
Phishing Attacks in Singapore: How to Recognize and Avoid Them in 2026

Lunyb Security Team

Phishing attacks in Singapore have escalated into one of the most damaging forms of cybercrime, with victims losing over S$651 million to scams in 2023 alone, according to the Singapore Police Force. As phishing tactics become more sophisticated—mimicking banks, government agencies, and delivery services—every Singaporean needs to know how to spot and stop these attacks before they cause harm.

This guide explains what phishing looks like in the Singapore context, the most common scam patterns targeting locals, and the practical steps you can take to defend yourself, your family, and your business.

What Are Phishing Attacks?

Phishing is a cybercrime where attackers impersonate trusted organizations—such as DBS, OCBC, SingPost, IRAS, or MOM—to trick victims into revealing sensitive information like passwords, OTPs, NRIC numbers, or banking credentials. These attacks typically arrive via SMS, email, WhatsApp, phone calls, or fake websites.

In Singapore, phishing has evolved beyond simple email scams. Attackers now use AI-generated voices, deepfake videos, and highly localized lures referencing GST vouchers, CDC vouchers, MyInfo, and SingPass to appear legitimate.

Why Singapore Is a High-Value Target

  • High digital adoption: Over 92% of Singaporeans use online banking, making credential theft lucrative.
  • Wealth concentration: Singapore's high per-capita income attracts financially motivated attackers.
  • Trust in institutions: Citizens are conditioned to trust government and bank communications—an exploitable trait.
  • Multilingual environment: Scammers exploit English, Mandarin, Malay, and Tamil to broaden reach.

Common Types of Phishing Attacks in Singapore

1. SMS Phishing (Smishing)

Smishing remains the #1 phishing vector in Singapore. Victims receive SMS messages claiming to be from banks, SingPost, or government agencies, urging them to click a link to "verify" an account or "reschedule" a delivery.

Common red flags include shortened or unfamiliar URLs (e.g., dbs-secure-verify.com), urgent language, and requests for OTP codes.

2. Email Phishing

Email scams in Singapore often impersonate IRAS (tax refunds), MOM (work pass updates), or corporate IT departments. Many use spoofed sender addresses and convincing logos.

3. Voice Phishing (Vishing)

Scammers call victims pretending to be police officers, MAS officials, or bank fraud investigators. They claim the victim is involved in money laundering and pressure them to transfer funds to a "safe account."

4. WhatsApp and Telegram Phishing

Job scams, investment scams, and impersonation of friends/family on WhatsApp have surged. Attackers often hijack WhatsApp accounts by tricking victims into sharing 6-digit verification codes.

5. QR Code Phishing (Quishing)

Fake QR codes are placed over legitimate ones at hawker centers, parking machines, and even on flyers. Scanning leads to malicious payment pages or malware downloads.

6. Spear Phishing and Business Email Compromise (BEC)

These are targeted attacks aimed at finance staff at SMEs, in which attackers impersonate the CEO or a vendor to redirect invoice payments. BEC losses in Singapore exceeded S$90 million in 2023.

How to Recognize a Phishing Attack: 7 Warning Signs

  1. Unusual sender address: Check carefully—support@dbs-sg.com is not the same as support@dbs.com.sg.
  2. Urgency or threats: "Your account will be suspended in 24 hours" is a classic pressure tactic.
  3. Requests for OTP, password, or NRIC: No legitimate Singapore bank or government agency will ever ask for these via SMS, email, or call.
  4. Suspicious links: Hover over links before clicking. Legitimate Singapore government sites end in .gov.sg.
  5. Generic greetings: "Dear Customer" instead of your actual name.
  6. Spelling and grammar errors: Especially in emails claiming to be from major institutions.
  7. Unexpected attachments: Especially .zip, .exe, or macro-enabled Office files.

Real Phishing Examples Targeting Singaporeans

Scam Type | Lure / Pretext | Common Red Flag
SingPost Delivery Scam | "Your parcel could not be delivered. Reschedule here." | Link to non-singpost.com.sg domain
Bank Verification Scam | "Unusual login detected. Verify your account." | Asks for full password and OTP
IRAS Tax Refund | "You are eligible for a S$540 refund." | IRAS never refunds via SMS link
SingPass Reactivation | "Your SingPass has been suspended." | Domain is not singpass.gov.sg
Job Scam (Telegram) | "Earn S$300/day reviewing products." | Requires upfront payment or crypto
Police/MAS Impersonation | "You're under investigation for money laundering." | Demands fund transfer to "safe account"
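
The sender-address and link checks from the warning signs and the table above can be automated for triage. The following is an added example, not Lunyb code: it compares the hostname of a link or sender address against the official domains named in this article. The function names and the login-check.example host are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Official domains named on this page, mapped to the brand token scammers imitate.
OFFICIAL = {"dbs.com.sg": "dbs", "singpost.com.sg": "singpost",
            "singpass.gov.sg": "singpass"}
GOV_SUFFIX = ".gov.sg"  # the page's rule: government sites end in .gov.sg


def extract_host(value: str) -> str:
    """Hostname of a URL, bare domain or e-mail address, lowercased."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value  # urlsplit only recognises a host after '//'
    try:
        # .hostname drops any 'user@' prefix and port, so it also handles
        # e-mail addresses and 'https://dbs.com.sg@other-host/' tricks.
        host = urlsplit(value).hostname or ""
    except ValueError:
        return ""
    return host.lower().rstrip(".")


def is_under(host: str, domain: str) -> bool:
    """True for the domain itself or a real subdomain (label-boundary match)."""
    return host == domain or host.endswith("." + domain)


def classify(value: str) -> str:
    host = extract_host(value)
    if not host:
        return "invalid"
    if host.endswith(GOV_SUFFIX) or any(is_under(host, d) for d in OFFICIAL):
        return "official"
    # Brand name present but host is outside the official domain. Substring
    # matching over-flags on purpose: this is triage, not a verdict.
    if any(brand in host for brand in OFFICIAL.values()):
        return "lookalike"
    return "unverified"


if __name__ == "__main__":
    # Constructed samples; login-check.example is a made-up host.
    for sample in ("support@dbs.com.sg", "support@dbs-sg.com",
                   "https://dbs-secure-verify.com/login",
                   "https://singpass.gov.sg.login-check.example/auth",
                   "https://www.iras.gov.sg/", "notdbs.com.sg"):
        print(f"{classify(sample):<11} {sample}")
```

The label-boundary match is what separates singpass.gov.sg from a host that merely starts with that string. Internationalised (punycode) homoglyph domains are not covered by this check.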

How to Protect Yourself From Phishing in Singapore

1. Enable the SMS Sender ID Registry

Since 2023, all organizations sending SMS to Singapore numbers must register their Sender IDs. Any SMS from an unregistered sender is automatically labeled "Likely-SCAM"—treat these as phishing by default.

2. Use the ScamShield App

Developed by the Singapore Police Force and the National Crime Prevention Council, ScamShield blocks known scam calls and SMS. It's free on both iOS and Android.

3. Turn On Money Lock and Transaction Limits

Major Singapore banks (DBS, OCBC, UOB) now offer Money Lock features that segregate funds and prevent online transfers—even if scammers obtain your credentials.

4. Verify Links Before Clicking

Always type bank or government URLs manually rather than clicking links. For shortened links you receive, use a link preview or expander tool to see the destination first. When sharing links yourself, use a trusted shortener with built-in malware scanning—platforms like Lunyb generate secure short URLs that protect both you and your recipients from malicious redirects.

5. Use Multi-Factor Authentication (MFA)

Enable MFA on all critical accounts: SingPass, banks, email, and social media. Prefer authenticator apps or hardware keys over SMS-based OTPs where possible.

6. Keep Devices and Apps Updated

Most phishing-related malware exploits known vulnerabilities. Enable automatic updates on your phone, browser, and antivirus software.

7. Educate Family Members—Especially Seniors

Elderly Singaporeans are disproportionately targeted by impersonation scams. Walk them through ScamShield, Money Lock, and the rule: never share OTPs with anyone, ever.

What to Do If You've Been Phished

  1. Act immediately—every minute counts. Call your bank's 24/7 fraud hotline to freeze accounts and reverse transactions if possible.
  2. Change passwords on all affected accounts, starting with email and banking.
  3. Report to the Singapore Police Force via the i-Witness portal or call the Anti-Scam Helpline at 1800-722-6688.
  4. Report to ScamShield so the scam number/URL is added to the national blocklist.
  5. Notify the PDPC if personal data of others (e.g., customers) was compromised in a business context. Singapore's PDPA requires breach notification within 72 hours for notifiable breaches.
  6. Monitor credit and accounts for unauthorized activity over the following weeks.

Phishing and Singapore Law

Phishing is a criminal offence under multiple Singapore statutes:

  • Computer Misuse Act: Unauthorized access to computer material carries fines up to S$10,000 and/or 3 years' imprisonment.
  • Penal Code (Cheating): Section 420 covers fraud, with penalties up to 10 years' jail.
  • Personal Data Protection Act (PDPA): Organizations whose negligence enables phishing-related data breaches face fines up to 10% of annual Singapore turnover. For deeper context, see our guide on PDPA vs GDPR key differences.
  • Online Safety Act: Provides additional powers to take down scam content. Read our complete guide to the Singapore Online Safety Act 2026.

Phishing Defenses for Singapore Businesses

Technical Controls

  • Implement DMARC, SPF, and DKIM to prevent email spoofing of your domain.
  • Deploy email security gateways with sandbox detonation for attachments.
  • Use endpoint detection and response (EDR) tools across all employee devices.
  • Enforce MFA company-wide, ideally with phishing-resistant methods like FIDO2 keys.
  • Use branded, trackable short links from reputable providers when sending customer communications—see our roundup of the best URL shorteners with custom domains for trustworthy options.

Human Controls

  • Run quarterly phishing simulations and track click rates.
  • Train finance teams to verify payment changes via a second channel (e.g., phone call).
  • Establish a clear internal reporting channel (e.g., "phishing@yourcompany.sg").
  • Maintain an incident response plan aligned with PDPA breach notification requirements.

Emerging Phishing Trends in 2026

  • AI-generated deepfakes: Scammers clone executives' voices and faces for video calls authorizing fraudulent payments.
  • Hyper-personalized lures: Attackers scrape LinkedIn and Telegram to craft messages referencing real colleagues and projects.
  • Browser-in-the-browser attacks: Fake popup windows that mimic SingPass or Google login screens within legitimate sites.
  • Adversary-in-the-middle (AiTM) phishing: Real-time proxying that bypasses traditional MFA by stealing session cookies.
  • Multi-channel scams: Coordinated SMS + WhatsApp + phone call sequences to build false credibility.

Frequently Asked Questions

How do I report a phishing SMS or email in Singapore?

Forward suspicious SMS to 7726 (the universal short code for spam reporting), report to the ScamShield app, and lodge a report at the SPF i-Witness portal. For phishing emails impersonating your company, also notify the Singapore Cyber Emergency Response Team (SingCERT).

Will my bank refund me if I fall for a phishing scam?

Under Singapore's Shared Responsibility Framework (SRF), which took effect in December 2024, banks and telcos share liability for phishing scam losses if they fail to meet their duties (e.g., not blocking unauthorized SMS senders). However, victims who voluntarily share OTPs may bear partial or full responsibility. Always report immediately to maximize chances of recovery.

Are HDB and CDC voucher scams common?

Yes. Scammers regularly impersonate the People's Association or HDB, sending SMS about voucher "claims" that lead to fake login pages. Genuine voucher claims are made only through go.gov.sg/cdcv via SingPass—never through SMS links.

What should I do if I shared my SingPass credentials with a scammer?

Immediately log in to SingPass and change your password, revoke any active sessions, and contact the SingPass Helpdesk at 6643-0555. Then file a police report and check your CPF, IRAS, and HDB accounts for unauthorized activity.

Can businesses be fined for phishing-related data breaches in Singapore?

Yes. The PDPC can impose fines of up to S$1 million or 10% of annual Singapore turnover, whichever is higher, on organizations that fail to protect personal data. Notifiable data breaches must be reported within 72 hours. Businesses operating across jurisdictions should also review breach reporting in other regions, such as our guide on reporting data breaches to the ICO in the UK and ePrivacy compliance in Ireland.

Final Thoughts

Phishing attacks in Singapore are growing in both volume and sophistication, but they remain preventable with awareness and the right tools. The fundamentals haven't changed: verify before you click, never share OTPs, enable MFA, and report anything suspicious. Combine these habits with ScamShield, Money Lock, and your organization's technical controls, and you'll dramatically reduce your risk.

Stay vigilant, stay updated, and when in doubt—pause, verify, and report.
