facebook-pixel

Phishing Attacks in Singapore: How to Recognize and Avoid Them in 2026

L
Lunyb Security Team
··9 min read

Phishing attacks in Singapore have reached record levels, with the Singapore Police Force reporting hundreds of millions of dollars lost to scams each year — a significant portion delivered through deceptive emails, SMS, and fake websites. As one of Asia's most digitally connected societies, Singapore is a prime hunting ground for cybercriminals who impersonate banks, government agencies, delivery firms, and popular e-commerce platforms.

This guide explains how phishing works in the Singapore context, the specific tactics used against locals, and the practical steps you can take to protect yourself, your family, and your business.

What Are Phishing Attacks?

Phishing is a form of social engineering where attackers pose as trusted entities to trick victims into revealing sensitive information such as passwords, SingPass credentials, credit card numbers, or one-time passwords (OTPs). Attacks can arrive through email, SMS (smishing), phone calls (vishing), WhatsApp, Telegram, and even QR codes (quishing).

The goal is almost always the same: get the target to click a malicious link, download a harmful file, or hand over information that unlocks their accounts.

Why Singapore Is a Top Target

  • High digital adoption: Nearly universal internet and smartphone penetration means more potential victims.
  • Cashless payments: PayNow, PayLah!, and card-linked wallets are attractive to fraudsters.
  • Trusted institutions: Attackers exploit the strong public trust in DBS, OCBC, UOB, IRAS, ICA, and SingPost.
  • Multilingual population: Scams are crafted in English, Mandarin, Malay, and Tamil to widen reach.

Common Types of Phishing Attacks in Singapore

Understanding the categories helps you spot new variants faster. Here are the most active phishing formats seen locally.

1. Banking and PayNow Phishing

Fake SMS or emails claim your DBS, OCBC, UOB, or Standard Chartered account has been suspended, or that an unauthorised PayNow transfer needs verification. The link leads to a cloned banking login page designed to steal credentials and OTPs in real time.

2. Government Impersonation Scams

Scammers pretend to be from IRAS (tax refund), ICA (passport or visa issues), MOM (work pass), MOH (COVID-related), or SPF. Messages often reference SingPass login and threaten legal action if you do not respond immediately.

3. Delivery and E-Commerce Phishing

Fake SingPost, Ninja Van, Shopee, Lazada, or Qoo10 notifications tell you a parcel is stuck at customs and a small fee is required. The payment page harvests card details.

4. Job Scams via WhatsApp and Telegram

Victims receive unsolicited offers for "part-time work-from-home jobs" paying generous commissions. After a few small payouts, targets are asked to top up funds — which vanish.

5. Investment and Cryptocurrency Phishing

Fake trading platforms impersonate MAS-licensed brokers or celebrities like local business figures to lure users into depositing money. Withdrawal is impossible.

6. QR Code Phishing (Quishing)

Stickers with malicious QR codes are placed over legitimate ones at hawker centres, bubble tea shops, or car park meters. Scanning leads to fake PayNow or credit card pages.

Red Flags: How to Recognize a Phishing Attempt

Most phishing messages share telltale signs. Train yourself to pause and check for the following indicators before clicking any link.

  1. Urgency and fear: "Your account will be closed in 24 hours," "Immediate action required," or threats of arrest.
  2. Suspicious sender addresses: Emails from dbs-secure-sg.com instead of dbs.com.sg, or SMS from unknown +65 numbers or overseas codes.
  3. Requests for OTPs or passwords: No legitimate Singapore bank, government agency, or telco will ever ask for these.
  4. Generic greetings: "Dear Customer" instead of your actual name.
  5. Poor grammar or odd phrasing: Awkward English, wrong currency symbols, or inconsistent branding.
  6. Mismatched URLs: Hover over links — if the visible text says "OCBC" but the URL points elsewhere, it's a scam.
  7. Unusual payment methods: Requests for gift cards, cryptocurrency, or transfers to personal bank accounts.
  8. Too-good-to-be-true offers: Lottery wins you never entered, tax refunds you didn't apply for, or huge investment returns.

Real Examples of Phishing in Singapore

The SingPass Login Scam

Victims receive an SMS claiming their SingPass is suspended. Clicking the link opens a near-perfect clone of the SingPass portal. Once credentials and Face Verification are handed over, attackers access CPF, HDB, IRAS, and banking services.

The Fake DBS "Unauthorised Transaction" Alert

An SMS warns of a S$1,200 charge and asks the user to "cancel" via a link. The fake site captures the login, prompts for an OTP, and drains the account within minutes.

The Ninja Van Parcel Fee

A message states a package is held pending a S$0.99 redelivery fee. The card entered is later used for high-value overseas purchases.

Comparison: Phishing Channels and Their Risk Levels

Channel Common Impersonations Risk Level Key Defence
SMS (Smishing) Banks, SingPost, ICA, IRAS Very High Never click links; use official apps
Email Microsoft 365, banks, employers High Verify sender domain, use spam filters
WhatsApp / Telegram Job offers, investment groups Very High Ignore unsolicited chats, block strangers
Phone Calls Police, MOH, China officials High Hang up, call the agency directly
QR Codes PayNow, parking, F&B menus Medium Check for tampering, inspect URL preview
Social Media Ads E-commerce, crypto brokers Medium Buy only from verified official pages

How to Protect Yourself from Phishing in Singapore

A layered defence works best. Combine technology, habits, and awareness.

1. Use the ScamShield App

Developed by the National Crime Prevention Council and Open Government Products, ScamShield blocks known scam calls and filters suspicious SMS. It is free on iOS and Android.

