Online Report
Standard Chartered Bangladesh (SCB), the largest multinational bank operating in the country, has been hit by a sophisticated fraud scheme that has siphoned Tk27 lakh from 54 customers’ credit cards.
The scam surfaced in late August when several SCB customers received one-time passwords (OTPs) on their phones despite attempting no transactions.
Within seconds, Tk50,000 was withdrawn from their accounts via mobile financial service (MFS) platforms such as bKash and Nagad. The fraudsters then quickly transferred the funds to other MFS accounts and withdrew the cash.
The Business Standard Google News Keep updated, follow The Business Standard’s Google news channel
Following the incidents, SCB suspended the “Add Money” feature on MFS platforms like bKash and Nagad. Around Tk2.5 lakh was later recovered.
SCB reviewed the bank’s security and found no system breaches. It also reported the matter to Bangladesh Bank and law enforcement agencies.
In response, the central bank launched its investigation, with preliminary findings pointing to possible involvement of mobile network operators and third-party service providers in the fraud.
The investigation found no weaknesses on the customers’ part.
A central bank official from the payment systems department said their initial findings suggest the fraudsters accessed both credit card details and OTPs simultaneously.
“The leaked OTPs likely occurred between the aggregator (third party) and telecom operators, suggesting possible collusion,” the official said, requesting anonymity.
Standard Chartered refunds money clients lost in credit card fraud
He explained that third-party aggregators, also known as value-added service providers (VAS), include entities providing SMS gateway, bulk SMS, IVR, and mobile app integration. Early findings indicate that only SCB customers were targeted.
Meanwhile, SCB has refunded all affected clients. In a statement on Friday, CEO Naser Ezaz Bijoy said, “A team from Bangladesh Bank is visiting each stakeholder’s office to review their systems.”
He said the bank had reported the issue to law enforcement with supporting data.
How OTPs work during MFS transactions
When customers use an MFS app’s “Add Money” option, they must enter their credit card details and the amount. The request is sent to the card network (Visa, Mastercard, Amex, UnionPay), which forwards it to the issuing bank.
The bank’s security server generates an OTP and sends it via a third-party aggregator, which then delivers the code to the registered mobile number through mobile operators.
According to the investigation, after transferring funds to their own accounts, the fraudsters broke the amount into smaller sums across multiple MFS accounts registered in one district but licensed in another to avoid detection.
Cenbank response
Bangladesh Bank has already met with top officials from six banks, three MFS providers, and card networks Visa and Mastercard. It has also formed a special inspection team that will continue investigations over the next few days.
Next week, meetings chaired by a deputy governor will be held with banks and MFS providers. The central bank is preparing a circular restricting customers to use their credit cards only to add money to their own MFS accounts, not to others’.
How the issue surfaced
In recent weeks, several SCB customers took to social media claiming Tk50,000 was withdrawn from their accounts seconds after receiving an OTP, even though they did not share it or perform any transaction.
Victim Hasin Haider wrote on Facebook: “Tk50,000 was suddenly deducted from my SCB Visa card to a bKash account. I didn’t share the OTP with anyone, yet within 20 seconds the money was transferred.”
Another victim, Sadia Sharmin Brishti, said she lost Tk50,000 in a similar way despite using her card for over seven years without issues.
SCB officials said a total of Tk27 lakh was stolen from 54 customers’ credit cards. Local and global technical teams reviewed the bank’s security and found no system breaches.
SCB Managing Director Lutful Habib said 54 customers had filed complaints.
“We’ve informed law enforcement and Bangladesh Bank. Their investigation will reveal the truth and identify those responsible,” he said.
He added, “No weaknesses were found in our tech system. The fraud originated from MFS apps, which is why we’ve temporarily disabled credit card transfers to MFS.”
BB orders probe into Standard Chartered credit card scam
Md Abed-Ur-Rahman, head of cards at Midland Bank, told The Business Standard that stronger barriers could reduce online fraud.
“Multiple OTPs or fingerprint authentication could be required for large transactions. Both the initiating and acquiring countries should be inbound for extra security.”
He said most such incidents happen due to customer unawareness and urged clients to remain vigilant during digital transactions.
Following the incident, several banks have imposed limits on the amounts that can be transferred to MFS accounts through credit cards.