KINGSTON, Jamaica— At least $22 million have been defrauded from the accounts of National Commercial Bank (NCB) customers in smishing attacks since the start of the year.
More than half of this amount was defrauded a little over a week ago, Dane Nicholson, Manager for Special Investigations in the bank’s Fraud Unit, said.
“So, over the last 10 days or so we have seen close to $18 million, but for the year starting from January 1 to current, is about $23 million thereabout that customers have lost to smishing and phishing attacks,” Nicholson revealed.
Smishing is a type of scam in which fraudsters send fraudulent text messages to trick people into handing over sensitive information about their bank accounts. Phishing is a similar scam carried out via email.
Nicholson told OBSERVER ONLINE that the money taken over the last 10 days was from the accounts of about a dozen customers.
He said the police are on board with the bank’s investigations and so far, one person has been arrested in connection with the attacks. He expects more arrests.
The attacks have forced the bank to enact new policies. “We have implemented a no click, no link policy,” Nicholson explained. “So once customers get these SMS or email messages with a link in there asking them to click on it, please we are advising the customers not to click on them because we have a no click, no link policy.”
Explaining the scam, Nicholson said the fraudsters would send customers messages purporting to be from NCB. The messages would ask them to click a link to either regain access to their accounts, reset passwords that are about to expire, or verify info because of a suspicious transaction on their accounts.
Once they click, the link takes them to a page resembling NCB’s login page that asks them to provide their username or password. After they do this, the link times out or they get an error message.
“So, they would have submitted their username and password in that phishing attack. That is where the fraudster would gain sufficient information now on the customers and would now call them back to pretend to be an employee of the bank,” he explained.
“And we have seen where they have called customers pretending to be me, Dane Nicholson, asking customers to verify suspicious transactions and to stop the fraud they need to provide them with their token number. Once the customers provide their token code, that is when fraudsters would have sufficient information to add beneficiaries to their account to execute the fraudulent transactions.”
Nicholson said in some instances, based on investigations, the page also takes them to another page that asks them for their 16-digit credit card number, CVV number and the expiry date.
He said the bank identified some customers who fell victim to the attacks. “Others reached out to us to say that they have clicked on the link and persons would have called them and they would have divulged information. So those customers have reported the matter to us,” he said.