Phishing Attacks in Singapore: How to Recognize and Avoid Them in 2026
Phishing attacks in Singapore have become one of the most serious cybersecurity threats facing residents, businesses, and even government agencies. According to the Singapore Police Force, scam-related losses crossed S$1.1 billion in recent reporting periods, with phishing scams consistently ranking among the top three threat categories. Whether you bank with DBS, OCBC, or UOB, shop on Shopee, or use SingPass, you are a target.
This guide explains how phishing works in the Singapore context, walks through the most common attack types you'll encounter locally, and provides a clear, actionable framework to protect yourself and your organization.
What Is a Phishing Attack?
A phishing attack is a form of social engineering where criminals impersonate trusted entities — banks, government agencies, delivery companies, or telcos — to trick victims into revealing sensitive information such as passwords, OTPs, NRIC numbers, or credit card details. The goal is usually financial theft, identity fraud, or unauthorized access to digital accounts.
In Singapore, phishing is uniquely dangerous because attackers exploit local trust signals: SingPass logins, MAS-regulated bank branding, IRAS tax notices, and even Ministry of Health (MOH) communications. A well-crafted phishing message can look almost identical to the real thing.
Why Singapore Is a Prime Target for Phishing
Several factors make Singapore an attractive market for phishing syndicates:
- High digital adoption: Over 92% of Singaporeans use online banking, and SingPass underpins access to more than 2,000 government and private services.
- High average wealth: Successful scams yield larger payouts compared with many other markets.
- Multilingual population: Attackers craft messages in English, Mandarin, Malay, and Tamil to maximize reach.
- Trust in institutions: Singaporeans tend to trust SMS and email from banks and government bodies, which scammers exploit.
- Cross-border syndicates: Many operations are run from outside Singapore, making prosecution difficult.
Common Types of Phishing Attacks in Singapore
1. SMS Phishing (Smishing)
Smishing is the most prevalent phishing vector in Singapore. Victims receive an SMS pretending to be from DBS, POSB, OCBC, UOB, Singtel, StarHub, or SP Group, often warning of a suspicious transaction, unpaid bill, or locked account. The SMS contains a shortened or lookalike URL leading to a fake login page.
Although the Singapore SMS Sender ID Registry (SSIR) has reduced spoofing of legitimate sender IDs, scammers now use random local and overseas numbers, or sender IDs like "INFO" and "BANK-ALERT".
2. Email Phishing
Email phishing in Singapore commonly impersonates:
- IRAS — fake tax refunds or outstanding tax notices
- SingPost — undelivered parcel notifications
- Shopee, Lazada, and Amazon — fake order confirmations
- MOH and ICA — fake health declarations or immigration notices
- Microsoft 365 and Google Workspace — fake password expiry alerts
3. Voice Phishing (Vishing)
Vishing calls often spoof numbers belonging to the Singapore Police Force, MAS, or local banks. Scammers claim the victim is involved in money laundering or that their bank account has been compromised. Calls from overseas numbers now show a "+" prefix warning, but many victims still fall for follow-up SMS or WhatsApp messages.
4. WhatsApp and Telegram Phishing
Job scams, investment scams, and fake e-commerce deals proliferate on WhatsApp and Telegram. Victims are added to groups, sent shortened links to fake trading platforms or cloned bank login pages, and pressured to act quickly.
5. QR Code Phishing (Quishing)
The infamous 2023 bubble tea survey scam in Singapore involved a malicious QR code that installed malware capable of draining bank accounts. Quishing remains active, with fake QR codes appearing on parking meters, hawker stalls, and promotional flyers.
6. SingPass Phishing
Because SingPass unlocks banking, CPF, IRAS, and HDB services, it's a high-value target. Fake SingPass login pages are distributed via SMS and email, often tied to fake "government grant" or "GST voucher" announcements.
Real-World Phishing Examples Seen in Singapore
Example 1: The DBS "Unusual Transaction" SMS
Victims receive: "DBS Alert: A transaction of S$988.00 was attempted. If not you, verify at dbs-secure-sg.com". The link leads to a near-perfect replica of DBS digibank, harvesting username, PIN, and SMS OTP in real time.
Example 2: The IRAS Tax Refund Email
An email claims the victim is owed a S$427 tax refund and must log in via SingPass. The fake SingPass page captures credentials and 2FA codes, allowing attackers to access CPF and bank accounts.
