Singapore monetary authority threatens action on bank over widespread phishing scam

Updated The Monetary Authority of Singapore says it is considering supervisory action against Southeast Asia's second largest bank, Oversea-Chinese Banking Corporation (OCBC), which was criticised for its incident response to a widespread phishing scheme across the island nation.

"Monetary Authority Singapore (MAS) takes a serious view of the recent phishing scams involving OCBC Bank. They have significantly impacted several customers. OCBC has acknowledged that its incident response and customer service should have been better. MAS has been following up with the bank on these and broader issues relating to the incident," said MAS deputy managing director Ms Ho Hern Shin in a statement to The Register.

The phishing scheme first appeared at the start of December 2021 and became more aggressive through the holiday period. By the end of the month, the Singapore Police Department reported the scam had affected 469 customers and taken over SG$8.5m (US$6.3m/ £$4.62m).

Victims receive an unsolicited SMS that appears to be from the bank and asks the account holder to click a link to resolve account issues. Once that link is clicked, victims are redirected to a fake bank website where they provide their login details. They won't know they've been scammed until they receive a notification of unauthorized transaction charged to their account.

"Once the funds have been fraudulently transferred out of the victim's bank account, it would be challenging and difficult to recover the stolen monies," said the police in a canned statement.

A PSA starring a local influencer, Lee Kin Mun, also known as Mr Brown, describes the maneuver in great detail.

Kim Huat wants to warn you of a new bank scam.

A PSA from OCBC. pic.twitter.com/BXEMxuklHo

— mrbrown (@mrbrown) January 7, 2022

Those affected have told heartbreaking tales of losing their entire life savings with little hope of retrieving it. One mother of seven, understandably distracted by her children, clicked the link in haste and lost SG$100,000 (US$74,000) in a matter of minutes. She immediately called the bank, but as she claimed, "OCBC's hotline is not equipped to immediately handle scams which are in progress."

In July 2021, deputy chairman of MAS and minister for finance Lawrence Wong said in a reply in parliament:

A circular distributed to financial institutions last August by the MAS put some of the responsibility on banks and financial institutions to investigate scams. It also gave examples of what would qualify gross negligence on account holders, including not reporting fraud in a timely fashion or disclosing personal account details.

OCBC said it issued multiple alerts and warnings including SMS messages to all customers on 30 December 2021 and 4 January 2022.

The bank said it has also reached out to vulnerable customers who might not be aware of banking dangers. On Monday, OCBC said it has made over 30 goodwill payouts since January 2022 which accounts for around a paltry 6.4 per cent of December's victims alone.

"The payouts to this group of customers are made on goodwill basis after thorough verification, taking into account the circumstances of each case," said the bank.

Ho's statement acknowledged the goodwill payouts but threatened supervisory actions:

"I want to assure our customers and members of the public that our banking systems and digital banking platforms are safe and secure. Digital banking remains a convenient way to do banking. We do not want this scam to take that away from us," said OCBC CEO Helen Wong in the company's January 17th canned statement.

• Praise the lard! Police hook up with Microsoft to school us on National Phish and Chip Day
• Something phishy: Tech recruiters jabbed by fake COVID-19 Passport scam
• Spam is Chipotle's secret ingredient: Marketing email hijacked to dish up malware
• Google dishes out homemade SLSA, a recipe to thwart software supply-chain attacks

Findings from a government sponsored Cybersecurity Awareness Survey earlier this year said nearly 4 in 10 people in Singapore reported being victims of at least one cybersecurity incident last year.

Speaking yesterday at the signing of a collaboration between cybersecurity firm Acronis and nonprofit Cyber Youth Singapore (CYS), the Singapore's government's Infocomm Media Development Authority (IMDA) program director Mary Yong said that since Singapore has one of the highest rates of internet connectivity globally, running into a scam or cyberattack is "a probability."

The partnership between CYS and Acronis seeks to provide digital resilience training and cyber education to students in hopes of growing a culture where, among other digital skills, people just automatically know how to spot a malicious link that could bankrupt them. ®

Updated to add on 19 January:

Local news outlets are reporting that some of the OCBC customers affected by the recent SMS scams have been offered "full goodwill payouts."

In a statement to the Straits Times, OCBC group chief exec Helen Wong said: "We seek the understanding and patience of our customers as thorough validation of each case requires time to ensure accuracy. This process is necessary so that every case is fairly and properly treated."