
Cyber Incident Victim: National Commercial Bank Jamaica

Date: Apr 2022

Location: Jamaica

Summary

Approximately 12 customers of National Commercial Bank Jamaica lost around $18 million in a coordinated cyber fraud campaign involving smishing and phishing tactics. Fraudsters sent deceptive text messages and emails impersonating the bank, tricking customers into clicking malicious links and divulging personal information. The attackers then conducted follow-up vishing calls to obtain authentication token codes, enabling them to register as account beneficiaries and initiate unauthorized fund transfers. The bank confirmed its internal systems remained secure, attributing the compromise solely to customers inadvertently providing sensitive credentials through these social engineering schemes. Losses accumulated over a 10-day period through these multi-channel deception techniques.


Description

Between mid and late April 2022, approximately 12 customers of Jamaica's National Commercial Bank (NCB) collectively lost around JMD $18 million (approximately USD $115,000 at the time) through a coordinated cyber fraud campaign. The attack occurred over a 10-day period through smishing (SMS phishing) and phishing techniques, where customers received fraudulent text messages and emails containing links disguised as legitimate NCB communications. Customers who clicked these links were directed to counterfeit interfaces where they unknowingly surrendered personal banking credentials. Following initial credential harvesting, victims received follow-up phone calls (vishing) from individuals falsely identifying themselves as NCB representatives. These callers requested token codes (authentication mechanisms customers used to access certain banking services) under false pretenses.


Attackers utilized the stolen credentials and token codes to add themselves as beneficiaries on the compromised accounts, enabling unauthorized fund transfers totaling the reported $18 million. NCB's Manager of Special Investigations, Dane Nicholson, publicly confirmed the incident by May 1, 2022, emphasizing that the bank's internal systems remained secure and uncompromised. The attack exclusively exploited customer interactions with fraudulent external channels rather than breaching NCB's infrastructure. Nicholson clarified the technical distinction between the attack vectors: phishing via email, smishing via SMS, and vishing via fraudulent voice calls. The confirmed financial impact was limited to the 12 identified customers, with no broader institutional financial loss disclosed. NCB did not publicly detail specific recovery efforts for affected customers or whether any funds were reclaimed, focusing instead on assuring customers of system integrity while highlighting the social engineering nature of the scam.
