
National Commercial Bank Jamaica

Aliases: 2 aliases
Primary URL: www[.]ncbja[.]com
Location: Jamaica
Industry: Financial Services
Profile

National Commercial Bank Jamaica, operating as NCB, is a financial institution headquartered in Jamaica. The organization provides banking services to its customer base. In late April 2022, NCB experienced a significant incident involving a coordinated cyber fraud campaign targeting its customers. Approximately twelve customers were affected, with total losses reaching around eighteen million Jamaican dollars. The fraudsters employed a multi-channel social engineering strategy, beginning with deceptive text messages (smishing) and emails (phishing) that impersonated the bank. These communications tricked customers into clicking malicious links and subsequently divulging their personal and account credentials. Following this initial data compromise, the attackers conducted follow-up telephone calls (vishing) to the same victims, specifically targeting them to obtain one-time authentication token codes. With this combination of stolen credentials and active authentication tokens, the fraudsters were able to register themselves as beneficiaries on the compromised accounts. This unauthorized access enabled them to initiate and execute fund transfers, siphoning money from the victims' accounts over a ten-day period. The accumulation of these small, unauthorized transfers resulted in the substantial reported loss.

NCB's investigation into the incident concluded that its internal banking systems and infrastructure remained secure and were not breached. The bank officially attributed the entire financial compromise to the customers inadvertently providing their sensitive information through the external social engineering schemes. This distinction highlights the attack's reliance on human manipulation rather than a technical exploit of the bank's own networks or software vulnerabilities. The fraud campaign demonstrates a sophisticated, persistent approach where attackers used multiple communication vectors to build enough trust and gather sufficient data to bypass standard customer-facing security measures. The incident serves as a case study in how financial institutions can be impacted by attacks that circumvent technical defenses by targeting the end-user, emphasizing the critical role of customer awareness in overall financial security. The bank's public statements focused on this external attribution, clarifying that the vulnerability originated with customer actions in response to fraudulent communications, not from any failure in the bank's operational security protocols.

Incidents
1 incident