Victims lost at least S$8.5 million in SMS phishing scams involving fake SMS impersonating OCBC Bank, according to the Singapore Police Force (SPF).
SPF said scammers were sending SMSes to OCBC customers, informing them that they had issues with their bank accounts. The fraudsters requested the customers to click on a link embedded in the SMS to resolve the issues.
On obliging, the victims were redirected to a fake banking website that requested their banking login credentials like account usernames, PINs, and one-time passwords (OTPs). However, the victims would receive notifications about unauthorised transactions on their bank accounts.
OCBC warns of increased fake SMS phishing scams
About 26 customers lost S$140,000 to phishing scams in just ten days between Dec 8 and Dec 17, while another 186 customers lost S$2.7 million between Dec 24 and Dec 26.
Altogether, OCBC Bank customers lost about S$8.5 million to SMS phishing scams in December 2021, with a large amount being lost within two weeks. The bank also noticed a surge in banking phishing scams around the New Year weekend.
OCBC had initiated a takedown of 45 phishing websites in December 2021, eight times more takedowns than the average monthly figure.
According to OCBC, scammers send fake SMS by spoofing the bank’s name and shortcode. This strategy allows the scammers’ fake SMS to appear in the same thread as the bank’s legitimate text messages. Additionally, the fake SMS also bears the OCBC header, making it more believable.
OCBC skeptical about recovering money stolen through fake SMS phishing scams
OCBC said it was working with the Singapore Police Force Anti-Scam Centre to assist customers defrauded in the fake SMS phishing scams.
However, OCBC Bank and SPF acknowledged that recovering the stolen money was very challenging once the funds exited the owner’s account. The bank noted that avoiding falling victim to the fake SMS fraud was the first line of defense given the challenges of recovering stolen funds.
“Once the funds have been fraudulently transferred out of the victim’s bank account, it would be challenging and difficult to recover the stolen monies,” said Singapore’s police.
SPF advised members of the public to usually verify the authenticity of any information from the official bank website. Additionally, they advised citizens to avoid disclosing their internet banking details or any confidential information like passwords and OTPs to third parties. They also should report any fraudulent transactions to the bank immediately.
OCBC Bank reiterated that it does not send text messages to inform customers about an account closure or temporary suspensions. The bank also clarified that its official communication on serious account matters was via physical mail to prevent online fraud. Additionally, the bank does not send activation links because reactivation of dormant accounts can only be initiated in person at the bank branches.
The bank also advised customers to avoid clicking suspicious links in unsolicited emails or SMSes. Additionally, they should type the bank’s URL link directly to the browser address bar or use the official mobile banking app. Lastly, they should not disclose confidential information to unverified webpages and non-official websites.