OCBC phishing attacks were 'fast and furious' and 'well-strategised', says group CEO

OCBC group chief executive Helen Wong said the decision to pay all customers their losses as a gesture of goodwill was made in early January and the bank has been doing so since Jan 8.
PHOTO: The Straits Times

The phishing attacks on OCBC customers last year and the bank's efforts to shut down the rapid fraudulent transfers has been described by the bank's group chief executive as akin to "fighting a war".

In an interview with The Straits Times, CEO Helen Wong, 60, described the massive phishing scam which occurred in December last year as "fast and furious" and "well-strategised".

She recounted how deposits were drained quickly from compromised accounts in escalating numbers as the days passed. Even as bank staff tried to shut down mule accounts created for the money to be paid into, "the fraudsters somehow managed to find new mule accounts for the money to be paid into".

Some of the funds were also automatically remitted overseas after scammers had fraudulently added new payees abroad, said Wong.

She added that the bank had started investigating the attacks in early December, when a few cases were reported. Despite steps taken to curtail the attacks, such as alerting domain providers to take down phishing websites and putting up a security advisory, the situation gradually worsened in the days leading up to Christmas.

Wong noted during the interview that the fraudsters had picked an opportune time to attack — during the holiday season when people may be overseas or not paying attention to their accounts.

She shared that over the Christmas weekend alone, 186 OCBC customers had lost a total of $2.7 million.

By then, the bank had operationalised more than 100 people to work on fighting the scams. Even those who had retired were asked to come back and help, Wong said.

According to The Straits Times, Wong apologised repeatedly during the interview that customers were unable to connect to the bank in order to stop the scams in time. This had happened even though additional staff were deployed to call centres.

"We fell short of their expectations and our own service standard," said Wong.

In total, nearly 470 OCBC customers lost at least $8.5 million in the phishing attack. OCBC has said it will be compensating customers for the amount that they lost out of goodwill.

The Straits Times reported that as of Friday (Jan 21), more than 200 customers have received their full payouts from OCBC.

Moral hazards

Wong shared that there were moral hazards the team had to consider before announcing that they would provide customers with payouts for the scammed amount.


One of the considerations was whether the move would lead customers to be complacent about cybersecurity risks in future, with the belief that they would be compensated if they ever fell victim to scams.

Another was whether scammers would target Singapore banks if they knew that banks here are willing to back their customers.

But in the end, knowing that many had lost their life savings, "I felt that we should help our customers," said Wong.

For the full interview, go to The Straits Times.


This website is best viewed using the latest versions of web browsers.