'It was like fighting a war': OCBC group CEO on dealing with recent phishing scams
OCBC group chief executive Helen Wong said the decision to pay all customers their losses as a gesture of goodwill was made in early January and the bank has been doing so since Jan 8. ST PHOTO: JASON QUAH
Joyce Lim
Senior Correspondent
PUBLISHED
23 JAN 2022, 5:00 AM SGT
FacebookWhatsAppTwitter
SINGAPORE - In early December, staff at OCBC Bank started getting calls from frantic customers saying they appeared to be victims of a phishing scam.
As employees from Singapore’s second-largest bank worked to get to the bottom of this, more and more cases started popping up.
By Dec 30, nearly 470 customers had lost at least $8.5 million. Some had savings in the six figures wiped out.
“It was like fighting a war,” said OCBC group chief executive Helen Wong of the massive phishing scam that hit the bank.
The war escalated quickly as deposits drained from compromised bank accounts, even as bank staff scrambled to shut down transfers to mule accounts. “As we blocked the mule accounts, the fraudsters somehow managed to find new mule accounts for the money to be paid into,” said Ms Wong, in an exclusive interview with The Straits Times.
Describing the attacks which took place as “fast and furious” and well-strategised, she said some funds were immediately remitted overseas as the scammers had fraudulently added new payees abroad.
Police investigations are ongoing, and OCBC has said it will pay all victims their losses out of goodwill.
When the first phishing scams surfaced in early December at OCBC, there were only a few cases, but a team in the bank was already investigating this, said Ms Wong on Friday.
On Dec 3, the bank posted a security advisory on its website, warning customers of the phishing attacks. As more phishing websites were detected, the bank’s anti-fraud team alerted domain providers to take them down.
Further warnings were issued to customers, but the situation worsened in the days leading up to Christmas. The bank knew it had a crisis on its hands.
The fraudsters had picked a clever time to attack, when people were winding down for the Christmas holidays, with some victims travelling overseas and not paying attention to their accounts, said Ms Wong.
Between Dec 8 and 17, 26 customers lost a total of $140,000 to phishing scams sent by SMSes impersonating the bank.
OCBC issued text messages and pushed alerts to its one million customers to warn them of the attacks. A media advisory was also issued on Dec 23.
But over the Christmas weekend, another 186 customers fell prey, losing about $2.7 million.
Between Dec 8 and 17, 26 customers lost a total of $140,000 to phishing scams sent by SMSes impersonating the bank. ST PHOTO: JOYCE FANG
While the bank’s front-line staff tended to victims, much more was going on behind the scenes to manage the crisis.
By Christmas, more than 100 people were working to fight the scams, operating round the clock.
Staff from various departments including fraud risk, and operations and technology teams, were deployed. Leave was cancelled and staff were recalled. Some who had retired were asked to come back to help, said Ms Wong.
Besides working to detect and stop the fraudulent transactions, there were staff who spent whole days just trawling through clients’ portfolios to check if there were any suspicious transactions, said Ms Wong, who meets her top management team every day.
With all hands on deck, the anti-fraud team managed to detect and stop suspicious transactions in more than 200 customers’ accounts.
“Some customers did not even know that their accounts had been hacked when our officers called them,” she said, adding that the team also managed to trace and recover some of the lost amounts. She did not reveal further details on this.
OCBC introduces new security measures, including lower default PayNow amounts
How SMS phishing scams have affected OCBC customers and put text messaging security in focus
The bank’s hotline was jammed as worried customers called to make inquiries even though they did not receive the phishing messages. The volume of calls to the bank surged by 40 per cent, she said.
Staff from other departments were also deployed to help the call centre. Even so, some customers were unable to reach the bank in time.
“We feel very sorry about it, that they could not reach us promptly to report the scams. They do expect quick answers and assistance to stop the transactions that were occurring. And we fell short of their expectations and our own service standard,” said Ms Wong.
Apologising repeatedly during the interview at OCBC Centre, she said: “This truly bothers me. I feel truly sorry for the victims, and OCBC can and will do better. This is very important.”
Ms Wong, 60, became the first female chief executive to head a Singapore bank when she took over from Mr Samuel Tsien in April last year. The veteran banker was formerly the chief executive of HSBC in Greater China.
She said the decision to pay all customers their losses as a gesture of goodwill was made early this month, and the bank had been doing so since Jan 8.
By Dec 30, nearly 470 customers of the bank had lost at least $8.5 million, some with savings in the six figures wiped out. PHOTO: ST FILE
But there were several moral hazards the management team had to consider, which was why she did not announce it then.
One was whether customers might let their guard down, thinking they would get remediation if they were scammed.
The move could also invite alleged victims of past cases to call the bank now, when the focus was on the current scam.
And if scammers knew that banks in Singapore were willing to back their customers, would they focus more on Singapore banks, said Ms Wong, who felt that her decision could set a precedent for the banking industry.
With all that in mind, she said she still felt strongly about making good for the customers, knowing how many had lost their life savings. “I felt that we should help our customers,” she said.
Since early this month, about 30 employees have been on call to talk to victims of the phishing scams. Ms Susan Lim, 62, who retired as a bank teller in November last year, was one of several former employees who returned to help.
Why some OCBC customers in SMS scams did not get OTPs
Scam alert: From OCBC SMS scam to fake Iras e-mails, here's what you need to know
Ms Lim, who makes about 20 calls a day to update the victims on the situation, said: “I understand how the customers feel. They are all worried and want to get their money back. Even over the phone, I can sense how worried and stressed out they are. Some cry as they talk about their losses.”
As at Friday, more than 200 customers have received their full payouts from OCBC.
Last week, the Monetary Authority of Singapore said it expects all customers to be treated fairly and that financial institutions are expected to have in place “robust measures to prevent and detect scams as well as effective incident handling and customer service in the event of a scam”.
In a joint statement with the Association of Banks in Singapore, the regulator said banks in Singapore will have to put in place more stringent measures within two weeks to strengthen the security of digital banking, such as removing clickable links in SMSes or e-mails sent to retail customers. There should also be a delay of 12 hours before activation of a new soft token on a mobile device.
Ms Wong said OCBC has all seven measures in place. She will also beef up the bank’s customer service team and have a dedicated line for customers to report scams.
Among other things, the bank has also reduced the default daily limit for PayNow transactions from $5,000 to $1,000, and the amount allowed to be transferred per transaction has been reduced from the default of $1,000 to $200.
“We need to think how we can better anticipate a scam of this scale, speed and nature. We have to do better stress-testing, and also more drills,” she added.
She also hopes that the recent events will be a stark reminder to customers “to be very alert when handling their personal banking details”.
