OCBC has begun making goodwill payouts to customers who fell prey to the recent SMS phishing scam. The payouts, which started on 8 January 2022, are given to affected customers after thorough verification, taking into account the circumstances of each case, OCBC said in a statement. Affected customers will be contacted as soon as the review and validation of their case is complete. Over 30 customers have received the payouts to date.
According to OCBC, customers have been subjected to a "particularly aggressive and highly coordinated" phishing scam since 3 December last year. The scam involved sending customers messages with "too good to be true" deals. OCBC's investigations confirmed that victims had provided their online banking log-in credentials to phishing websites, after which the scammers quickly transferred money out of the customers’ bank accounts.
According to Channel NewsAsia, the Monetary Authority of Singapore (MAS) also plans to conduct a thorough probe to identify the deficiencies in OCBC's processes and implement the necessary remedial measures. MAS will then consider appropriate supervisory actions against the bank.
Just yesterday, MAS also announced that new measures will be put in place to bolster the security of digital banking services, such as the removal of clickable links in emails or SMSes sent to retail customers. MAS said the growing threat of online phishing scams calls for immediate steps to strengthen controls, “while longer-term preventive measures are being evaluated for implementation in the coming months”. It added that financial institutions have to put in place robust measures to prevent and detect scams, as well as effective incident handling and customer service in the event of a scam.
Ravi Menon, managing director, MAS said, “MAS is deeply concerned about the recent spate of scams and the financial losses suffered by victims. The threat of scams will not go away, but we can reduce our vulnerabilities. This requires a multi-pronged response across the ecosystem. MAS, together with the Police, IMDA and other relevant government agencies, is working closely with the financial industry, the telco industry, consumer groups, and other stakeholders to strengthen our collective resilience against scam attacks. We will ensure that digital banking remains secure, efficient, and trusted.”
MAS added that banks must now have dedicated and well-resourced customer assistance teams to deal with feedback on potential fraud cases on a priority basis.
In the case of OCBC, despite setting up a separate team to support the victims, OCBC said in its statement it acknowledges that its customer service and response fell short of customers’ expectations, especially at "a time of stress and anxiety". "As the investigations into these cases are complex and extensive involving multiple checks and parties, the bank needed more time to get back to affected customers to address their concerns. OCBC seeks the patience and understanding of all affected customers to allow it the time to properly review and validate each case thoroughly," it added.
Since OCBC detected the scam last month, it has issued multiple alerts and warnings to its customers using multiple channels. These included issuing security alerts and advisories on its website, internet and mobile banking log-in pages, and through customer emails.
On its social media channels, the bank posted tips on how to differentiate its messages from scammers', as well as a public service announcement video created in partnership with local influencer mrbrown.
OCBC also delivered two media advisories, on 23 and 30 December 2021, which it says were "well covered by the media". SMS messages were also sent to all customers on 30 December 2021 and 4 January this year to raise awareness of scam incidents.
Additionally, OCBC has ceased using clickable links in its SMS messages since earlier this month. The bank also sends out notifications to customers when transactions occur, and implements a 24-hour delay prior to activating a new soft token on a mobile device, twice the recommended duration recently announced by MAS.
OCBC Bank’s group CEO, Helen Wong, re-emphasised in a statement that despite the scams, its banking systems and digital banking platforms are safe and secure. She also urged customers and members of the public to do their banking only at the bank's official websites and on the official mobile apps. "Digital banking remains a convenient way to do banking. We do not want this scam to take that away from us, but scammers are increasing in sophistication. Together with the Association of Banks in Singapore and MAS, the industry will review to further strengthen the anti-fraud detection and prevention measures," she added.
Will customers forgive and forget?
According to CARMA, the OCBC phishing scams garnered 138 pieces of coverage and mentions in the local online media since December 2021, of which up to 80% made headlines. As the scam issue escalated in January, so too did the coverage on the matter. From 12 to 18 January, there were 84 pieces of news around the scams, up by 500% from the week before, CARMA reports detailed.
Additionally, a study by Callsign last year revealed that 45% of consumers said their trust in businesses such as banks, retailers, mobile network operators and delivery companies, decreased due to persistent scams spoofing brand names. Consumers surveyed also claimed to have received scams through email (67%), SMS (57%), phone (46%), messaging apps (33%) and social media (23%) in the last year. Over 42% of global consumers are asking mobile network operators to do more to stop scammers, and 33% asking the same of banks.
While phishing and online fraud are not challenges unique to OCBC, the incident does put a dent in the bank's reputation, and PR industry professionals MARKETING-INTERACTIVE spoke to said that the bank's road to brand recovery may be a long one.
Pamela Tor Das, managing director of Team Lewis Singapore said that trust is a key pillar in the banking and financial services world. Today, while convenience has become a way of life – trust still remains highly critical for brands in this space. "The incident here is a reminder of the importance of crisis preparedness and how it isn’t just ensuring the communications team and senior management are well-trained, but employees managing key customer touch points as well," she said. Das added that whilst efforts are now being undertaken to recover the brand from the incident, the show-not-just-tell adage is perhaps even more critical.
Beyond security features being innovated and put into place, customers have to be at the core of solutions created by brands.
"How are existing customers being cared for? How is the brand having empathy towards those affected? These are critical points to consider and word-of-mouth plays an important role too in regaining brand confidence. The road to brand recovery will not be a short one. Following that, it would be important to ensure the team continues to build that bank of trust," she said.
Ginny-Ann Oh, director at APRW, added that factors such as speed of response and proposed recovery actions taken by the bank will also determine the reputational recovery of the brand. In this digital age, many consumers also take their problems to social media in order to obtain a response. While this may further affect brand trust, Oh said, well-executed follow-ups and announcements on what the bank is doing and will continue to do to secure its system can help it to regain trust. "Timeliness minimises damage and could retain the confidence of customers," she added.
Commenting on OCBC's "goodwill payouts" to customers who fell prey to the recent phishing scams, Oh said they will also help the brand retain some form of trust from its customers. However, what is more crucial at this stage is for the bank to regain its customers' confidence by reassuring them on what the bank is prepared to do to secure its current system and how fast it is able to do it.
Oliver Budgen, founder and CEO of Bud Comms, added that unfortunately this situation highlights the need for building robust cyber resilience, not just for small companies, but big ones too. “Given the exposure to customers, OCBC was right to escalate their communications to the highest level, emphasising their escalated response and the seriousness of the situation,” he added.