SINGAPORE, Jan 18 — OCBC has started reimbursing customers who were affected by the recent SMS phishing scam, the bank announced yesterday.

More than 30 customers have already received “goodwill payouts” since the bank began giving them out on January 8, while the validation process is still ongoing for the others affected by the scam, OCBC said in a statement.

“The payouts to this group of customers are made on a goodwill basis after thorough verification, taking into account the circumstances of each case,” the bank added.

OCBC did not say whether the victims will be fully or partially reimbursed, or how many of the victims will not be eligible for these payments. TODAY has asked the bank for more details.

Advertisement

The bank also “acknowledged that its customer service and response fell short of our customers’ expectations, especially at a time of stress and anxiety”, and added that it has set up a dedicated team to support the victims.

“As the investigations into these cases are complex and extensive involving multiple checks and parties, the bank needed more time to get back to affected customers to address their concerns,” it added.

“The bank seeks the patience and understanding of all affected customers to allow it the time to properly review and validate each case thoroughly.

Advertisement

“Affected customers will be contacted as soon as the review and validation of their case is complete.”

At least 469 customers had been affected by the SMS phishing scam, with losses totalling at least S$8.5 million.

The fraudsters had sent out fake bank alerts that spoofed the bank’s official SMS channel with the victims, duping many of them into giving up their personal account information last month.

Several victims previously described to TODAY about their heartbreak and anxiety over suffering such towering financial losses during the holiday season.

Some also said that their OCBC bank accounts were hijacked and emptied by the scammers even though they did not provide the scammers with their one-time password or security token information.

On Monday, three victims told TODAY that the bank has reached out to them regarding the goodwill payouts, instructing them to meet bank officers with a copy of their police report. They were not informed about how much they would be reimbursed yet.

“It is possible that the payouts may not be in full, but I am hoping that won’t be the case,” one victim who declined to be identified.

OCBC warned early this month that people should not access their bank accounts through these messages, and that the bank will no longer send web links through SMS.

On Monday evening, the Monetary Authority of Singapore (MAS) said in a statement that it takes a “serious view” of the scam and will consider taking supervisory action against OCBC.

“MAS expects all financial institutions to have robust measures for fraud prevention, detection, and remediation, and to provide prompt assistance to customers who have been victims of scams,” it added.

How the scam happened

OCBC described the scam as “particularly aggressive and highly coordinated”, becoming increasingly frequent over the year-end holiday period.

Scammers were able to impersonate the bank through the SMS thread that it uses with customers, by cloning a legitimate sender ID  —  OCBC, in this case  —  via SMS. Sender IDs are names that identifies the sender of an SMS message so that a word or phrase, instead of a number, is displayed on the recipient’s mobile phone.

OCBC said that this enables the scammer’s SMS to appear as if it originated from a legitimate sender, thus enabling the message to appear in the same thread as legitimate SMSes from the bank. 

“From the time the bank first detected (the scam) in early December 2021, it had, since December 3, 2021, issued multiple alerts and warnings to its customers using multiple channels.

“It had issued security alerts and advisories on its website, internet and mobile banking log-in pages through customer e-mails, as well as through its own social media channels,” OCBC said.

These included two media advisories on December 23 and 30, and SMS messages to all customers on December 30 and January 4.

“The bank has also proactively reached out to customers who might not be aware that their banking activities were susceptible to the scam. This has helped to prevent more customers from falling prey to the scam,” it said.

The scale of the phishing scam has since attracted calls for banks and financial institutions to take greater responsibility for the losses of customers who are conned by such nefarious scams.

Based on an MAS circular sent to financial institutions last August, the issue of who bears the loss in these cases is still being reviewed by the authorities.

Ms Helen Wong, OCBC’s group chief executive officer, apologised yesterday for the bank’s response, adding that its banking systems and digital banking platforms are safe and secure.

“Digital banking remains a convenient way to do banking. We do not want this scam to take that away from us. But scammers are increasing in sophistication,” she said.

“Therefore, I urge everyone to stay alert and do your banking only at the bank’s official websites and on the official mobile apps.

“Together with the Association of Banks in Singapore and the Monetary Authority of Singapore, the industry will review to further strengthen the anti-fraud detection and prevention measures.”  —  TODAY