Here is a close look into the details of the OCBC phishing scam, how it happened, the damage it caused, how OCBC handled it, and the masterminds behind it.
Singapore’s central bank asked OCBC (Overseas Chinese Banking Corporation Ltd.) in May 2022 to keep an extra $240 million in the capital following the infamous OCBC phishing scam in December 2021.
OCBC, the second largest lender in Singapore, reported losses from the OCBC phishing scam and reportedly made goodwill payouts of the total amount to all the 790 phishing scam victims. Here are the details of the OCBC phishing scam and how it happened.
The Aftermath of OCBC Phishing Scam
Singapore’s central bank asked OCBC to keep an extra $240 million with the MAS (Monetary Authority of Singapore) stating, “OCBC is required to apply a multiplier of 1.3 times to its risk-weighted assets for operational risk. It translates to an additional amount of approximately S$330 million in regulatory capital.”
Helen Wong, the Group’s CEO, said, “The SMS phishing attacks impersonating OCBC in December 2021 was unprecedented in that the tactics reached a level of realism not seen in previous phishing scams. While we took various actions in December to stem the scam, we should have responded faster and better to early signs of the attacks.”
OCBC Phishing Scam Targets Victims: What Actually Happened?
Singapore police announced on December 30, 2021, about a massive SMS phishing campaign where SMS impersonating the OCBC Bank were sent to innocent individuals, duping and stealing S$13.7 million from them.
The threat actors sent phishing messages to customers of OCBC. The messages contained information regarding multiple problems the customers were facing in their accounts and lured them via malicious embedded URLs to fake portals purportedly to solve the problem.
The counterfeit messages were also accompanied by the bank’s header, creating a bubble of legitimacy, affecting 790 OCBC users.
These malicious links redirected OCBC customers to a fake OCBC Bank website where they followed the login procedure of entering their credentials, followed by PINs and OTPs, all of which were recorded by the threat actor who used these accounts to make transactions.
When Did the OCBC Phishing Scam Occur?
The OCBC phishing scam hit its customers in December 2021 and went on for a month. Multiple attacks occurred between December 8 and 17, 2021, where 26 customers lost $103,492. The attack volume surged a week later when nearly $2 million was lost by 186 customers between December 24 and 26.
Initially, it was reported by the OCBC in a January 30th update that $8.5 million were stolen by the threat actors. However, the number rose to $13.7 million afterward. The difference in figures was based on the victims who reported the incident to the authorities and those who did not.
Nearly 80% of the phishing scam amount was stolen between December 23 and 30, with the number of affected OCBC customers rising from 469 to 790.
Image sourced from earthlink.net
What did OCBC Do to Stop the Phishing Scam?
December 2021 was devastating for OCBC Bank as it hunted down nearly 45 phishing websites and identified scammers that spoofed the bank’s messages using its name and shortcode. OCBC released a public notice to inform its customers about the phishing scam campaign and worked with the Singapore police’s anti-scam center.
On January 19, OCBC announced that it would reimburse all affected customers. Calling the initiative the “full goodwill payout,” the bank started reimbursing all affected customers whose balances were wiped from their accounts. An independent consultant reviewed the case and concluded that OCBC did not suffer an attack on its IT systems.
The Masterminds Behind the OCBC Phishing Scam
Police investigations revealed that Peh and Tan Shu Kai received the OCBC phishing scam funds and conducted raids, arresting 16 people. Multiple threat actors were identified and were linked to the OCBC phishing scam. These included Brayden Cheng Ming Yan, a 19-year-old, 32-year-old Mark Teo Sin Yan, and 21-year-old Leong Jun Xian.
Two 20-year-olds, Kong Jia Quan and Muhammad Khairuddin Eskandariah, were also found guilty. The group shared the details of 16 bank accounts to syndicates in Telegram group chats between December and February, receiving nearly $600,000 from multiple ruses, including the phishing scams involving OCBC customers.
The court documents by Deputy Public Prosecutors Ronnie Ang and Jason Chua stated, “The accused and co-accused persons had worked together as a group to provide money-laundering services to various unknown persons believed to be linked to overseas syndicates by sourcing for and providing control of bank accounts to these unknown persons.”
Final Words
With such an advanced and sophisticated phishing scam campaign at such a time, the story of OCBC is among the top online scams, like phishing scams, shopping scams, crypto phishing scams, and more.
Even though OCBC reimbursed the customers, all organizations might not do so, which is why individuals need to stay vigilant against the latest threats and implement proper phishing protection measures.