2. Enable Multi-Factor Authentication

Turn on two-factor authentication (2FA) for email, banking, SingPass, and social media. Prefer app-based authenticators (Google Authenticator, Microsoft Authenticator) or hardware keys over SMS-based codes when possible.

3. Verify Links Before Clicking

Shortened or unfamiliar links are common in phishing. Use a link preview or expander tool to see the true destination first. When sharing links yourself for work or marketing, use a reputable, transparent shortener with click analytics and malware scanning such as Lunyb — this helps recipients trust your links and lets you monitor for abuse. For a broader comparison of options, see our 2026 URL shorteners buyer's guide.

4. Set Money Locks on Bank Accounts

DBS, OCBC, and UOB now offer "Money Lock" features that ring-fence a portion of funds so they cannot be transferred digitally — even if your account is compromised.

5. Keep Software Updated

Install operating system, browser, and app updates promptly. Many phishing kits rely on outdated browsers to deliver additional malware.

6. Use Encrypted DNS and a Private Browser

Enable encrypted DNS (DoH or DoT) in Chrome, Edge, or Safari to reduce the chance of being redirected to a malicious clone site over untrusted Wi-Fi. Consider privacy-focused browsers like Brave or Firefox with tracking protection.

7. Never Share OTPs or SingPass Credentials

Treat OTPs the same way you treat cash. Once given, they cannot be recovered. No bank employee, police officer, or government agency will ever request them.

8. Bookmark Official Sites

Access banking, SingPass, IRAS, and CPF only via bookmarks or the official mobile apps — never via links in messages.

What to Do If You've Been Phished

Speed matters. Every minute counts once credentials are stolen.

  1. Contact your bank immediately. DBS: 1800-339-6963, OCBC: 1800-363-3333, UOB: 1800-222-2121. Ask for account freeze and card cancellation.
  2. Change compromised passwords from a clean device — email, SingPass, and any accounts sharing that password.
  3. Report to the police at 1800-255-0000 or file online at police.gov.sg. Provide screenshots, phone numbers, and transaction details.
  4. Report the scam to ScamShield or via the anti-scam hotline 1799.
  5. Reset your SingPass at singpass.gov.sg and check activity logs for unauthorised access.
  6. Notify contacts if the attackers may have gained access to your email, WhatsApp, or social accounts — they may attempt to phish others through you.
  7. Run a malware scan on any device that opened the phishing link or attachment.

Phishing Protection for Singapore Businesses

SMEs are increasingly targeted with Business Email Compromise (BEC), fake invoices, and CEO fraud. Key measures include:

  • Deploy DMARC, SPF, and DKIM on your domain to reduce email spoofing.
  • Train staff quarterly with simulated phishing exercises.
  • Implement a dual-approval process for any payment or bank detail change.
  • Segment access — finance staff should not share credentials with general users.
  • Use branded, monitored short links for marketing campaigns so customers can spot fakes more easily. Our honest review of Lunyb and our Rebrandly review cover reputable options.
  • Maintain an incident response plan aligned with the Cyber Security Agency of Singapore (CSA) guidelines.

The Role of Regulators and Industry

The Monetary Authority of Singapore (MAS) has mandated stricter measures for banks, including the removal of clickable links in SMS and emails, delayed activation of new digital tokens, and a Shared Responsibility Framework that assigns liability between banks, telcos, and consumers when phishing losses occur. The Infocomm Media Development Authority (IMDA) has also implemented the SMS Sender ID Registry to block unregistered alphanumeric sender IDs — a major source of scam SMS.

Despite these steps, criminals adapt quickly. Personal vigilance remains the strongest layer of defence.

Frequently Asked Questions

How can I tell if an SMS from my bank is real?

Since 2022, Singapore banks no longer include clickable links in SMS to customers. If a message from "DBS", "OCBC", or "UOB" contains a URL, treat it as a scam. Always log in through the official mobile app or a bookmarked website.

Is SingPass safe to use?

Yes, SingPass itself is highly secure, particularly with Face Verification and app-based logins. The risk is not the platform but users being tricked into entering credentials on fake sites. Never approve a SingPass login you did not initiate.

What should I do if I clicked a phishing link but did not enter any information?

Close the page immediately, clear your browser history and cache, run a full antivirus scan, and monitor your accounts for unusual activity over the next few weeks. If a file was downloaded, do not open it and consider a factory reset if unsure.

Can I recover money lost to a phishing scam in Singapore?

Recovery is possible but not guaranteed. Report to your bank and the police within minutes for the best chance. Under the Shared Responsibility Framework, banks and telcos may compensate victims if they failed in their duties — but users who shared OTPs willingly typically bear the loss.

Are QR code scams really a threat in Singapore?

Yes. Cases have been reported at hawker centres, bubble tea shops, and even parking meters, where scammers stick fraudulent QR codes over legitimate ones. Always inspect QR codes for tampering, and check that the URL preview matches the expected merchant before paying.

Final Thoughts

Phishing in Singapore is a fast-moving, well-funded threat, but it is not unbeatable. Attackers rely on urgency, familiarity, and momentary lapses in judgment. By slowing down, verifying senders, protecting your OTPs, and using tools like ScamShield, Money Lock, and reputable link platforms, you drastically reduce your exposure.

Share this article with family members — especially elderly relatives, who are disproportionately targeted — and make phishing awareness a regular household and workplace conversation. Staying informed is the single most effective defence against Singapore's most persistent cybercrime.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles