I am quite certain that I am not the only one who was surprised that OCBC decided to give “goodwill payouts” to the victims of the phishing scam. Despite what their ads say, banks are fair-weather friends who offer you loans when the sun shines only to turn into merciless debt collectors when the rain comes.
So what prompted OCBC to offer these payouts?
I must caveat that I am not a security expert and neither am I a lawyer. But as a layman, I believe that OCBC is more liable for the losses than they want to publicly admit.
If this happened to a few clients, the responsibility can lie squarely on the individual and the bank can deny responsibility. Unfortunately, when it happened to 469 customers, responsibility shifts. And responsibility shifts even further if the scammers' actions were repeated, demonstrating an obvious pattern, and the bank did not identify it and allowed it to continue.
From the various news reports I have read online, after the victims had clicked on the link in the SMS and provided their login details, the scammers apparently used the information to request a change of mobile numbers (to receive the OTPs), request new 2FA tokens, raise transfer limits, and transfer large amounts of money overseas. While I do not know for a fact, and I am only speculating here…