
Singapore must clamp down on security inertia before digital banking era can take off


With Singapore’s digital bank licensees expected to begin operations this year, a spate of online scams wiping out victims’ life savings serves as yet another wake-up call and demonstrates that regulations sometimes are the only way to shake organisations out of complacency.
Where cybersecurity is concerned, governments and businesses often tout the importance of “shared responsibility”, with consumers urged to also practise good cyber hygiene to help stave off attacks and protect their own assets. A recent spate of online scams in Singapore, however, reveals that blame will be placed on individuals when possible and demonstrates that regulations sometimes are the only way to shake organisations out of complacency.

People, process, and technology. How often has this trinity been preached as the three fundamentals of any successful digital adoption and the holistic approach to ensuring a good security posture? Which of the three, though, bears greater weight? Does technology play the biggest role in cybersecurity? Or are processes the most critical component of this equation?

When it comes to blame, it appears that significant onus is placed on consumers to safeguard their personal data and bear the consequences should they fall for online scams.

A recent series of online scams involving at least 469 customers of OCBC Bank resulted in losses of more than S$8.5 million ($6.32 million), with S$2.7 million scammed over the recent three-day Christmas weekend alone. Several of the victims reportedly lost their life savings, including a 43-year-old man whose account was wiped of S$500,000, a 38-year-old software engineer who lost S$250,000, and a 33-year-old finance executive who had her account emptied of S$68,000.

In these cases, which first surfaced on December 1 last year, scammers manipulated SMS Sender ID details to push out messages that appeared to be from OCBC. These SMS messages prompted the victims to resolve issues with their accounts, redirecting them to phishing websites and instructing them to key in their bank login details, including username, PIN, and One-Time Password (OTP). Because OCBC’s legitimate Sender ID was successfully cloned and spoofed, these messages appeared in the same thread as previous alerts or notifications from the bank, leading victims to believe they were legitimate.

In its statement released on December 30, OCBC made clear that customers were “the first line of defence” against such scams and that once funds were moved from their account, the possibility of recovery was “very low”. The bank said it had issued its first advisory on December 23, warning the public about the scams and cautioning customers against clicking on links embedded in the SMS messages.

Upset over how the breach was handled, affected OCBC customers expressed frustration over the lengthy time they were put on hold in their efforts to contact the bank’s hotline and have their accounts locked to stem the leaks. Several noted a lack of urgency amongst OCBC’s customer agents when told about the security breach. In his interview with local media platform Mothership, the 43-year-old male victim added that the bank staff he corresponded with did not even appear to be aware of the ongoing scams. Noting that his account was breached on December 20, he questioned whether OCBC had done enough to alert its own staff and customers of the growing security risks when the attacks had been escalating since early December.

Inundated with the bad press that followed, OCBC on Wednesday said all customers affected by the scams would receive “full goodwill payouts” comprising the amount they lost. This came after its previous statement on Monday that it had begun to make “goodwill payouts” since January 8, which did not specify if this applied to all customers or whether they would receive the entire amount they lost. OCBC probably sees this $8.5 million writeoff as a necessary cost in crisis management, but it will likely take much more before the bank is able to regain the trust of its customers and restore its brand reputation.
