
DBS, OCBC, UOB Phishing Scams in Singapore: The Complete Protection Guide

A detailed guide to banking phishing scams targeting DBS, OCBC, and UOB customers in Singapore. Includes the OCBC SMS scam case study and actionable steps to protect your accounts.

LOCK.PUB
2026-03-21

Singapore's banking system is one of the most advanced in the world, but that has not stopped it from being a prime target for phishing attacks. DBS, OCBC, and UOB — the three local banks that nearly every Singaporean has an account with — are consistently impersonated by scammers using SMS, email, phone calls, and fake websites.

The OCBC SMS phishing scam of late 2021 and early 2022 was a watershed moment. In just a few weeks, nearly 800 OCBC customers lost a combined S$13.7 million. The sophistication of the attack — where scammers manipulated SMS sender IDs to make fake messages appear in the same thread as legitimate OCBC messages — shocked the nation and triggered sweeping regulatory changes.

Understanding how these scams work is the best defense you have.

The OCBC SMS Scam: A Case Study

In December 2021, OCBC customers began receiving SMS messages that appeared to come from "OCBC" — showing up in the same conversation thread as legitimate OCBC messages on their phones. The messages warned of suspicious account activity and urged customers to click a link to "verify" their identity.

The link led to a convincing replica of the OCBC online banking login page. Customers who entered their credentials unknowingly gave scammers access to their accounts. The scammers then quickly transferred funds out using the captured credentials, sometimes draining entire savings accounts within minutes.

What Made This Attack So Effective

  1. SMS Sender ID Spoofing: The fake messages appeared under the legitimate "OCBC" sender name, making them indistinguishable from real bank messages
  2. Urgency and Fear: Messages warned of unauthorized transactions, triggering panic
  3. Convincing Fake Websites: The phishing pages were near-perfect replicas of the OCBC login
  4. Speed of Execution: Scammers transferred funds within minutes of obtaining credentials

Regulatory Response

The Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) introduced several measures after the OCBC scam:

  • Banks removed clickable links from all SMS messages
  • Default transaction notification thresholds were lowered
  • A 12-hour cooling-off period was introduced for new payees
  • The Shared Responsibility Framework (SRF) was established for scam losses

Common Banking Phishing Scams in Singapore

1. Fake SMS from Your Bank

Despite the removal of clickable links from legitimate bank SMS messages, scammers continue to send fake SMS using spoofed sender IDs. Messages claim your account has been locked, a suspicious transaction was detected, or your card is about to expire. Some messages now include phone numbers to call instead of links.

How to protect yourself: Banks will never send SMS asking you to click links or call unfamiliar numbers. If concerned, call the official hotline printed on the back of your bank card.

2. Fake Banking Websites

Scammers create near-identical replicas of DBS iBanking, OCBC Online Banking, and UOB Personal Internet Banking. These fake sites appear in Google search ads, SMS links, or email links. They capture your username, password, and OTP.

How to protect yourself: Never access your bank through search engines or links. Type the URL directly or use the official banking app.

3. Phone Calls Impersonating Bank Officers

You receive a call from someone claiming to be from DBS, OCBC, or UOB's fraud department. They know your name and partial account details (possibly from data breaches). They say your account has been compromised and walk you through "security steps" that actually give them access.

How to protect yourself: Banks will never ask for your full password, OTP, or PIN over the phone. Hang up and call the bank directly.

4. Fake DBS PayLah! and OCBC Pay Anyone Notifications

Scammers send fake push notifications or SMS messages about incoming payments via PayLah! or OCBC Pay Anyone. To "claim" the money, you are directed to a fake login page.

How to protect yourself: Incoming payments never require you to log in to claim them. Check your app directly.

5. Malware-Laden Banking Apps

Victims are tricked into downloading fake banking apps or "security apps" that contain malware. The malware intercepts SMS OTPs and captures screen input, giving scammers full access to the victim's banking sessions.

How to protect yourself: Only download banking apps from official app stores. Never install APK files from links sent via SMS or messaging apps.

Bank-Specific Phishing Indicators

Bank | Common Scam Patterns | Official Hotline
DBS | Fake iBanking login, PayLah! scam, fake DBS Remit notifications | 1800-111-1111
OCBC | SMS sender ID spoofing, fake OCBC app updates, One Token scams | 1800-363-3333
UOB | Fake UOB Personal Internet Banking pages, fake card renewal SMS | 1800-222-2121
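
The SMS rules in this guide (banks no longer send clickable links, and the only number to call is the official hotline) can be expressed as a triage check. This is an added example, not part of the original guide; the sample messages, the ocbc-verify.example domain, the number 6123 4567 and the regex heuristics are constructed for illustration.

```python
import re

# Official hotlines, copied from this guide's table.
OFFICIAL_HOTLINES = {
    "DBS": "1800-111-1111",
    "OCBC": "1800-363-3333",
    "UOB": "1800-222-2121",
}

# Heuristics assumed by this example: explicit URLs, bare domains, and runs of
# digits/spaces/hyphens at least 8 characters long that look like phone numbers.
URL_RE = re.compile(
    r"(?:https?://|www\.)\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b(?:/\S*)?",
    re.I,
)
PHONE_RE = re.compile(r"\+?\d[\d\s-]{6,}\d")


def _digits(value):
    return re.sub(r"\D", "", value)


def triage_bank_sms(text):
    """Return findings for an SMS that names DBS, OCBC or UOB."""
    bank = next((b for b in OFFICIAL_HOTLINES
                 if re.search(rf"\b{b}\b", text, re.I)), None)
    if bank is None:
        return []  # not bank-themed; out of scope for this check
    # Any link is a finding: banks removed clickable links from SMS.
    findings = [("link", url) for url in URL_RE.findall(text)]
    for raw in PHONE_RE.findall(text):
        digits = _digits(raw)
        if len(digits) in (10, 13) and digits.startswith("65"):
            digits = digits[2:]  # drop Singapore country code
        # A callback number that is not the bank's listed hotline is a finding.
        if digits != _digits(OFFICIAL_HOTLINES[bank]):
            findings.append(("unlisted_number", raw.strip()))
    return findings


# Constructed sample messages.
SAMPLES = [
    "OCBC: Unusual activity on your account. Verify at https://ocbc-verify.example/login",
    "DBS: Your card has been suspended. Call 6123 4567 to reactivate.",
    "UOB: If you did not make this transaction, call 1800-222-2121.",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage_bank_sms(sms) or "no findings", "<-", sms)
```

An empty result only means neither rule fired; a spoofed sender ID can still carry a message with no link and the real hotline, so the advice to call the number on the back of the card still applies.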

Banking Security Checklist

  1. Never click links in SMS claiming to be from your bank — banks no longer send clickable links
  2. Access banking only through official apps or by typing the URL directly
  3. Never share OTP, PIN, or password with anyone, including bank staff
  4. Enable transaction notifications for all amounts
  5. Set up a lower daily transfer limit and increase it only when needed
  6. Review your accounts regularly for unauthorized transactions
  7. Use the bank's official security features — DBS Security Lockdown, OCBC Kill Switch, UOB Lock
  8. Report suspicious messages to your bank and to ScamAlert.sg

What to Do If You Suspect a Phishing Attack

  1. Do not interact with the suspicious message or caller
  2. Call your bank immediately using the official hotline on the back of your card
  3. Activate the kill switch if available (OCBC Kill Switch, DBS Security Lockdown)
  4. File a police report as soon as possible
  5. Contact the Anti-Scam Centre at 1800-722-6688
  6. Change your banking passwords from a known secure device
  7. Monitor your accounts closely for the following weeks

Share Banking Details Securely

There are legitimate situations where you need to share account numbers, PayNow details, or banking information with trusted parties — an employer for salary credit, a lawyer for a transaction, or a family member for emergencies. Sending these details through WhatsApp or iMessage in plain text creates a permanent record that can be compromised.

Use LOCK.PUB to share banking details through a password-protected, auto-expiring link. The recipient enters the agreed password, views the information once, and it disappears after the set expiration. No permanent record in your chat history, no screenshots to worry about.

The Bottom Line

Banking phishing is the most financially devastating scam category in Singapore. The OCBC SMS scam demonstrated that even sophisticated, tech-savvy users can fall victim when scammers exploit trust in familiar communication channels. The single most important rule: your bank will never ask you to click a link, provide your OTP, or share your password through any channel.

When you need to share financial details securely, use LOCK.PUB instead of plain text messages. Your bank accounts hold your life savings — protect them with the suspicion they deserve.
