transactions in the guise of the customer.
Investigations into each report of this particular SMS phishing scam is complex and involves multiple checks, parties and systems. We seek our customers’ understanding to allow us to review every case very carefully and fairly. We will contact the affected customers again as soon as the investigation and review is complete.