This news about OCBC bank customers (at least 469) losing their savings from phishing scams sent shivers to many Singaporeans. What caught my attention is that this scam even fooled finance professionals. One of the victims worked in the finance industry, is well-read in bank protocols and regulations, and is IT savvy. If this can happen to her, it could easily have happened to me. Older folks who are not IT savvy will stand little chance against these scammers.
A piece of good news for the victims is that OCBC has decided to cover the money lost as goodwill payouts. Do not assume banks will cover victims' losses out of goodwill in future. OCBC is not legally bound to cover the losses, as its IT systems were not hacked. The scale of this phishing is unusually large and caught the attention of the regulator and the entire nation. The sum lost, SGD8.5m, is tiny for OCBC to pay. It is a good PR exercise for OCBC to make the payout, but only this time.
I will assume that if I were to become a victim to these scams in future, the losses will be mine to absorb.
Here are the precautions I took and practices to adopt in future to protect myself from similar scams.
- Switch from SMS OTP (one-time password) authentication to mobile app OTP authentication
I have switched from using SMS OTP on all banking websites to mobile apps.
To cut a long story short, SMS OTPs can no longer be trusted and can even be diverted by fraudsters.
It is much harder to hack a bank's mobile app, and if these apps are hacked and losses are incurred, then the bank is liable to compensate because its systems have been hacked.
Bank mobile apps are good channels for receiving information from the bank, particularly now that SMS and emails can no longer be trusted. If fake information is shown in the mobile app and losses are incurred, then the bank is liable for compensation because its systems have been hacked.
- Transfer some money from banks to financial entities where withdrawals to 3rd parties are forbidden
I have a SingLife account that provides a higher interest rate than banks, with some insurance benefits. What I like about the SingLife account, given the recent phishing attack, is that money in the SingLife account can only be withdrawn into a bank account that bears my name. Even if hackers manage to gain access to my SingLife account, they cannot withdraw money into their personal bank accounts because the name will not match.
The Singlife Account is protected up to specified limits by the Singapore Deposit Insurance Corporation.
For older Singaporeans who are close to the age at which they can withdraw from CPF, it is a good idea to transfer some money to CPF to protect against hacking/phishing risk.
CPF is so safe that even you yourself cannot touch the money. Well, at least not until you are old enough and have some surplus in CPF to withdraw.
- Reduce the maximum daily bank transfer limit, especially for overseas transfers
If a hacker wants to steal your money online, he will most likely be withdrawing to an overseas bank account that is out of Singapore's jurisdiction. Therefore, I have reduced the overseas transfer limit per day to the minimum.
- Enable alerts for banking transactions
This is particularly important for detecting fraudulent credit card transactions early.
- Bookmark banking websites and log in to these bookmarked websites instead of googling for them
In the past, I had a bad habit of googling for the websites I wanted to log in to. It is possible for Google to return malicious websites in your search results.
For sensitive websites that I regularly log in to, I bookmark them and will only log in through these bookmarked links.
- Do not click on any links from SMS or emails
Some tell-tale signs of suspicious clickable links:
1. Links that start with http:// instead of https://. Legitimate websites usually start with https://, although https:// only means the connection is encrypted, so a link using it is not automatically legitimate.
All your banking websites start with https://
So does my website https://market-observer.addvaluedonoevil.com/ :)
2. Shortened URLs that look something like owa.ly/uK2f50A
Hackers like to use shortened URLs for phishing scams
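The two tell-tale signs above, together with the "only log in through bookmarks" habit, can be turned into a small screening script for links that arrive by SMS or email. The Python below is an added example written for this post, not code from the post itself. It treats a link as trustworthy only if its host exactly matches a host you bookmarked, flags plain http:// and URL shorteners, and goes one step beyond the post by also flagging lookalike hosts that merely contain a bookmarked brand name. The bookmark list, the shortener list and the sample messages are constructed; "online.acmebank.example" is a placeholder, not a real bank's domain.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: hosts you bookmarked yourself. The first entry is a
# placeholder (not a real bank domain); the second is the post's own site.
BOOKMARKED_HOSTS = {
    "online.acmebank.example",
    "market-observer.addvaluedonoevil.com",
}

# Constructed, non-exhaustive list of URL-shortener domains. "owa.ly" mirrors
# the shape of the shortened link quoted in the post.
SHORTENER_HOSTS = {"bit.ly", "ow.ly", "owa.ly", "tinyurl.com", "t.co"}


def _brand_labels(hosts):
    """Second-level labels of the bookmarked hosts, e.g. 'acmebank' from 'online.acmebank.example'."""
    labels = set()
    for host in hosts:
        parts = host.split(".")
        if len(parts) >= 2:
            labels.add(parts[-2])
    return labels


BRAND_LABELS = _brand_labels(BOOKMARKED_HOSTS)


def check_link(url):
    """Return the red flags found in one link; an empty list means the host exactly matches a bookmark over https."""
    url = url.strip().rstrip(".,;:!?)")
    # Scheme-less links such as "owa.ly/uK2f50A" are parsed with a "//" prefix so the host is still extracted.
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower()
    reasons = []

    if parts.scheme != "https":
        reasons.append("does not use https://")
    if host in SHORTENER_HOSTS:
        reasons.append("shortened URL hides the real destination")
    if host in BOOKMARKED_HOSTS:
        return reasons  # exact match with a bookmark; only the scheme/shortener flags apply
    if any(label in host for label in BRAND_LABELS):
        reasons.append("looks like a bookmarked site but the host is not an exact match")
    else:
        reasons.append("host is not in your bookmarks")
    return reasons


# Matches explicit http(s) links and bare "host.tld/path" links commonly seen in SMS.
LINK_RE = re.compile(r"https?://\S+|\b[\w.-]+\.[a-z]{2,}/\S*", re.IGNORECASE)


def scan_message(text):
    """Map every link found in a message body to the red flags raised by check_link."""
    return {link: check_link(link) for link in LINK_RE.findall(text)}


if __name__ == "__main__":
    # Constructed sample messages in the style of the SMSes described in the post.
    samples = [
        "Your account is suspended. Verify at owa.ly/uK2f50A now.",
        "Security notice: confirm your details at https://online.acmebank.example.verify-login.example/",
        "Your e-statement is ready at https://online.acmebank.example/statements",
    ]
    for message in samples:
        for link, flags in scan_message(message).items():
            verdict = "OK (bookmarked)" if not flags else "SUSPICIOUS: " + "; ".join(flags)
            print(f"{link} -> {verdict}")
```

The exact-host rule is deliberately strict: even a genuine subdomain of your bank that you never bookmarked is reported, which is the same discipline as refusing to log in through anything but your own bookmarks. In practice the script is a reminder of what to look at, not a substitute for typing the bookmark yourself.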
I think that, of the above measures, the most important one would be switching from SMS OTP to mobile apps. Please do this for yourself when you are free.