Phishing Attacks in Singapore: How to Recognize and Avoid Them
Phishing attacks in Singapore have grown from a nuisance into one of the country's most damaging cybercrime categories. In 2023 alone, Singapore Police Force data showed that scam victims lost over S$651 million, with phishing-based scams making up a significant chunk of those losses. From fake SingPost delivery notices to counterfeit DBS and OCBC login pages, attackers are getting sharper, faster, and disturbingly local in tone.
This guide breaks down what phishing looks like in the Singapore context, how to recognise the most common tactics, and what practical steps you can take to avoid falling victim.
What Are Phishing Attacks?
Phishing is a form of social engineering where attackers impersonate a trusted party — a bank, government agency, delivery company, or employer — to trick you into handing over sensitive information or clicking a malicious link. The goal is usually to steal login credentials, credit card numbers, OTPs, or install malware on your device.
In Singapore, phishing has evolved beyond generic "Nigerian prince" emails. Modern attacks use local branding, Singlish phrasing, .sg domain lookalikes, and even reference real Singaporean institutions like IRAS, CPF Board, MOM, and Singpass.
Common Types of Phishing in Singapore
- Email phishing — Fake emails from "DBS", "IRAS", or "SingPost" asking you to verify details.
- Smishing (SMS phishing) — Text messages about failed deliveries, unpaid tolls, or suspicious bank activity.
- Vishing (voice phishing) — Phone calls impersonating SPF officers, MAS staff, or China officials.
- Spear phishing — Highly targeted emails aimed at specific employees, often in finance or HR roles.
- Whaling — Attacks aimed at C-suite executives, often involving fake invoices or wire transfer requests.
- QR code phishing (quishing) — Malicious QR codes placed in public spaces or emails.
Why Singapore Is a Prime Target
Singapore's high digital adoption, PayNow ubiquity, and Singpass-linked services make it a lucrative environment for phishers. A single stolen Singpass credential can unlock CPF accounts, HDB records, tax filings, and even bank onboarding at other institutions.
Additionally, Singaporeans are used to receiving legitimate notifications from government bodies via SMS and email — the same channels that phishers exploit. When something looks slightly official and mentions "MOH", "ICA", or "LTA", people tend to lower their guard.
Key Local Factors That Enable Phishing
- Widespread reliance on SMS-based OTPs (though banks are transitioning to Singpass-based authentication).
- High trust in local brands like DBS, POSB, UOB, OCBC, Singtel, and SingPost.
- Heavy e-commerce activity via Shopee, Lazada, and Carousell.
- Cross-border messaging platforms (WhatsApp, Telegram) used for both personal and work communication.
- Multilingual population — attackers can rotate between English, Mandarin, Malay, and Tamil.
Real Examples of Phishing Attacks in Singapore
Understanding real cases helps you spot patterns. Here are some of the most common phishing playbooks reported by the Singapore Police Force and the Cyber Security Agency (CSA):
1. The OCBC SMS Scam (2021–2022)
Victims received SMS messages appearing to come from OCBC, warning of suspicious account activity. The messages contained links to fake OCBC login pages. Nearly 790 people lost approximately S$13.7 million within weeks. The scam was so damaging that OCBC issued goodwill payouts to all affected victims.
2. SingPost Redelivery Scam
An SMS or email claims a parcel could not be delivered and asks you to pay a small "redelivery fee" via a linked page. The page harvests card details, which are then used for large unauthorised purchases.
3. Fake IRAS Tax Refund Emails
Emails claiming you're eligible for a tax refund, complete with an official-looking IRAS letterhead. The link leads to a credential-harvesting page mimicking Singpass login.
4. Job Scam Phishing on Telegram and WhatsApp
Unsolicited messages offering "easy work-from-home tasks" — reviewing products, liking videos, or boosting hotel ratings. Victims are eventually asked to "top up" funds or provide bank details.
How to Recognise a Phishing Attempt
Recognising phishing comes down to noticing small inconsistencies that a legitimate sender's message would not contain. Here's a quick reference table:
| Warning Sign | What It Looks Like | Legitimate Behaviour |
|---|---|---|
| Urgency | "Your account will be suspended in 24 hours!" | Banks give you time and multiple channels to respond. |
| Suspicious sender | support@dbs-sg-secure.com | Legitimate emails come from official domains like dbs.com.sg. |
| Requests for OTP | "Please enter your OTP to verify." | No Singapore bank or agency asks for your OTP via SMS or call. |
| Odd links | bit.ly/dbs-verify or dbs-login.xyz | Official links are on the bank's own domain. |
| Generic greetings | "Dear valued customer" | Real institutions typically address you by name. |
| Poor grammar | Spelling errors, awkward phrasing | Official communications are professionally proofread. |
Check the URL Before You Click
Attackers rely heavily on lookalike URLs — think dbs-sg.com instead of dbs.com.sg, or singp0st.net instead of singpost.com. If a link uses a shortener, hover over it (on desktop) or long-press it (on mobile) to preview the destination.
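The same check can be automated in a mail filter or helpdesk triage script. The sketch below is an added example, not part of the original article: it uses the official domains and lookalike links quoted in this guide, while the digit-swap map and the `.example` host are constructed for illustration.

```python
from urllib.parse import urlsplit

# Official domains named in the article, mapped to the brand string to watch for.
OFFICIAL = {"dbs.com.sg": "dbs", "singpost.com": "singpost",
            "singpass.gov.sg": "singpass"}

# Constructed map of digit-for-letter swaps (e.g. the "0" in singp0st).
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def hostname_of(url: str) -> str:
    """Return the host a browser would connect to, lower-cased.

    urlsplit() drops any "user@" prefix and the port, so
    "https://dbs.com.sg@other.example/" yields "other.example".
    """
    if "://" not in url:
        url = "http://" + url  # bare "bit.ly/abc" style links
    try:
        return (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:  # malformed netloc
        return ""


def classify(url: str) -> str:
    """Label a link 'official', 'lookalike', 'unknown' or 'invalid'."""
    host = hostname_of(url)
    if not host:
        return "invalid"
    # Official only if the host IS the domain or ends with ".<domain>".
    for domain in OFFICIAL:
        if host == domain or host.endswith("." + domain):
            return "official"
    # A brand name anywhere else in the host (after undoing digit swaps)
    # means the link borrows the brand without being on its domain.
    normalised = host.translate(DIGIT_SWAPS)
    if any(brand in normalised for brand in OFFICIAL.values()):
        return "lookalike"
    return "unknown"  # e.g. a shortener: the destination is not visible


if __name__ == "__main__":
    # Links from the article plus constructed variants.
    for link in ["https://dbs.com.sg/login", "http://dbs-sg.com/",
                 "https://singp0st.net/pay", "bit.ly/dbs-verify",
                 "https://dbs.com.sg.secure-check.example/"]:
        print(f"{classify(link):10} {link}")
```

The brand-substring test is a heuristic and can flag unrelated hosts that happen to contain "dbs"; a result of "unknown" for a shortened link means the destination still has to be previewed before it can be judged.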
If you use link shorteners for your own business communications, choose one with transparency and click analytics. Trusted shortener platforms like Lunyb allow recipients to see where a link leads and give owners audit trails — the opposite of what phishers want. For a broader comparison of trustworthy shorteners, see our 2026 buyer's guide.
How to Avoid Falling Victim
Phishing prevention is a mix of technical safeguards and behavioural discipline. Neither alone is enough — but together, they dramatically reduce your risk.
Behavioural Habits
- Pause before clicking. Phishers rely on emotional reactions — fear, excitement, urgency. A 10-second pause often reveals the scam.
- Type URLs manually. Instead of clicking a link, open your browser and type the official address (e.g., dbs.com.sg).
- Verify through a second channel. Received a suspicious message from "HR"? Call or Teams-message them directly.
- Never share OTPs. No legitimate bank, MAS officer, or SPF officer will ever ask for your OTP.
- Be cautious of QR codes in public places — stickers can be placed over legitimate ones.
Technical Safeguards
- Enable Singpass Face Verification for high-risk logins.
- Use hardware security keys (like YubiKey) for critical accounts such as Google, Microsoft, and cryptocurrency exchanges.
- Turn on the Money Lock feature offered by DBS, OCBC, and UOB to ring-fence a portion of your savings from digital transfers.
- Keep devices updated — many phishing kits exploit older browser vulnerabilities.
- Use encrypted DNS (like Cloudflare's 1.1.1.1 or Quad9) to block known malicious domains at the network level.
- Install anti-phishing browser extensions from reputable providers.
- Use the ScamShield app, a free tool developed by the Singapore government to filter scam calls and SMS.
What to Do If You've Been Phished
Speed matters. The faster you act, the higher the chance of recovering funds and stopping further damage.
- Contact your bank immediately. Every major Singapore bank has a 24/7 fraud hotline (e.g., DBS: 1800-339-6963, OCBC: 1800-363-3333, UOB: 1800-222-2121).
- Change your passwords for the compromised account and any accounts sharing the same password.
- Report to the police via 999 (urgent) or the SPF's online portal at police.gov.sg/iwitness.
- File a report with ScamShield and the Anti-Scam Centre.
- Notify Singpass if your Singpass credentials may have been compromised — call 6335 3533.
- Freeze credit with the Credit Bureau Singapore if identity theft is suspected.
- Scan your device for malware and consider a factory reset if you clicked a suspicious download.
Phishing in the Workplace: What Singapore Businesses Should Do
For businesses, especially SMEs that make up over 90% of Singapore's enterprises, phishing is often the entry point for ransomware and Business Email Compromise (BEC). The Cyber Security Agency of Singapore recorded a sharp rise in BEC-related losses across 2023 and 2024.
Company-Level Protections
- Deploy DMARC, SPF, and DKIM for your email domain to prevent spoofing.
- Run quarterly phishing simulations to train staff.
- Enforce multi-factor authentication across all business accounts.
- Use domain monitoring to detect lookalike domains being registered against your brand.
- Vet all link-shortening tools used in marketing to ensure they support HTTPS, analytics, and revocation. See our Rebrandly review for a look at enterprise options.
- Establish a clear reporting channel — employees should know exactly who to forward suspicious emails to.
The Role of Government and Industry in Singapore
Singapore has taken a proactive stance. The Shared Responsibility Framework (SRF), rolled out by MAS and IMDA in 2024, defines how banks and telcos must share responsibility with victims when specific safeguards fail. The government has also introduced:
- The SMS Sender ID Registry (SSIR), which blocks unregistered alphanumeric SMS senders by default.
- The Anti-Scam Command (ASCom) under SPF, consolidating investigation and recovery efforts.
- Mandatory kill switches across major retail banks.
- The ScamShield ecosystem, including the app, hotline (1799), and website.
Despite these efforts, phishers continually adapt. Personal vigilance remains the strongest layer of defence.
Frequently Asked Questions
1. How do I report a phishing SMS or email in Singapore?
You can report suspicious messages to ScamShield via the app or by calling 1799. For financial fraud, contact your bank's fraud hotline immediately and file a police report at police.gov.sg. Suspicious emails can also be forwarded to the Singapore Cyber Emergency Response Team (SingCERT) at singcert@csa.gov.sg.
2. Will my bank refund me if I fall for a phishing scam?
Under Singapore's Shared Responsibility Framework, banks and telcos may be required to compensate victims if they failed to implement mandated safeguards. However, if you willingly gave away your OTP or credentials despite warnings, recovery is not guaranteed. Speed of reporting significantly affects outcomes.
3. Are shortened links always dangerous?
No. Shortened links are a legitimate marketing and communication tool. The danger comes from not knowing where a link leads. Reputable link shortening services offer preview features, HTTPS enforcement, and analytics, making them safer than random-looking domains. Always hover-preview before clicking, especially on unsolicited messages.
4. How can I tell if a Singpass login page is fake?
The genuine Singpass domain is always singpass.gov.sg. Never enter your Singpass credentials on any other domain, even if it looks identical. Enable Singpass Face Verification for additional protection, and use the official Singpass mobile app rather than logging in via SMS links.
5. Is ScamShield effective against phishing?
ScamShield is a strong first line of defence, blocking known scam numbers and SMS senders using a database maintained by the SPF and NCPC. However, it cannot catch every new scam, especially those on encrypted platforms like WhatsApp or Telegram. Combine it with personal vigilance and technical safeguards for best results.
Final Thoughts
Phishing attacks in Singapore are becoming more localised, more sophisticated, and more damaging. But they still rely on the same fundamentals: urgency, impersonation, and a single click. By slowing down, verifying through independent channels, and using the technical safeguards available to you, the vast majority of phishing attempts can be neutralised before they cause harm.
Cybersecurity in 2026 isn't just about tools — it's about habits. Build them now, and you'll be far ahead of the average target.