OCBC capital limits raised over flawed response to SMS phishing scams

The Monetary Authority of Singapore (MAS) has imposed an additional capital requirement of approximately S$330 million on OCBC Bank (OCBC), over deficiencies in the bank’s response to a wave of spoofed SMS phishing scams in December 2021.

Nearly 470 customers lost at least $8.5 million in December after scammers posed as OCBC and sent SMSes with links to phishing sites to victims.

Following the scams, OCBC engaged an independent firm to review its systems and processes. Deficiencies were noted in the bank’s mitigation of identified risks, pre- and post-transaction controls, incident management and complaints handling, resulting in delays in containment measures and customer response time.

Marcus Lim, assistant managing director, MAS, states: “Financial institutions have a duty to put in place robust measures to prevent, detect and respond to scams. This means ensuring that their controls remain effective against evolving scam tactics, and prompt actions are taken as soon as a scam is detected. Consumers must also remain vigilant against persistent attempts by scammers to deceive them into divulging their log-in credentials or initiating transfers themselves. MAS is working closely with the industry and other agencies to further strengthen our collective defences against scams.”

MAS has pushed the industry to take more proactive measures to ward off the threat. In addition to removing clickable links in e-mails and text messages, banks will be required to set the default threshold for funds transfer transaction notifications to customers at $100 or lower.

There will also be a delay of at least 12 hours before activation of a new soft token on a mobile device, while a notification will be sent to existing mobile numbers or emails registered with the bank whenever there is a request to change a number or address.

OCBC, for its part, has begun making goodwill payouts to victims and rolled out a kill switch that enables customers to immediately freeze all their current and savings accounts in an emergency.

OCBC Group CEO Helen Wong says: “As digital banking becomes a way of life in today’s world, scammers are using increasingly well-orchestrated tactics to convince, mislead and steal. Therefore, the integrated defences that a bank must have in place to prevent, detect and respond to scams are expected by customers. The SMS phishing attacks impersonating OCBC in December 2021 were unprecedented in that the tactics reached a level of realism not seen in previous phishing scams. While we took various actions in December to stem the scam, we should have responded faster and better to early signs of the attacks.”

In February, the Monetary Authority of Singapore raised capital requirements for DBS Bank by S$930 million following the widespread unavailability of the lender's digital banking services in November.
