SINGAPORE: It took a man and his wife five years to save about S$120,000 (RM372,620), but in just 30 minutes, scammers using a fake text message stole the money they had kept in their OCBC Bank joint savings account.
The couple in their 20s were among at least 469 people who reportedly fell victim to phishing scams involving OCBC Bank in the last two weeks of December last year.
The victims lost around S$8.5mil (RM26.39mil) in total.
Speaking to The Straits Times, the couple, who declined to be identified, said they had been saving up to start a family. They have not been able to get their money back.
The husband works in the e-commerce sector while his wife is in the hospitality industry. The man said he received the phishing message with a link at around noon on Dec 21 last year.
It claimed that an unknown payee had been added to their account, and instructed him to click on the link if it was not approved by him.
“The SMS looked like it came from OCBC and entered the usual SMS chat history from OCBC used for authentic banking services,” he said.
“The link took me to a site that looks exactly like the OCBC login page.”
He then entered his account details, unwittingly handing over control of the whole account to scammers.
They realised they had been scammed only when the man received SMSes from the bank informing him of changes and transactions involving the account that had taken place earlier that afternoon.
He showed ST his text message history. According to the timestamp, the bank sent him the alert at about 2pm, only for him to receive it past 6pm.
“Had we received the notifications on time, we would have been able to react faster, and perhaps been able to reach the relevant teams during the same business day to stop the transactions,” said the man.
After news broke that others had also been scammed, the couple decided to start a group for victims in an attempt to collectively seek answers.
Theirs was not the largest sum stolen.
A 38-year-old software engineer who fell prey to the same scam on Dec 28 told ST that he lost about S$250,000 (RM776,293) he had been saving since 2010.
The father of a young child with special needs said the loss has been devastating, and he has been hiding it from his family.
“It’s a horrible situation that impacts my whole life,” he said.
“I didn’t know there was a scam going around... how would I have known?”
Eight victims have contacted ST to share their frustration.
Responding to queries from ST, Francisco Celio, head of group corporate security at OCBC Bank, said it has been assisting those affected.
“The recent SMS phishing scam impersonated OCBC and preyed on the fears of consumers about their personal bank accounts,” he said.
“It is particularly aggressive and highly sophisticated in duping consumers into disclosing their personal banking details despite repeated bank warnings to be alert and not to do so.”
The bank said it has since halted its plans to phase out physical hardware tokens by the end of March this year, and has also stopped sending SMSes with links in them in the light of the spate of phishing incidents.
OCBC launched its fraud surveillance system in 2016, and uses machine learning to assist in detecting and immediately flagging fraudulent transactions which are then reviewed by a fraud analyst.
It also implemented its anti-financial malware system in 2019. It is able to identify what device its banking services are accessed from.
Celio added that OCBC’s banking systems remain safe and secure and have not been hacked.
A group of victims issued a statement to ST, alleging that the bank had not responded fast enough, failed to ensure the security of its SMS channel, and that remediation for customers was lacking.
“While the attack may have been particularly aggressive, it is OCBC’s duty to their customers to be ready for this,” they said.
Cybersecurity expert Anthony Lim, who is also a fellow at the Singapore University of Social Sciences, said scammers have advanced software enabling them to spoof telecommunications services and send SMSes that appear in the same threads used by real organisations.
He added that even if victims did not provide their one-time passwords (OTP), they would have sealed their fate when they entered other bank details on the fraudulent sites.
“Once the victim unwittingly responds by entering the bank account credentials, the hackers’ technologies can divert and capture a copy of the SMS OTP issued by the bank,” he said.
He also said there is a limit to how much a consumer can be protected, and that consumers need to be aware and protect themselves.
“Quite unfortunately, with regard to such message scams, there is only so much technology can do (to protect consumers),” he said.
“The best way to avoid falling prey to these is still awareness, and the accompanying scepticism.”
Tips to avoid being scammed
With scammers using more advanced technologies and software, the simplest advice may work best – be suspicious of messages sent via SMS or WhatsApp asking for personal details.
Cybersecurity expert Anthony Lim said consumers should take the following precautions when dealing with online transactions and banking details:
• Do not act in a hurry or under duress
• Do not respond to messages asking for personal credentials, passwords or PINs
• Be suspicious of messages sent via SMS or WhatsApp asking for personal details
• Never click on links in such messages
• Never download any attached file in such messages, however interesting or attractive it may be made out to be
Separately, OCBC Bank advises consumers not to access their bank accounts through SMS links.
Mobile access to bank accounts should always be done using the official banking or payment app, or by keying in the bank's URL directly into the browser. – The Straits Times (Singapore)/Asia News Network