I’m a S'porean man, 43. I lost S$500,000 of my life savings over 2 hours in the OCBC phishing scam.
A victim of the OCBC phishing scam has written to Mothership.sg to reveal what happened behind-the-scenes.
MothershipI lost S$500,000 in 2 hoursHence, I thought that it was a believable ask as some of my credit card transactions did not go through (I assumed that OCBC was blocking them at that time because I was overseas).The next morning when I woke up, I saw a chain of SMSes showing that my payment transfer limit had increased to S$300,000, new payees were added, and multiple transactions of up to S$50,000 had been transferred to new payee accounts, including PayNow.
It appeared that the scammers were able to set up the OneToken two-factor authentication feature easily on their own device without any verification.Worked for 20 years, scrimped and savedTo think that my life savings of S$500,000 were withdrawn by the scammers over two hours is utterly traumatic.Read more: Mothership.sg »
Warriors coach Kerr calls for gun control after Texas school shooting
BENGALURU — Golden State Warriors coach Steve Kerr refused to talk about basketball at a pre-game news conference on Tuesday (May 25) and instead called for stricter gun control after the killing of at least 18 children and an adult in a Texas school Read more >>
Letting in everyone from all corners of the world coming in to work open up cans of worms. They study our systems and... $500,000 in the bank and mobile phone is incompatible with OneToken? Just get a new phone, lah. 😆 Seems like it's a internal scam. User mistake,don't follow any link given in message,always typing manually in browser,download apps from store only. Your username,password,TAC is secret,don't give to anybody for what ever reason.
Just check the SSL Certificate of the website and see if it is valid. I am surprised to know that 99% of the people, including many 'security professional' don't know about this! You have yourself to blame when you lose everything in the phishing scam! Just 43 having 500k saving? Wow. scary Why there wasn't any alert from OCBC when so many cases of large transaction too place! Yes, the 1st place of preventing scamming is by us customer but if the security alert was not being prompt immediately. I'm suspecting this was done by internal staff.
OCBC = Only Can Bilk Customers I believed all the scams that has happened was done by an insider in the Bank. No matter how good the Banking System is there is always someone whose duties involved access to Customers records. This is the reason it kept reoccurring.
OCBC compensates more than 30 SMS scam victimsSINGAPORE - OCBC Bank said on Monday (Jan 17) that it has already been making goodwill payments to customers who lost funds from their bank accounts in a recent spate of SMS phishing scams. The bank said it has been doing so since Jan 8 and more than 30 customers have received them so far. 'The payouts to this group... Who are the “beneficiaries”? Let them get away scot-free? ZERO explanation from Head of Digital Business and Transformation? What about SGFinDEx? Conveniently expose depositors to all sort of risk and never said a word?
This happens across all banks, not just OCBC. But personal responsibility is also important. No one is more responsible for our wealth than ourselves. That said, banks need to get ahead of such and future scams. Not just stick to existing security protocols. OCBC not paying them but give them more problem. Why? Coz every other bank do the same. You lost your life saving, you cant claimed back...even police cannot do anything. That why we singaporean have trust issue litterally with everything. There is no save place here.
There should be segregated authorization for payee setting, linking/de-linking accounts, setting transfer limits etc. and not a single password to enable all functions. Banks are ill prepared for digitization despite MAS and ministers talking about digital economy. The truth is,they are not savvy enuf, their digital firewalls r not robust,n hackable.Telcos2, many scam calls use them, but they r impotent2prevent anytg. N blame consumers,joke!
1. Public awareness of scams is there, it is you aware or not. 2. Bank also should take some form of responsibility, but real life is that no one is monitoring online transaction. 3. Since there was online transaction, but it will take time to investigate. Teared up when reading this. At age 43 has half million cash! Not bad... Has he pay enough tax for past year?
OCBC needs to stop this NONSENSE asking parents to deposit money into account to keep a child's bank account active if not done so in a while. This is in the same league as access your banking website or your account will be locked BS! People got cheated because of such policies! Banks should be allowed to only contact us through the banking app. No need for SMS/Calls/Emails. Look at Grab's app for reference. Eliminate the avenues of exploitation!
