Phishing Attacks in Singapore: How to Recognize and Avoid Them

Lunyb Security Team

Phishing attacks in Singapore have surged into one of the most damaging categories of cybercrime, costing victims hundreds of millions of dollars each year. From fake DBS SMS messages to fraudulent SingPost delivery notices and impersonated government agencies, scammers have grown increasingly sophisticated in how they target Singaporeans. This guide explains how phishing works in the local context, the red flags you need to recognize, and the practical steps you can take to stay safe.

What Is a Phishing Attack?

A phishing attack is a form of social engineering where criminals impersonate trusted organizations to trick victims into revealing sensitive information such as passwords, OTPs, credit card numbers, or SingPass credentials. The attacker's goal is usually to gain unauthorized access to bank accounts, e-wallets, or corporate systems.

While phishing is a global problem, Singapore is a particularly attractive target because of its high digital banking adoption, widespread use of PayNow, and strong reliance on QR codes and government digital services. The Singapore Police Force has repeatedly flagged phishing scams as a top-ranking scam category, with losses regularly exceeding S$100 million annually.

Why Singapore Is a Major Target for Phishing

Several factors make Singapore especially vulnerable to phishing campaigns:

  • High digital banking penetration: Nearly every adult uses internet or mobile banking.
  • Trusted institutions to impersonate: DBS, OCBC, UOB, IRAS, MOM, ICA, and SingPost are household names scammers exploit.
  • SingPass as a single sign-on: One compromised SingPass can unlock dozens of government and financial services.
  • QR-based payments: PayNow and SGQR are easy to mimic in fake payment requests.
  • Multilingual population: Scammers craft messages in English, Mandarin, Malay, and Tamil to reach more victims.

Common Types of Phishing Attacks in Singapore

1. SMS Phishing (Smishing)

Smishing is the most prevalent phishing vector in Singapore. Victims receive an SMS claiming to be from a bank, telco, or government agency, urging them to click a link to verify an account, settle a fine, or reactivate a service. The link leads to a clone website that captures login credentials and OTPs in real time.

Common pretexts include:

  • "Your DBS account has been suspended. Verify now."
  • "SingPost parcel undelivered. Update address."
  • "LTA fine outstanding. Pay before suspension."
  • "IRAS tax refund pending. Claim now."

2. Email Phishing

Email phishing remains heavily used against both consumers and businesses. Attackers spoof the branding of Microsoft 365, Google Workspace, local banks, or vendors. Business email compromise (BEC) is especially costly in Singapore, where finance teams have been tricked into wiring large sums to fraudulent accounts.

3. Voice Phishing (Vishing)

Scammers call victims pretending to be from the Singapore Police Force, MOH, ICA, or a bank's anti-fraud team. They may use spoofed local numbers and even play recorded "press 1 to speak to an officer" prompts. Once trust is built, the victim is pressured to transfer funds or disclose credentials.

4. QR Code Phishing (Quishing)

Fraudulent QR stickers have been found pasted over legitimate PayNow QR codes at hawker centres and parking meters. Scanning leads to fake payment pages designed to harvest bank credentials.

5. Social Media and Messaging Phishing

WhatsApp, Telegram, and Facebook Marketplace are increasingly used to deliver phishing links disguised as job offers, investment opportunities, or part-time gig scams targeting students and homemakers.

Red Flags: How to Recognize a Phishing Attempt

Most phishing messages share recognizable warning signs. Train yourself and your family to pause whenever you see any of the following:

  1. Urgency or fear: "Your account will be closed in 24 hours."
  2. Unexpected links: Legitimate Singapore banks stopped sending clickable links in SMS in 2022.
  3. Mismatched sender details: Email domains that look almost right, like dbs-sg-security.com instead of dbs.com.sg.
  4. Requests for OTPs or passwords: No legitimate organization will ever ask for these.
  5. Generic greetings: "Dear Customer" instead of your name.
  6. Spelling and grammar errors: Particularly in messages claiming to be from MAS or IRAS.
  7. Suspicious attachments: Especially .zip, .htm, or .exe files in supposed invoices.
  8. Too-good-to-be-true offers: Tax refunds, lucky draws, or guaranteed investment returns.

Phishing Tactics Compared: Spot the Difference

| Attack Type | Primary Channel | Common Lure | Key Red Flag |
|---|---|---|---|
| Smishing | SMS / RCS | Bank or parcel alerts | Clickable link in SMS |
| Email phishing | Email | Account verification, invoices | Spoofed sender domain |
| Vishing | Phone call | Police or bank impersonation | Pressure to transfer funds |
| Quishing | QR code | Fake PayNow / parking | QR sticker overlaid on original |
| Social media phishing | WhatsApp / Telegram | Job or investment offers | Unverified recruiter, upfront fee |

How to Verify Suspicious Links Before Clicking

Shortened or unfamiliar links are a favourite tool of phishers because they hide the real destination. Before clicking any link, especially one received unexpectedly, take these steps:

  1. Hover before you click: On desktop, hover over the link to preview the actual URL.
  2. Expand short links: Use a link preview tool to see the final destination.
  3. Check the domain carefully: Look for subtle misspellings (dbs vs dlds, ocbc vs ocbe).
  4. Type the URL manually: If in doubt, go directly to the official app or website rather than clicking.
  5. Use trusted shorteners: Reputable services like Lunyb include link scanning and analytics that make malicious redirects easier to detect. For more on choosing safe link tools, see our 2026 buyer's guide to URL shorteners.
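The domain check in step 3, and the "mismatched sender details" red flag earlier, can be automated for triage. The following is an added example, not code from Lunyb or any bank: it compares a link's hostname against an allowlist of official domains and flags hosts that embed or misspell a brand name. The allowlist contents (apart from dbs.com.sg, which the article quotes), the function names and the sample URLs are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: official domain -> brand token. dbs.com.sg is quoted in the
# article; ocbc.com is added for illustration. Extend with your own list.
OFFICIAL = {"dbs.com.sg": "dbs", "ocbc.com": "ocbc"}

# Constructed sample links for demonstration only.
SAMPLES = ["https://www.dbs.com.sg/", "dbs-sg-security.com",
           "https://www.ocbe.com/login", "https://dbs.com.sg@login.example/"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'official', 'lookalike:<brand>' or 'unverified' for a link."""
    # .hostname ignores any "user@" prefix, so https://dbs.com.sg@host/ is
    # judged on "host", the server the browser would actually contact.
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").rstrip(".")
    for domain in OFFICIAL:
        if host == domain or host.endswith("." + domain):
            return "official"
    tokens = [t for t in host.replace("-", ".").split(".") if t]
    for brand in OFFICIAL.values():
        # Three-letter brands match only as exact tokens: one edit on "dbs"
        # also hits ordinary words such as "dns". Longer brands allow typos.
        limit = len(brand) // 4
        for tok in tokens:
            if tok == brand or (len(tok) >= 3 and edit_distance(tok, brand) <= limit):
                return f"lookalike:{brand}"
    return "unverified"


if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify(link):16} {link}")
```

Only "official" means the host is on the allowlist; "unverified" is not a clean bill of health, and a two-edit misspelling of a short brand (the dlds case above) lands there rather than under "lookalike".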

If you regularly share links professionally, it's worth understanding how legitimate shorteners handle security. Our honest review of Lunyb and our Rebrandly review both cover the trust and safety features that distinguish reputable platforms from the suspicious links used in phishing campaigns.

Practical Steps to Protect Yourself in Singapore

1. Enable the Money Lock Feature

DBS, OCBC, UOB, and several other Singapore banks now offer a "Money Lock" feature that ring-fences a portion of your savings so it cannot be transferred digitally, even if scammers obtain your login. Activate this for your emergency funds.

2. Use the ScamShield App

Developed by the National Crime Prevention Council and Open Government Products, ScamShield blocks known scam calls and SMS messages and lets you report suspicious content directly. It is available for both iOS and Android.

3. Turn On Two-Factor Authentication (2FA)

Use app-based authenticators (Google Authenticator, Microsoft Authenticator) rather than SMS OTPs where possible. SingPass already supports face verification, which is far more phishing-resistant than passwords alone.

4. Download Banking Apps Only from Official Stores

Singapore banks have moved to a "safe app" environment where banking apps detect sideloaded software and block transactions. Never install APK files sent via WhatsApp or SMS.

5. Verify Through Official Channels

If you receive a message claiming to be from your bank, IRAS, ICA, or MOM, log in to the official app or call the published hotline. Never use phone numbers or links provided in the suspicious message itself.

6. Keep Software Updated

Apply iOS, Android, Windows, and browser updates promptly. Many phishing kits exploit older browser vulnerabilities to install malware silently.

7. Use Encrypted DNS and Safe Browsing

Enable encrypted DNS (such as Cloudflare 1.1.1.1 or Quad9) on your devices to block known phishing domains at the network level. Chrome, Safari, and Edge's built-in Safe Browsing features also help filter malicious sites.

What to Do If You've Been Phished

Acting quickly can dramatically reduce the damage. If you suspect you have fallen for a phishing attack:

  1. Call your bank immediately using the 24/7 anti-scam hotline printed on the back of your card.
  2. Freeze affected accounts and revoke any active sessions in your banking app.
  3. Change passwords for SingPass, email, and any reused credentials.
  4. Report to the police via the Anti-Scam Centre at 1800-722-6688 or file a report at www.police.gov.sg/iwitness.
  5. Lodge a ScamShield report so the scam number or URL can be blocked for others.
  6. Notify IMDA if the phishing came via SMS or call, especially if it spoofed a Singapore number.
  7. Monitor your credit with Credit Bureau Singapore for unusual activity over the next 6-12 months.

Phishing Protection for Singapore Businesses

SMEs in Singapore are increasingly targeted by business email compromise and invoice fraud. Recommended baseline controls include:

  • Implement SPF, DKIM, and DMARC on all corporate domains.
  • Use Microsoft Defender or Google Workspace advanced phishing protection.
  • Mandate hardware security keys (FIDO2) for finance and admin staff.
  • Run quarterly phishing simulations and short training modules.
  • Establish a callback policy: any payment instruction received by email must be verified by phone using a previously known number.
  • Engage with the Cyber Security Agency of Singapore (CSA) and SingCERT advisories.

For businesses sharing campaign or marketing links, using a reputable link management platform with built-in malware scanning helps protect customers from being misled. Our comparison of Rebrandly's pricing and features is a good starting point for teams evaluating enterprise options.

The Role of Regulators and Industry in Singapore

The Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA) have rolled out the Shared Responsibility Framework, which clarifies how losses from phishing scams are apportioned between banks, telcos, and consumers. Key initiatives include:

  • SMS Sender ID Registry: Only registered organizations can send SMS using alphanumeric Sender IDs; unregistered ones are labeled "Likely-SCAM".
  • Removal of clickable links in customer SMS from local banks.
  • Anti-Scam Command: A police unit that works directly with banks to trace and freeze scam proceeds.
  • Money Lock and kill switches standardized across major banks.

These measures help, but personal vigilance remains the strongest defence.

Frequently Asked Questions

How common are phishing attacks in Singapore?

Phishing-related scams consistently rank among the top scam categories reported to the Singapore Police Force, with thousands of cases and losses exceeding S$100 million annually. Banking-related phishing and e-commerce phishing are the most reported subtypes.

Will my Singapore bank refund me if I'm scammed by phishing?

Under the Shared Responsibility Framework, banks and telcos may bear part of the loss if they failed to meet specified duties, but consumers can still be held responsible if they ignored clear warnings or shared OTPs willingly. Each case is assessed individually, which is why prevention is far more reliable than relying on reimbursement.

How do I report a phishing SMS or email in Singapore?

Forward suspicious SMS to 7726 (SPAM) or report through the ScamShield app. For emails, report to your email provider and to SingCERT via singcert@csa.gov.sg. If money has been lost, call the Anti-Scam Helpline at 1800-722-6688.

Can two-factor authentication completely prevent phishing?

2FA significantly raises the bar but is not foolproof. Real-time phishing kits can relay OTPs to attackers within seconds. Phishing-resistant methods such as passkeys, SingPass face verification, and FIDO2 hardware keys offer much stronger protection than SMS OTPs.

Is it safe to click on shortened links from people I know?

Only if you can verify the source. Compromised WhatsApp and Telegram accounts are frequently used to spread phishing links to contacts. When in doubt, ask the sender through a different channel before clicking, and use a link preview tool to inspect where the URL actually leads.

Final Thoughts

Phishing attacks in Singapore are evolving rapidly, blending technical sophistication with psychological pressure. The good news is that the vast majority of attacks can be defeated by a few consistent habits: pause before you click, verify through official channels, enable strong authentication, and use trusted tools when sharing or following links. Combined with national safeguards like ScamShield, Money Lock, and the SMS Sender ID Registry, an informed user in Singapore is well equipped to stay one step ahead of the scammers.
