SMS Phishing Scam: OCBC Bank’s Customers lost $8.5 Million

On 30th December 2021, Singapore police made an announcement that a widespread phishing scam occurred through SMS. These messages were impersonated on behalf of OCBC Bank, which incurred a financial loss of $13.7 million.

It is shocking to witness that users are still getting tricked by SMS phishing attacks. This attack created havoc in the security systems and security guidelines of banks and the country of Singapore as a whole. The bank observed an increase in the number of SMS phishing scams around New Year’s Eve.

SMS Phishing Scam at OCBC Bank

The Singapore police force found that threat actors were sending phishing text messages (SMS) to the clients of OCBC. These messages consisted of information regarding the problems that clients were having in their accounts. The scammers lured users to click on the embedded links in SMS to resolve the problem. The fake SMS had a bank’s header which created an impression of its legitimacy. In total, 790 account holders became victims of the attack.

When clients became convinced of the situation, they clicked on the links which redirected them to a fake OCBC bank website. The customers typed in their credentials along with username, PINs, OTPs, etc. All this information was recorded by scammers which they used to make transactions. Though, all the victim customers received a notification for unauthorized transactions made from their accounts.

There were multiple attacks found between 8th December and 17th December, when 26 customers lost $103,492, and between December 24 and December 26, when another 186 customers lost $2 million.

Actions Taken by Bank

During the month of December, when such attacks were happening on a regular basis, OCBC Bank hunted down 45 phishing websites. This number was eight times the monthly average. Banks also identified that scammers spoofed messages using the name of the bank and shortcode.

The bank notified its users that they are working with the anti-scam center of the Singapore police. However, both the Singapore Police Force (SPF) and OCBC bank admitted that recovering the stolen funds would be difficult. After this major attack, OCBC Bank warned its users of fake SMS on their website.

Singapore police also admitted that not much could be done after the fraudulent transfer had been made. They issued statements for the users to verify the authenticity of the information before taking any stated steps. They also advised people to avoid sharing credentials for whatever reason that might be.

The Bank Has Announced Remittance

On January 19, the bank announced that it would reimburse the victims’ lost amount. The bank calls it the “full goodwill payout” and they have started reimbursing the customers since January 8th. The bank intended to reimburse all the money by next week. The total number of victimized customers is 790, whose complete balances have been wiped out.

What is an SMS Phishing Scam?

SMS phishing, or smishing, is a type of cyberattack where cybercriminals send a text message to victims to lure them into revealing private and confidential information. Most SMS phishing scams involve asking victims to click on a link that takes them to a fake website where they are asked to input their sensitive information. This allows the cybercriminals to have the victims’ private information that they can use to make fraudulent financial transactions or data theft.

The fundamental concept of a smishing attack is a social engineering tactic that is used by cybercriminals to trap target users. The scammers manipulate the users to lure them to carry out steps or take action. The objective of these actions is to get credentials or monetary transactions.

Examples of SMS phishing scams

There are some key phrases that have been statistically found to be quite prevalent in most cyberattacks. They are –

• Any kind of “urgent” message related to your debit/credit card. They often claim to be from a bank or credit card company.
• Any kind of message containing the phrase “you have won a prize, click here to claim it!” This is the most common and widely used phrase, either in the subject or the message itself.
• Any text that contains “your bank account is locked” is more likely to demand the user to take a set of steps by creating a panicky situation.
• Any message that contains a phrase like “unusual account activity” demands the user take steps to secure their account.

SMS Phishing Scam Statistics

• According to a news article, among all the SMS phishing scams in Q4 of 2021, 55.94% of them were executed to incur fraud.
• According to Infosecurity magazine, 67.4% of all texts have been reported as spam in the United Kingdom.
• In the same article, it was mentioned that 22.6% of the reported SMS scams were from banks and financial institutions.
• According to the FBI’s report for 2020, the total number of victims of smishing/phishing is 241,342 and the cost incurred by it is $54,241,075.
• Smishing attacks have increased by 328% in 2020, and that is up to the third quarter of the year.

Recent Cases of SMS Phishing Scams

KYC Scam in Mumbai

On Republic Day of India, that is on January 26, 2022, a woman who is a manager in a nationalized bank lost $800 to a KYC fraud. The scammer sent her a text message when she was unable to upload her PAN. The scammer took the initiative to resolve the issue by taking bank details along with the OTP and scamming the manager by making a fraudulent transaction.

NatWest Scam

In March 2021, fraudsters carried out a series of phishing attacks through SMS by impersonating NatWest Bank. In the scammed messages sent to victims, the fraudsters claim that a new payee has been added to their account and that immediate action is required to secure the account. This led the victims to a phishing website where they had to provide credentials.

How to Prevent SMS Phishing Scams?

The SMS phishing scam is a risk and hazard for both organizations and consumers. One must carry out the following steps to prevent smishing attacks:

1. For organizations, it is important to educate their employees about the kinds of smishing attacks and precautionary steps that can be taken.
2. Always do primary research on the number and content of the messages. Try to find out the whereabouts of the number as well as the content of the message on the web to check whether anything suspicious about it is there or not. One can also reach out to the institution through their verified calling the number to confirm the truthfulness of the message.
3. If there are messages that you can directly identify as being suspicious, then block the number immediately or report spam. Responding to such texts or calling such numbers should be avoided.
4. If you happen to identify that a particular text message is spoofing a company, then you must inform the company about such an occurrence.
5. Don’t click on the links that are embedded in the suspicious texts. If you click for research purposes, never reveal any private information or credentials.

Aware Your Employees and Customers about Smishing

International communities and security organizations are emphasizing cybersecurity awareness training for their employees. Apart from this, it is the responsibility of financial organizations such as banks and NFBCs to increase the awareness of their users about different types of phishing attacks.

The organization needs to educate its employees specifically to prevent phishing through phishing awareness training. On the other hand, organizations can specifically choose to educate and train their employees on specific attack vectors such as smishing awareness training and vishing awareness training.