Former OCBC financial consultant admits to cheating clients of S$170,000 in fake time depositsSINGAPORE: A former financial consultant with OCBC Singapore cheated five of his clients of S$170,000 in fake time deposits, picking existing clients whom he knew were not technologically savvy and who would trust his explanations. Hoi Wei Kit, 34, pleaded guilty on Monday (Jan 17) to seven charges of chea
Ex-OCBC financial consultant cheated 5 people of $170k to settle gambling debtsIn a move to obtain money to settle his gambling-related debts, a financial consultant with OCBC Bank hatched a plan to dupe five of its clients of $170,000 in total. Read more at stomp.straitstimes.com
2 OCBC SMS scam victims share losing life savings within minutesSINGAPORE - OCBC Bank customers who were scammed have felt great pain, with some losing life savings that they had built up for their children and families painstakingly over the years. OCBC said its banking systems have not been hacked and remain secure. It also reversed its plan to phase out physical tokens for e-banking. In a letter to The...
Some SMS scam victims receive goodwill payments from OCBC but cannot disclose amountsSo secretive...haizzz..
S'porean man shows how easy it is to spoof SMSes like those in OCBC scamMethod is 'extremely easy' for scammers to exploit. Wow that is pure evil, he needs to be locked up for life. The lesson learnt here is that, sometimes its better to have the mentality of prepare to lose a few tens to hundreds of dollars to an unauthorised 'graab' or 'lazardae' deduction, rather than to react immediately to a fake notification of unautho deduction , and lose lifesavings Please teach. We can spoof the bank accounts from the white party so they will enforce new laws and safety net because it hurt them.
Mothership has seen a copy of the police report filed by the victim. I am an OCBC scam victim who lost S$500,000 of my life savings on Dec. 20, 2021. Thank you Mothership for your coverage on the OCBC scam thus far. It has raised public awareness of the scam, as well as pushed OCBC to improve their weak security system and processes. I would also like to share my story anonymously. I lost S$500,000 in 2 hours I am a 43-year-old public servant. Similar to the other victims, I got a SMS that looked like it came from an official OCBC SMS thread asking me to access the website or my account will be locked. On the date of the scam, I was overseas and using my OCBC credit card for payments. Hence, I thought that it was a believable ask as some of my credit card transactions did not go through (I assumed that OCBC was blocking them at that time because I was overseas). The website that the phishing SMS led to looked exactly similar to the OCBC website. I shared my login details and my OTP once. I did not have a OneToken login as it is incompatible with my mobile device. I use a physical token. The next morning when I woke up, I saw a chain of SMSes showing that my payment transfer limit had increased to S$300,000, new payees were added, and multiple transactions of up to S$50,000 had been transferred to new payee accounts, including PayNow. There were 11 transactions ranging from amounts of S$17,000 to S$50,000. These were transfers to new payees, including PayNow to phone number, PayNow to NRIC and bank transfers. The total amount came up to S$500,000 in total. It appeared that the scammers were able to set up the OneToken two-factor authentication feature easily on their own device without any verification. I could not believe that OTPs were not subsequently needed for other transactions, and these transactions amounting to S$500,000 over 2 hours did not raise any alarms within the bank. Unfortunately, due to the time zone difference, this had taken place while I was asleep and I was only notified of it in the morning when I woke up. Needless to say, my world has spun upside down since that morning. Worked for 20 years, scrimped and saved I have spent 20 years of my working life to save up for the S$500,000. Since young, I have worked hard, lived a simple lifestyle and practised saving hard for my retirement. This was my retirement fund, and now without it, I will most probably have to work till I die - literally. To think that my life savings of S$500,000 were withdrawn by the scammers over two hours is utterly traumatic. Since the scam, my wife and I have been severely affected mentally and emotionally, and have both lapsed into depression. When we talk about the scam, we will end up quarreling. Thinking about the scam brings tears to my eyes, and media coverage of the scam and mentions of OCBC induce trauma. I do not know whether I will be able to be happy again. Communication with OCBC non-existent Correspondence with OCBC has been extremely disappointing and almost non-existent. When I first reported this S$500,000 loss to OCBC to suspend my account on the day of the incident on Dec. 20, the customer service officer who fielded the call was not empathetic despite the traumatic situation, which came across as tonedeaf. When I updated my relationship