Example 3: The Job Scam
A WhatsApp message offers "part-time work liking videos" with daily payouts. After small initial earnings, victims are pushed to deposit funds into a fake task platform — and lose everything.
How to Recognize a Phishing Attempt: 10 Red Flags
- Urgency or fear: "Your account will be suspended in 24 hours."
- Unexpected links: Shortened or unusual domains like dbs-verify-sg.net instead of dbs.com.sg.
- Requests for OTP, PIN, or password: No legitimate bank or government agency in Singapore will ever ask for these.
- Generic greetings: "Dear Customer" instead of your name.
- Spelling and grammar mistakes, even subtle ones.
- Mismatched sender addresses: An email "from DBS" sent from a Gmail or random domain.
- Attachments you didn't request, especially .apk, .zip, or .html files.
- Calls from overseas (+) numbers claiming to be local agencies.
- QR codes in unexpected places or stickers pasted over original ones.
- Offers that seem too good to be true: guaranteed investment returns, free GST vouchers, or instant job payouts.
How to Verify a Suspicious Link Before Clicking
Most phishing attacks succeed because victims click a malicious link before thinking. Here's a quick verification process:
- Hover before you click. On desktop, hover over the link to preview the destination URL.
- Check the domain carefully. Legitimate Singapore bank domains end in .com.sg or .com — not .xyz, .top, or -secure.net.
- Expand shortened URLs. Use a URL expander or a trustworthy link checker to reveal the final destination before visiting.
- Use the official app instead. If your bank "emails" you about an issue, open the app directly and check notifications there.
- Call the official hotline. Verify any urgent claim using numbers from the official website, not the SMS or email.
If you manage marketing or transactional links for your business, using a reputable shortener that provides HTTPS, link previews, and abuse monitoring — such as Lunyb — helps your customers trust your messages and reduces the chance of your brand being impersonated. For a deeper comparison of shortener options used in the region, see our 2026 buyer's guide to URL shorteners.
Phishing Attack Types Comparison
| Attack Type | Channel | Common Impersonation | Risk Level in SG |
|---|---|---|---|
| Smishing | SMS | DBS, OCBC, Singtel, SingPost | Very High |
| Email Phishing | IRAS, Microsoft, Shopee | High | |
| Vishing | Phone call | SPF, MAS, banks | High |
| WhatsApp/Telegram | Messaging apps | Job recruiters, investment firms | Very High |
| Quishing | QR codes | F&B outlets, parking, surveys | Medium |
| SingPass Phishing | Email/SMS | Singapore Government | High |
How to Protect Yourself: A Step-by-Step Guide
1. Enable Strong Authentication Everywhere
Turn on SingPass Face Verification and biometric logins for banking apps. Avoid SMS-only OTPs where stronger alternatives exist.
2. Activate the Money Lock Feature
DBS, OCBC, UOB, and other local banks offer a "Money Lock" or "Vault" feature that prevents online transfers from a portion of your savings. Lock the bulk of your funds.
3. Set Lower Transaction Limits
Reduce default transfer and PayNow limits in your banking app. Most scams rely on quickly draining large balances.
4. Download Only From Official App Stores
Following anti-malware measures by MAS and IMDA, Singapore banking apps now block transactions if sideloaded apps or accessibility services are detected. Never install APK files sent via WhatsApp or SMS.
5. Register With the ScamShield App
The ScamShield app, developed by the National Crime Prevention Council, blocks known scam SMSes and calls. Pair it with the ScamShield Helpline (1799) for verification.
6. Keep Devices Updated
Install iOS, Android, and browser updates promptly. Many phishing kits exploit outdated browsers to drop malware.
7. Use a Password Manager
Password managers autofill credentials only on the legitimate domain — so if you land on a fake bank page, the manager won't fill in your password, giving you an extra hint that something's wrong.
8. Educate Family Members
Elderly relatives are disproportionately targeted. Walk them through what real bank communications look like and what they will never ask for.
What to Do If You've Been Phished
- Call your bank immediately using the 24/7 anti-scam hotline (e.g., DBS: 1800-339-6963).
- Freeze your accounts via the banking app's "kill switch" or branch.
