OCBC phishing scam left victim broke and hungry on Christmas day

In several cases, victims could not understand how the crooks were able to quickly increase their transaction limits and complete large local and foreign transactions with new beneficiaries without the need for an SMS-based OTP, which is a form of two-factor authentication.

A couple in their forties, whose joint savings account was wiped out of S $ 80,000, admitted that although they were guilty of compromising their bank account by disclosing their account name and bank code banking access, they didn’t give the crooks any OTP information or security tokens. .

The bank’s internal investigators told them that it was impossible to conduct such large transactions without the Office of the Prosecutor.

“But my husband (who was phished by the crooks) did not return the OTP to the scam website because he was driving at the time … Yet they were able to take the OneToken from our account without OTP, then transact after that, “the woman said.

The couple, who have three young children, have not spoken since the incident on December 29. The financial loss had a huge impact on their family’s savings and frustrated their plans to travel abroad with the children in 2022, she said.

TODAY understands that OTP passwords sent via SMS could have been redirected or compromised by a known vulnerability. In September, Singapore authorities warned against the diversion of bank OTPs to malicious actors overseas to conduct fraudulent transactions, affecting 75 bank customers.

OCBC group corporate security chief Francisco Celio said the bank’s systems had not been hacked and remained safe and secure.

“Unlike other SMS phishing scams, the recent SMS phishing scam impersonated OCBC and fed on consumers’ fears about their personal bank accounts. He is particularly aggressive and very sophisticated in getting consumers to disclose their personal banking information despite repeated warnings from banks to be vigilant and not to do so, ”Celio said.

He added that the bank is providing assistance to these customers and has set up a dedicated team to help them get through this difficult time.

“We understand and share the anxiety of our customers who have fallen prey to these scammers,” he said.

Still, scam victims who spoke to TODAY fear the money is basically gone. Trisha said the bank officer handling her case told her that she could probably take full responsibility for the loss of S $ 68,000 as she was the one who gave out her login details and OTP. to crooks.

According to a MAS circular sent to financial institutions last August, the question of who bears the loss of such frauds, especially when the bank’s customer did not disclose his account details to crooks, is still open. review by the authorities.

In general, bank users who have suffered financial losses due to fraudulent transactions are protected as long as they acted responsibly, according to a parliamentary response from Finance Minister Lawrence Wong last July.

“The recent SMS phishing attack is not the first and certainly will not be the last. We will continue to put additional measures in place as new tricks are continually being deployed by scammers, ”Celio said.

“We strongly condemn the actions of these crooks. We worked closely with the Singapore Police Force on this incident, ”he added.

Comments are closed.