manager on the same day, he sounded like he was not aware of the scams. Hence, I would like to ask OCBC to show evidence on how they have been proactive on the security alert since early December, and if internal staff were also not aware? Any large organisation with a marketing department would know that burying an update in the depths of their website does not count, as compared to more proactive paid and earned communications efforts, which it seems like OCBC only started to undertake from Dec. 30 onwards -- even though the scams started growing from Dec. 8. Since the incident, there has been no proactive response from the bank except when I asked for an update. When I did so, the standard response is that the case is still under investigation. There was no timeline communicated. OCBC introduced my relationship manager's manager on Jan. 3, after the scam had by that time gained widespread coverage in mainstream media. The RM's manager was to provide an additional contact point. However, there is also no update from him unless I reach out first. I messaged him after reading about the “goodwill payment” news in the media on Jan. 17, which was the first time I heard about it. His response was that my case is still undergoing investigation. I would appreciate Mothership ’s help to ask OCBC, based on what criteria do they select the 30 victims, and whether this “goodwill payment” will extend to all victims? We have heard that some victims do not qualify. I hope that all victims will be treated fairly as guided by MAS. No alerts, no warnings from bank OCBC shared in a statement that they had since Dec. 3 issued multiple alerts and warnings to its customers using multiple channels, including security alerts and advisories on its website, Internet and mobile banking log-in pages, customers e-mails, as well as social media channels. I disagree with this as on the date of my incident on Dec. 20, there was no such alert on the mobile app and nothing on this scam on their social media feeds. When I had informed my relationship manager of the scam incident on Dec. 20, he responded over WhatsApp, “wa this one really never see before”. If internal communications to staff were non-existent, I would like to question the bank: Show proof of their so-called security alerts and advisories since early December? On Dec. 23, OCBC got a narrative published in an article in The Straits Times : “OCBC cautions public about SMS scams after customers lose $140,000 in 10 days”. But these scams had taken place from Dec. 8 to 17 with a clear time lag for such a grave matter. Public awareness of this scam only swelled on Dec. 30 when a police statement mentioned that S$8.5 million had been lost to scammers and victims started sharing their stories with the media. Clearly, OCBC did not act fast enough and were not proactive enough to embark on more widespread paid and earned media communications that could have prevented scams that happened after early December -- until their reputation was affected. SMS messages that were sent on Dec. 30 and Jan. 4 were clearly too little, too late. The OneToken failure It is notable that OCBC has stopped the compulsory rollout of their clearly flawed digital token OneTaken since the scam. In 2021, I had to replace my physical token because it expired. As my mobile device was not compatible with the OneToken, OCBC had issued me a new physical token even though it was to be phased out as they knew I couldn’t activate the OneToken. However, scammers were able to set up the OneToken on their device without additional verification from me, which allowed them to bypass my physical token security. OCBC should have better processes (e.g. a physical one-to-one meeting, phone call) with the client to activate such significant changes to account access. What goodwill payment? While OCBC shared that they have begun to make goodwill payment to the victims (apparently 30 victims), it has not applied to my case, which I assume is one of the largest amount of losses. For my case, the bank has shared that as it is “complex”, and it will need “more time to investigate”. Just want to be compensated It has almost been a month since I have lost the S$500,000, and I have not heard a single update from the bank on my case even though they claimed they have “a dedicated team set up to support the victims”. While I am encouraged by the cases of the fellow 30 victims, I wonder how much these payments will be for large amount of losses like my case. I hope that it is a genuine effort to treat victims fairly as per on Jan. 17. I sincerely seek MAS’ close attention on how all the individual cases are being investigated and compensated. I hope that you can share my story so that there is more sustained public awareness to this scam and to encourage OCBC to expedite this remedial process for the victims so as to put an end to our trauma and distress. Were you scammed in the recent OCBC SMS phishing scam? Did you receive a full payout from OCBC? If you want to talk to us, email us at Top photo via Google Maps If you like what you read, follow us on