OCBC should have 'responded faster and more robustly' to first sign of SMS phishing scam: Lawrence Wong
SINGAPORE: OCBC should have “responded faster and more robustly” when it first detected signs of an SMS phishing scam in early December, Finance Minister Lawrence Wong said on Tuesday (Feb 15).
The scam, which saw nearly 800 customers losing a combined S$13.7 million mostly over the year-end festive period, was “by far the most serious phishing scam” involving spoofed SMSes impersonating banks, he added in a ministerial statement in Parliament.
Mr Wong noted that OCBC, Singapore’s second-largest bank, took various actions throughout December to stem the phishing scam.
This included warning customers about the spoofed SMSes through general advisories on its website and later on through SMS and emails. The bank also worked with authorities to block and take down the scam websites and stopped sending SMSes with clickable links to customers, among other efforts.
“These actions were taken at various stages during the month as the phishing scams built up. OCBC should however have responded faster and more robustly at the first sign of the scams, which the bank had picked up in early December,” the minister said.
By the time OCBC informed the Monetary Authority of Singapore (MAS) on Dec 24 that it had activated its incident response team, the bank’s call centre was “overwhelmed”.
“It faced a surge in calls – from affected customers as well as other worried customers who had not themselves received phishing messages. Despite the bank deploying additional resources, some affected customers experienced delays in reaching the bank to report the scams,” Mr Wong said.
Prior to this, MAS had received “only a few” complaints about customer service delays related to similar scams, he added.
OCBC has since apologised for falling short of expectations in customer service and response. It also said that all affected customers will receive “full goodwill payouts” covering the amount they lost.
To date, more than 90 per cent of customers have received these payouts, with the remaining reimbursements to be completed soon, Mr Wong said.
The minister stressed that the phishing scam was not a cyberattack on OCBC. “At no time was the bank’s own systems breached,” he told the House.
OCBC has engaged an independent external party to conduct a thorough review of its anti-scam processes, including fraud surveillance, incident management and customer service, as well as recommend necessary remedial actions on top of what it has already done.
“MAS will review these findings, take appropriate supervisory actions against the bank, and closely monitor the bank’s implementation of remedial measures,” said Mr Wong, who is also deputy chairman of the MAS.
GAPS FOUND IN RECENT INDUSTRY REVIEW
Mr Wong noted that a recent review of fraud control adequacy in the digital banking channels of the three local banks had “surfaced a number of gaps”.
The “focused supervisory review” was carried out by the MAS in the third quarter of 2021, in view of rising scam cases particularly in the last two years. In October, the financial regulator conveyed to each of the banks its specific findings and recommendations for remedial actions.
The three banks had committed to timelines to remedy these gaps, with most measures to be fully implemented by June this year, the minister said. Those that require extensive changes in IT systems were to be completed by December 2022 at the latest.
In agreeing to the timelines for implementation, MAS was “mindful that the banks had multiple priorities” such as ensuring business continuity and robust risk management amid the COVID-19 pandemic, said Mr Wong.
But when faced with the escalation in phishing scams in December, OCBC “fast-tracked” the roll-out of some of these measures.
For example, it extended the cooling period – where higher-risk transactions cannot be carried out – after a digital token is set up on a new mobile device.
Mr Wong noted that the latest scam involving OCBC marks a “step up in the persistence and deceptiveness” of phishing scams involving banks. Scammers had used “a combination of well-orchestrated tactics to achieve a level of realism not seen in previous phishing attacks”, he added.
To tackle this “enhanced threat”, additional measures, such as the removal of clickable links in SMSes or emails sent to customers, were announced by the MAS and the Association of Banks in Singapore last month “as an urgent first step”.
“These measures will substantially bolster the security of digital banking against scammers employing similar tactics as the OCBC scam cases,” Mr Wong said.
BANKS “CAN AND SHOULD DO MORE” TO SAFEGUARD CUSTOMERS
But banks “can and should do more to safeguard their customers”, said the minister as he laid out five key measures that are being considered.
First, banks are working to further strengthen their fraud surveillance capabilities to identify suspicious and anomalous transactions, including credit card transactions.
Most banks have some rule-based parameters to trigger suspicion, such as large transfers to new recipients, but these need to be expanded to take account of a broader range of scam scenarios, Mr Wong said.
Beyond pre-defined parameters, MAS will expect banks to develop more versatile algorithms employing artificial intelligence and machine learning to detect suspicious transactions.
Such algorithms should be based on multiple sources of information, including customer profile and vulnerabilities, past transaction patterns, account activity and mobile device identification.
“I must caveat that while these advances will help, fraud monitoring systems are not a silver bullet. It is not possible to detect every scam,” the minister said.
Second, banks should step up their ability to immediately block suspicious transactions and reach out to their customers to verify their authenticity.
The transactions will be unblocked and processed only upon confirmation by the customer.
Currently, banks have some of these capabilities but they are not consistent across the various types of transactions, Mr Wong said.
Authorities are also looking into enabling customers to trigger a freeze on their own accounts without having to contact the banks, if they suspect their accounts have been compromised, he added.
Third, MAS and the banks are looking to introduce additional customer confirmations, beyond just notifications, for significant changes to accounts or high-risk transactions.
These include changes in account holder details, activating a token on another device, fund transfers that are large relative to their overall balances and overseas transfers.
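The rule-based surveillance the minister describes (large transfers to new recipients, transfers that are large relative to balance, overseas transfers), the hold-until-the-customer-confirms step, and the cooling period after a digital token is activated on a new device can be sketched as a small decision engine. The following is an added illustration written for this article, not OCBC's, MAS's or any bank's actual system; the thresholds, customer profile, device identifiers and transactions are all constructed assumptions chosen only to exercise each rule.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed thresholds (assumptions for illustration, not MAS or bank parameters).
LARGE_TRANSFER_SGD = 5000          # "large transfer" floor for the new-recipient rule
BALANCE_FRACTION = 0.5             # transfer is "large relative to balance" above this share
COOLING_PERIOD = timedelta(hours=12)  # higher-risk transactions refused this long after token setup


@dataclass
class Profile:
    customer_id: str
    balance: float
    known_recipients: set
    token_activated_at: dict  # device_id -> datetime the digital token was set up on that device


@dataclass
class Transaction:
    txn_id: str
    customer_id: str
    amount: float
    recipient: str
    device_id: str
    timestamp: datetime
    overseas: bool = False


@dataclass
class Decision:
    action: str                      # "ALLOW", "HOLD" (await customer confirmation) or "BLOCK"
    reasons: list = field(default_factory=list)


def risk_flags(txn: Transaction, profile: Profile) -> list:
    """Pre-defined parameters that mark a transaction as higher-risk."""
    flags = []
    if txn.amount >= LARGE_TRANSFER_SGD and txn.recipient not in profile.known_recipients:
        flags.append("large_transfer_new_recipient")
    if profile.balance > 0 and txn.amount > BALANCE_FRACTION * profile.balance:
        flags.append("large_relative_to_balance")
    if txn.overseas:
        flags.append("overseas_transfer")
    return flags


def in_cooling_period(txn: Transaction, profile: Profile) -> bool:
    """True if the token on this device was activated less than COOLING_PERIOD ago."""
    activated = profile.token_activated_at.get(txn.device_id)
    return activated is not None and txn.timestamp - activated < COOLING_PERIOD


def assess(txn: Transaction, profile: Profile) -> Decision:
    flags = risk_flags(txn, profile)
    if not flags:
        return Decision("ALLOW")
    # Higher-risk transaction from a freshly enrolled device: refuse outright during the cooling period.
    if in_cooling_period(txn, profile):
        return Decision("BLOCK", flags + ["device_in_cooling_period"])
    # Otherwise hold the transaction and ask the customer to confirm before it is processed.
    return Decision("HOLD", flags)


def resolve_hold(decision: Decision, customer_confirmed: bool) -> Decision:
    """A held transaction is released only on explicit customer confirmation."""
    if decision.action != "HOLD":
        return decision
    if customer_confirmed:
        return Decision("ALLOW", decision.reasons + ["customer_confirmed"])
    return Decision("BLOCK", decision.reasons + ["customer_rejected"])


# Constructed sample data: one customer, an old device and one enrolled two hours ago.
NOW = datetime(2021, 12, 20, 10, 0)
SAMPLE_PROFILE = Profile(
    customer_id="C-001",
    balance=20000.0,
    known_recipients={"ACC-LANDLORD"},
    token_activated_at={"phone-old": NOW - timedelta(days=400), "phone-new": NOW - timedelta(hours=2)},
)
SAMPLE_TXNS = [
    Transaction("T1", "C-001", 200.0, "ACC-LANDLORD", "phone-old", NOW),
    Transaction("T2", "C-001", 8000.0, "ACC-UNKNOWN", "phone-old", NOW),
    Transaction("T3", "C-001", 12000.0, "ACC-UNKNOWN", "phone-new", NOW),
    Transaction("T4", "C-001", 300.0, "ACC-OVERSEAS", "phone-old", NOW, overseas=True),
]


def run_demo() -> dict:
    """Assess each constructed transaction and return txn_id -> action."""
    return {t.txn_id: assess(t, SAMPLE_PROFILE).action for t in SAMPLE_TXNS}


if __name__ == "__main__":
    for t in SAMPLE_TXNS:
        d = assess(t, SAMPLE_PROFILE)
        print(t.txn_id, d.action, d.reasons)
```

Running the block shows T1 allowed, T2 and T4 held for customer confirmation, and T3 refused because the large transfer to an unknown recipient came from a device whose token is still inside the cooling period. The separation between `assess` and `resolve_hold` mirrors the second measure above: the transaction is not processed until the customer has positively confirmed it, and a customer who rejects it turns the hold into a block.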
“This will introduce some friction to customers carrying out genuine transactions. But we will all need to adapt and get used to these inconveniences, in order to strengthen the security of digital banking,” the minister said.
Fourth, banks are exploring expanding the use of biometric technology, on top of the use of passwords and one-time passwords (OTPs) as a means of authentication.
Mr Wong said this can help to add an additional layer of security that cannot be easily phished by scammers to access a customer’s account.
Fifth, banks will accelerate the shift towards the use of mobile banking apps for customer authentication, transaction authorisation and delivery of bank notifications.
If implemented well, it will be harder for scammers to abuse mobile banking apps, he said.
At the same time, MAS and the banks are reviewing the use of SMS to deliver OTPs, alongside the potential measures that should be taken to reduce risk if such a practice should continue.
That said, there “is no single measure that can guarantee the security of digital banking” amid evolving and increasingly sophisticated techniques employed by scammers, Mr Wong told the House.
“This is why in the fight against scams, banks need to employ a combination of measures in prevention, detection, response and recovery, and constantly review and recalibrate these measures.
“Most of our banks already have many of these measures in place in one form or another. MAS will work with the banks to strengthen these measures and set minimum parameters,” he said.
“EQUITABLE” FRAMEWORK FOR SHARING OF LOSSES
Authorities are also looking into establishing a “common and equitable framework” on how losses from scams are to be shared among customers and financial institutions.
“No matter which bank you go to, you should still receive the same fair treatment,” said Mr Wong, while reiterating that OCBC’s goodwill payouts were a “one-off gesture and do not set a general precedent for future cases”.
Under such a framework, both banks and their customers will have their respective responsibilities. The share of losses each party bears will depend on whether and how the party has fallen short of its responsibilities, the minister added.
“Financial institutions should bear an appropriate share of losses arising from scams, but care must also be taken to ensure that any compensation paid to customers does not weaken their incentive to be vigilant.”
MAS aims to publish the framework for public consultation within the next three months.
Other than financial institutions, the players operating the communications infrastructure also play a key role in digital security against scams, said Mr Wong.
MAS and the Ministry of Communications and Information will consider the shared responsibilities of all key parties in the ecosystem to ensure there is proper accountability, he added.