Singapore monetary authority threatens action on bank over widespread phishing scam

Scam has claimed 469 victims in December alone, of which OCBC has issued goodwill payments to 30

Updated The Monetary Authority of Singapore says it is considering supervisory action against Southeast Asia's second largest bank, Oversea-Chinese Banking Corporation (OCBC), which was criticised for its incident response to a widespread phishing scheme across the island nation.

Customers waiting to be served in OCBC Bank in Singapore on 18 April, 2015

"Monetary Authority Singapore (MAS) takes a serious view of the recent phishing scams involving OCBC Bank. They have significantly impacted several customers. OCBC has acknowledged that its incident response and customer service should have been better. MAS has been following up with the bank on these and broader issues relating to the incident," said MAS deputy managing director Ms Ho Hern Shin in a statement to The Register.

The phishing scheme first appeared at the start of December 2021 and became more aggressive through the holiday period. By the end of the month, the Singapore Police Force reported the scam had affected 469 customers and taken over SG$8.5m (US$6.3m/£4.62m).

Victims receive an unsolicited SMS that appears to come from the bank and asks the account holder to click a link to resolve a problem with their account. The link leads to a fake bank website where victims enter their login details, which the scammers then use to empty the account. Victims don't know they've been scammed until they receive a notification of an unauthorized transaction charged to their account.
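The article describes the lure only in prose. The following added example (not code from The Register, OCBC, MAS or the police) shows the triage checks a bank's fraud team or a mobile security filter would run over an SMS body before the link is ever tapped: extract the URLs, reduce each to its registrable domain, and flag links that use a shortener, put the bank's brand name on a foreign domain, or sit a character or two away from the real brand. The bank allowlist, the brand name and the sample messages are all constructed for illustration and are not the real OCBC domains.

```python
"""Heuristic triage of SMS text for bank-impersonation phishing links.

Added example, not code from The Register, OCBC or MAS. The allowlist,
brand name and sample messages are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Constructed allowlist: domains the (hypothetical) bank really sends links from.
BANK_DOMAINS = {"examplebank.com", "examplebank.com.sg"}
BRAND = "examplebank"
# Public URL shorteners: a genuine bank alert should never hide its destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}

URL_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"']+""", re.IGNORECASE)


def extract_urls(text):
    """Return the URLs in an SMS body with trailing punctuation stripped."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def host_of(url):
    """Lower-cased hostname of a URL; bare 'www.' links get a scheme prepended."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def registrable_domain(host):
    """Naive eTLD+1 that copes with two-label suffixes such as .com.sg.
    Production code should consult the Public Suffix List instead."""
    labels = host.split(".")
    second_level = {"com", "co", "org", "net", "gov", "edu"}
    if len(labels) >= 3 and labels[-2] in second_level and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return the reasons a URL looks like a phishing link; empty list means clean."""
    reasons = []
    host = host_of(url)
    if not host:
        return ["unparseable host"]
    reg = registrable_domain(host)
    if reg in BANK_DOMAINS:
        return []
    if reg in SHORTENERS:
        reasons.append("link shortener hides destination")
    if BRAND in host:
        # e.g. examplebank.com.secure-verify.xyz: brand used as a subdomain of a foreign domain
        reasons.append("brand name on non-bank domain")
    elif levenshtein(reg.split(".")[0], BRAND) <= 2:
        # e.g. examp1ebank.com: digit-for-letter substitution
        reasons.append("lookalike domain")
    if not reasons:
        reasons.append("link to unknown domain")
    return reasons


def triage_sms(text):
    """Map every URL in the message to its list of reasons (empty list = clean)."""
    return {u: classify_url(u) for u in extract_urls(text)}


if __name__ == "__main__":
    # Constructed sample messages, not real SMS traffic.
    samples = [
        "ExampleBank: unusual activity. Verify at https://examplebank.com.sg/alerts",
        "Dear customer, your account is suspended. Restore at https://examplebank.com.secure-verify.xyz/login.",
        "Your ExampleBank card is locked, unlock here: http://examp1ebank.com/unlock",
        "Update your details now https://bit.ly/3xmpl",
    ]
    for sms in samples:
        print(triage_sms(sms))
```

The early return on the allowlist is deliberate: only a link whose registrable domain is one the bank controls is treated as clean, so `examplebank.com.secure-verify.xyz` fails even though the string starts with the brand. The edit-distance check catches ASCII substitutions but not Unicode homoglyphs, so a real filter should also reject or decode punycode (`xn--`) hosts and use a Public Suffix List library rather than the naive `registrable_domain` above.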

"Once the funds have been fraudulently transferred out of the victim's bank account, it would be challenging and difficult to recover the stolen monies," said the police in a canned statement.

A PSA starring a local influencer, Lee Kin Mun, also known as Mr Brown, describes the maneuver in great detail.

Those affected have told heartbreaking tales of losing their entire life savings with little hope of retrieving it. One mother of seven, understandably distracted by her children, clicked the link in haste and lost SG$100,000 (US$74,000) in a matter of minutes. She immediately called the bank, but as she claimed, "OCBC's hotline is not equipped to immediately handle scams which are in progress."

In July 2021, deputy chairman of MAS and minister for finance Lawrence Wong said in a reply in parliament:

Generally, consumers who have suffered financial losses from fraudulent transactions are protected as long as they have acted responsibly.

A circular distributed to financial institutions last August by the MAS put some of the responsibility on banks and financial institutions to investigate scams. It also gave examples of what would qualify as gross negligence on the part of account holders, including failing to report fraud in a timely fashion or disclosing personal account details.

OCBC said it issued multiple alerts and warnings including SMS messages to all customers on 30 December 2021 and 4 January 2022.

The bank said it had also reached out to vulnerable customers who might not be aware of the dangers of digital banking. On Monday, OCBC said it had made over 30 goodwill payouts since January 2022, a paltry 6.4 per cent or so of December's victims alone.

"The payouts to this group of customers are made on goodwill basis after thorough verification, taking into account the circumstances of each case," said the bank.

Ho's statement acknowledged the goodwill payouts but threatened supervisory actions:

MAS expects all affected customers to be treated fairly. We note OCBC has begun to make payouts to the victims of this phishing scam, following a review of each case.

OCBC will conduct a thorough probe to identify the deficiencies in their processes and implement the necessary remedial measures. MAS will consider appropriate supervisory actions following this review.

MAS expects all financial institutions to have robust measures for fraud prevention, detection, and remediation, and to provide prompt assistance to customers who have been victims of scams. We are working with the Association of Banks in Singapore on industry-wide measures that may need to be taken to ensure that digital banking remains secure, efficient, and trusted.

"I want to assure our customers and members of the public that our banking systems and digital banking platforms are safe and secure. Digital banking remains a convenient way to do banking. We do not want this scam to take that away from us," said OCBC CEO Helen Wong in the company's January 17th canned statement.

Findings from a government-sponsored Cybersecurity Awareness Survey earlier this year said nearly four in 10 people in Singapore reported being victims of at least one cybersecurity incident last year.

Speaking yesterday at the signing of a collaboration between cybersecurity firm Acronis and nonprofit Cyber Youth Singapore (CYS), Mary Yong, program director at the Singapore government's Infocomm Media Development Authority (IMDA), said that since Singapore has one of the highest rates of internet connectivity globally, running into a scam or cyberattack is "a probability."

The partnership between CYS and Acronis seeks to provide digital resilience training and cyber education to students in hopes of growing a culture where, among other digital skills, people just automatically know how to spot a malicious link that could bankrupt them. ®

Updated to add on 19 January:

Local news outlets are reporting that some of the OCBC customers affected by the recent SMS scams have been offered "full goodwill payouts."

In a statement to the Straits Times, OCBC group chief exec Helen Wong said: "We seek the understanding and patience of our customers as thorough validation of each case requires time to ensure accuracy. This process is necessary so that every case is fairly and properly treated."

Biting the hand that feeds IT © 1998–2022