Protecting Customers from Phishing Scams
Enhancing the user experience and security of mobile transfers and payments
CLIENT & DURATION
Oversea-Chinese Banking Corporation (OCBC Bank)
Aug 2022 – Dec 2023
ROLE
Manager, Experience Design OCBC Bank
UX Design, User Interface Design, User Testing
CONTEXT
OCBC Bank, a leading financial services group in Southeast Asia, faced sophisticated phishing scams targeting customers. This project focused on designing user-facing security measures to help customers stay safe.
IMPACT
A series of anti-fraud measures has protected customers from various scams, preventing more than S$12 million in losses since their inception.
PROBLEM
Customers struggled to identify sophisticated, deceptive phishing scams.
Phishing attacks were on the rise, targeting customers via text.
Widespread customer deception was costing millions of dollars.
We needed a way to protect users before scams succeed.
APPROACH
Identify critical gaps
Map where customers are most vulnerable across key journeys, uncovering opportunities to strengthen protections.
Align stakeholders
Bring stakeholders together to clarify constraints, priorities, and immediate actions.
Balance business and user goals
Design user-focused solutions
Explore design approaches, ensuring security measures are intuitive and minimally intrusive.
Validate with users
Conduct user and stakeholder testing, iterating on pain points and refining flows to maximize safety, confidence, and adoption.
Identifying vulnerabilities across key user journeys
Aligning cross-functional teams to clarify constraints and priorities
Amid the urgency and uncertainty, I brought together business, legal, technical, and data stakeholders to establish shared understanding.
This alignment turned chaos into clarity—by consolidating fragmented inputs into a single “source of truth,” I helped teams focus on what mattered most, surfaced logic gaps, and assessed downstream impacts on both customers and internal teams. It clarified immediate priorities versus later-phase goals, ensuring design efforts were directed toward features that most effectively safeguarded users and reinforced trust in the bank.
Fig: Customer flows for pre, during, and post-fraud monitoring
Reassuring users, without alerting fraudsters
I mapped end-to-end communication flows of fraud monitoring stages to identify gaps.
Mapping the flows uncovered disjointed customer journeys that were overlooked. This allowed me to advocate for users while supporting business goals of reducing exposure to scams, preventing customer drop-off, and reinforcing trust in the bank.
Fig: "What goes on" communication flows
Navigating trade-offs between safety and seamlessness.
Interventions that could prevent large losses were prioritized—even at the expense of seamless UX—creating opportunities for the bank to step in when users couldn’t reliably detect fraud.
1. Prioritizing immediate defenses
When transitioning to a new system during the surge in scams, every minute mattered. I helped identify and prioritize essential security features for immediate release, while deferring lower-risk enhancements to later phases—ensuring the most critical safeguards were in place first.
2. Designing friction with empathy
At the same time, I recognized that these added layers of protection inevitably introduced friction. User research showed that while customers valued speed and ease, safety had to take precedence. My role was to balance these competing goals—refining the experience to keep new security checks intuitive and minimally disruptive, even as they introduced necessary pauses for fraud prevention.
SOLUTION
A scam-aware payment flow that builds user confidence.
PRE-TRANSACTION
Cooling periods
Cooling periods delay adding payees or increasing transaction limits, deterring fraud by allowing time for intervention.
Fig: Increase of transaction limit takes effect after 12 hours
PRE-TRANSACTION
Reduced transfer limits
Lowered default daily transfer limits with adjustable settings, and triggered notifications for all transfers from S$0.01.
Fig: Customers can adjust the transaction limits
DURING-TRANSACTION
Email authentication
Email authentication replaced SMS, using sender verification and spam filters to block phishing and ensure only verified emails reach recipients.
Fig: Customers must authenticate via email to complete transaction
POST-TRANSACTION
Flagging & verifying suspicious transactions
Algorithms flag suspicious transactions—such as blacklisted accounts or duplicate transfers—for review, and the bank confirms them with customers before processing.
Fig: Suspicious transactions will be flagged for further review
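How the controls above could combine into one decision path, as an added sketch that is not OCBC's implementation: the 12-hour delay and the S$0.01 notification threshold come from this page, while the 10-minute duplicate window, the immediate effect of lowering a limit, and all names and sample values are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

LIMIT_COOLING = timedelta(hours=12)       # from the page: increase takes effect after 12 hours
NOTIFY_FROM_CENTS = 1                     # from the page: notify on transfers from S$0.01
DUPLICATE_WINDOW = timedelta(minutes=10)  # assumption: what counts as a "duplicate transfer"

@dataclass
class Account:
    daily_limit_cents: int
    pending: tuple = ()                   # (new_limit_cents, effective_at) while cooling
    history: list = field(default_factory=list)  # processed (time, payee, cents)

    def request_limit_change(self, new_limit, now):
        if new_limit <= self.daily_limit_cents:
            # Assumption: lowering a limit reduces exposure, so it applies at once.
            self.daily_limit_cents, self.pending = new_limit, ()
        else:
            # Increases wait out the cooling period, leaving time to intervene.
            self.pending = (new_limit, now + LIMIT_COOLING)

    def effective_limit(self, now):
        if self.pending and now >= self.pending[1]:
            self.daily_limit_cents, self.pending = self.pending[0], ()
        return self.daily_limit_cents

def assess_transfer(acct, payee, cents, now, blacklist):
    """Return (decision, notify_customer) for one transfer request."""
    spent = sum(c for t, _, c in acct.history if t.date() == now.date())
    if spent + cents > acct.effective_limit(now):
        return "reject_over_limit", False
    notify = cents >= NOTIFY_FROM_CENTS
    duplicate = any(p == payee and c == cents and now - t <= DUPLICATE_WINDOW
                    for t, p, c in acct.history)
    if payee in blacklist or duplicate:
        return "hold_for_review", notify  # bank confirms with the customer first
    acct.history.append((now, payee, cents))
    return "process", notify

def demo():
    t0 = datetime(2023, 1, 1, 9, 0)       # constructed sample data throughout
    acct = Account(daily_limit_cents=100_000)
    acct.request_limit_change(500_000, t0)
    bl, h = {"MULE-ACCT"}, timedelta(hours=1)
    return [assess_transfer(acct, "ALICE", 200_000, t0 + h, bl),
            assess_transfer(acct, "ALICE", 200_000, t0 + 12 * h, bl),
            assess_transfer(acct, "ALICE", 200_000, t0 + 12 * h + timedelta(minutes=5), bl),
            assess_transfer(acct, "MULE-ACCT", 1, t0 + 13 * h, bl)]
```

The first request fails because the raised limit is still cooling; the repeat transfer and the blacklisted payee are held rather than rejected, matching the confirm-before-processing step described above.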
Validating critical flows and messaging through realistic scenario testing.
• Low-fidelity prototypes were tested with stakeholders to ensure the flow and content for flagged transactions aligned with business, legal, and operational priorities before moving to high-fidelity designs.
• High-fidelity prototypes were then tested with customers across two-factor authentication and suspicious transaction scenarios to gauge sentiment, verify usability, and ensure messaging was clear, calm, and effective.
Testing revealed that users wanted to know what happened with flagged transactions, but full disclosure could aid fraudsters. To balance these needs, I refined the messaging to emphasize next steps over causes and set clear expectations, reassuring users while maintaining safety.
Fig: Artefacts from customer interviews
IMPACT
Over S$12M in customer losses were prevented
Since launching in December 2021, the platform has continuously evolved, integrating customer feedback from surveys and app stores to refine its features.
Anti-fraud measures have prevented over S$12 million in potential losses, directly safeguarding users and supporting the business goal of maintaining customer trust and reducing exposure to scams.
REFLECTIONS
Designing for trust requires balancing empathy, security, and real-world trade-offs.
Navigating strategic trade-offs
The nature of the phishing surge prompted urgent security measures that, at times, compromised user experience to safeguard customers’ assets. Navigating strategic trade-offs between security and experience reminded me that urgent solutions can protect users today but limit them tomorrow. As behaviors evolve, these decisions must be continually reassessed to maintain both safety and trust.
Listening to users uncovers hidden friction
Reflecting on trade-offs also made me more attentive to how real users experience our designs. As part of broader security initiatives, the bank launched the Digital Silvers Programme to help older customers bank and pay safely online. I volunteered as a digital ambassador, teaching elders digital banking skills on weekends. Observing their struggles with small text, navigation, and document access uncovered frictions I hadn’t anticipated. It reminded me that designing for safety isn’t just about preventing scams, it’s about ensuring every user feels confident, capable, and supported in a digital environment.