- Report to the Singapore Police Force at 1800-255-0000 or online via the e-Services portal.
- File a report with ScamShield at 1799 or through the ScamShield app.
- Change all related passwords, including email and SingPass.
- Revoke SingPass access at singpass.gov.sg if you suspect credentials were stolen.
- Scan your device for malware and consider a factory reset if you installed any suspicious app.
Phishing Protection for Businesses in Singapore
Businesses face additional risks from Business Email Compromise (BEC) and supply-chain phishing. Recommended controls:
- Implement DMARC, SPF, and DKIM on all corporate domains.
- Adopt phishing-resistant MFA (passkeys or FIDO2 security keys).
- Run quarterly phishing simulations and CSA-aligned training.
- Use a branded link shortener with HTTPS and click analytics for outbound marketing, so customers can recognize your trusted domain.
- Subscribe to alerts from SingCERT (Cyber Security Agency of Singapore).
- Comply with the PDPA when responding to phishing-related data breaches.
If you're evaluating branded link tools for customer communications, our Rebrandly review and honest Lunyb review compare options on trust, security, and pricing.
FAQ: Phishing Attacks in Singapore
1. How common are phishing attacks in Singapore?
Phishing-related scams consistently account for the largest share of cybercrime in Singapore. Tens of thousands of cases are reported each year, with total losses regularly exceeding S$100 million annually. Underreporting means the real number is even higher.
2. Will DBS, OCBC, or UOB ever ask for my OTP or password?
No. Singapore banks have publicly committed that they will never ask for your full password, PIN, or SMS OTP via call, SMS, email, or WhatsApp. Any such request is a scam.
3. Are shortened URLs safe to click?
Shortened URLs themselves are not malicious — they are widely used by legitimate businesses. The risk depends on the source. If a short link arrives unexpectedly from an unknown sender, expand or preview it first. Reputable shortener services like Lunyb provide HTTPS, abuse monitoring, and click analytics that help reduce phishing abuse.
4. What should I do if I clicked a phishing link but didn't enter anything?
Close the page immediately, clear your browser cache, run a malware scan, and monitor your accounts for suspicious activity. If the page automatically downloaded a file (especially .apk), do not open it — delete it and consider a factory reset, particularly on Android devices.
5. Can I get my money back after a phishing scam?
Recovery depends on speed and circumstances. Singapore's Shared Responsibility Framework (SRF), in effect from December 2024, requires banks and telcos to share responsibility for losses if they fail to meet anti-scam duties. Reporting within minutes gives you the best chance — banks can sometimes recall transfers before funds leave the country.
Final Thoughts
Phishing attacks in Singapore are sophisticated, localized, and constantly evolving. The good news is that nearly every successful attack relies on the victim clicking, calling, or sharing something they shouldn't. By learning the red flags, slowing down before acting, using the protective tools offered by local banks and government agencies, and verifying links before you click, you can dramatically reduce your risk.
Stay skeptical. When in doubt, hang up, delete the message, and verify through official channels. In the fight against phishing, a few seconds of caution can save you years of financial damage.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
How Hackers Use Shortened URLs to Spread Malware (2026 Guide)
Shortened URLs hide their true destination, making them a favorite tool for cybercriminals delivering malware, phishing, and credential theft. Learn the top attack tactics hackers use in 2026 — and the practical steps you can take to protect yourself, your business, and your customers from malicious short links.
Phishing Attacks: How to Recognize and Avoid Them in 2026
Phishing attacks have grown more convincing than ever in 2026, powered by AI and stolen personal data. Learn how to spot red flags, avoid common scams, and respond quickly if you click a malicious link. This complete guide covers email phishing, smishing, vishing, and the practical defenses that actually work.
Zero Trust Security Model Explained Simply: A Complete 2026 Guide
Zero Trust security flips traditional cybersecurity on its head with one simple rule: never trust, always verify. This guide explains the Zero Trust model in plain language, covering core principles, key components, and a practical roadmap to start implementing it in any organization.
QR Code Scams in Singapore: How to Stay Safe in 2026
QR code scams — or quishing — are one of the fastest-growing threats in Singapore, draining millions from victims via fake PayNow stickers, malicious APKs, and Singpass clones. This guide breaks down how the scams work, how to spot them, and what to do if you're hit.