Search the Community

Let's start with this https://www.straitstimes.com/singapore/courts-crime/ocbc-bank-customer-lost-120k-in-fake-text-message-scam-another-had-250k-stolen Young couple lost $120k in fake text message scam targeting OCBC Bank customers SINGAPORE - It took a man and his wife five years to save about $120,000, but in just 30 minutes, scammers using a fake text message stole the money they had kept in their OCBC Bank joint savings account. The couple in their 20s were among at least 469 people who reportedly fell victim to phishing scams involving OCBC in the last two weeks of December last year. The victims lost around $8.5 million in total. The husband works in the e-commerce sector, while his wife is in the hospitality industry. The man said he received the phishing message with a link at around noon on Dec 21 last year. A 38-year-old software engineer who fell prey to the same scam on Dec 28 told ST that he lost about $250,000 he had been saving since 2010. The father of a young child with special needs said the loss has been devastating, and he has been hiding it from his family. The bank said it has since halted its plans to phase out physical hardware tokens by the end of March this year, and has also stopped sending SMSes with links in them in the light of the spate of phishing incidents. Cyber security expert Anthony Lim, who is also a fellow at the Singapore University of Social Sciences, said scammers have advanced software enabling them to spoof telecommunications services and send SMSes that appear in the same threads used by real organisations. He added that even if victims did not provide their one-time passwords (OTPs), they would have sealed their fate when they entered other bank details on the fraudulent sites. "Once the victim unwittingly responds by entering the bank account credentials, the hackers' technologies can divert and capture a copy of the SMS OTP issued by the bank," he said.

https://m.facebook.com/story.php?story_fbid=10157731133872610&id=572922609 OTP FRAUD So this happened months ago, in January 2021, and has dragged on long enough to wear us out. At this point, we are helpless and have no idea how to move forward. It seems the last resort is to refer the case for adjudication and risk DBS retracting their offer of waiving 30% of the amount (and having to pay a 5-figure sum). Here’s what happened: Sometime in early January 2021, I tried using my supplementary credit card to make a purchase online but the transaction could not go through. I thought there was a glitch and simply used another card to make the purchase. A few days later, I tried using the same card and was told that my card was declined. Curious, I called DBS to find out why I hadn’t been able to use my card. It was then that I found out that I had almost exceeded the credit limit. Baffled, I asked for details of the transactions charged to my card since I only recalled using it for some items we needed for our new home. To my horror, I learnt that a total of SEVEN consecutive transactions were charged to my card, each amounting to approximately $1,400. The total damage was $10,150. Note that we had not received the hard copy of our credit card statement then. I informed the staff that I most definitely did not carry out these transactions and requested that they look into the case. Unfortunately, the bank told us that there is no way they are able to refund the money because these were secure transactions, made with OTP. But guess what? I did NOT receive any OTP for these seven transactions at all. The bank claimed I could have keyed in the OTP by mistake. But seven times?! Did the bank seriously think I would be tricked into giving the OTP to a stranger seven times? Long story short, we are liable for the charges. We were advised to lodge a police report so the police could investigate the matter, and were told that an investigation could help with our request for a refund. Imagine being told that there’s nothing you can do but to pay $10,150. I was heavily pregnant then, and was sooo flustered 😭 We rushed to the nearest police station to lodge a police report. So these seven transactions were made to TransferWise (now Wise), a website for monetary transfers abroad. Neither of us knew of TransferWise until this incident. The following morning, I called TransferWise to see if there was anything they could do. The transactions had gone through and there was no way they could reverse the transactions. By the time I called, they had suspended the account used to process these transactions. I was told that the bank had brought to their attention that the account could possibly have been used in a case of fraud, so they acted on the bank’s suspicion and suspended the account. A check showed that the transactions were wired to a Malaysian company, CWP Global Enterprise. The transactions were transferred and processed in ringgit. I then called the police officer assigned to our case and told her of what I had learnt and was asked if I could make a trip down to the station to add these details to my statement. The police has since concluded the case with no favourable outcome. We were told that there were no more leads so her superior advised her to conclude the case. She interviewed the TransferWise account user and found that it was a case of identity theft. Someone had used this person’s personal details to create an account on TransferWise. The transactions were not carried out by this person. A dead end is what we’ve come to. The bank refuses to do anything about the case and insists that we pay the sum of $10,150. In fact, they were unwilling to waive the monthly interest while the police investigation was ongoing. We explained that we had lodged a police report and were waiting for the police to get back to us. Still, they did not want to waive the interest of a few hundred bucks despite my husband putting in an appeal. If we had done nothing, the amount would have snowballed in no time. So I told hubby to go to our MP to see if he could get the bank to waive the interest for us. Days after Ethan’s birth, N went to see our MP, Mr Gan Kim Yong. His assistant helped send an email to Monetary Authority Of Singapore and DBS. The following day (yes, all it took was a day), a manager from DBS called N and told him that the bank would waive the interest for us while the investigation was ongoing. How efficient. Fast forward today.. We acted on the officer’s recommendation to bring our case to FIDReC, an independent and impartial alternative dispute resolution institution. The result? The bank explained that all the disputed transactions were deemed authorised by me since they could only go through with SMS OTPs. There were apparently SMS alerts sent to my mobile number once each disputed transaction was completed. At this point, I wish to reiterate that I did NOT receive a single SMS OTP or alert regarding any of the seven transactions, so help me God.. We are clearly victims of a fraud case. What do we do now? 😭 StarHub says they are only able to track incoming and outgoing calls, and outgoing messages — basically, “anything chargeable”, according to the customer service representative I spoke with. I asked if receipts of text messages are recorded in their system, and was told that Singapore Police Force would have to approach StarHub HQ for access to this data (still unsure at this point if they even have this data). This was communicated to the police officer but as I have said above, there is no favourable outcome — to be honest, I am not sure if she tried. Has any of you experienced something similar? Or do you know of someone who experienced something similar? If it’s not too much trouble, please help to share this post. Thank you 🙏🏼 EDIT: We did try to escalate the case to a higher authority i.e. the head of credit cards. Was told he would get the frauds team to look into the case, and that they’ve not encountered bypassing of OTP before. Frauds team concluded it isn’t fraud because the transactions are “secure with OTP”. I realised I didn’t mention that a total of 10 transactions were made and 7 went through because DBS only started to reject after the 7th transaction and sent a message or email to Wise warning of possible fraudulent activity. Yet they are telling me this isn’t fraud 🙄🤷🏻‍♀️ This, I found out through Wise, not DBS. The bank did not inform me about the attempt to charge 10 transactions to my card. https://mothership.sg/2021/06/dbs-credit-card-fraud-bypass-otp-sms/