facebook-pixel

Phishing Attacks in Singapore: How to Recognize and Avoid Them

L
Lunyb Security Team
··9 min read

Phishing attacks in Singapore have become one of the most damaging categories of cybercrime, costing victims hundreds of millions of dollars each year. From fake DBS login pages to SMS messages impersonating SingPost, IRAS, and the Ministry of Health, scammers are using increasingly convincing tactics to steal credentials, one-time passwords, and money. This guide explains how phishing works locally, the red flags to watch for, and the practical steps every Singapore resident and business should take to stay safe.

What Are Phishing Attacks?

Phishing is a form of social engineering where attackers impersonate a trusted organisation — such as a bank, government agency, or delivery company — to trick you into revealing sensitive information or clicking a malicious link. In Singapore, phishing is the entry point for many of the country's largest scam categories, including e-commerce fraud, job scams, and investment scams.

According to the Singapore Police Force's annual scam statistics, phishing-related losses have consistently ranked among the top scam types, with victims losing tens of millions of dollars annually to fraudulent SMS, emails, and websites impersonating local institutions.

Why Singapore Is a Prime Target for Phishing

Several factors make Singapore an attractive target for phishing operators based both locally and overseas:

  • High digital adoption: Singapore has one of the world's highest rates of digital banking, PayNow, and e-government service usage.
  • Concentrated banking sector: A small number of major banks (DBS, OCBC, UOB, Standard Chartered, Citibank) means attackers can craft highly targeted templates.
  • Trusted government communications: Residents are accustomed to receiving legitimate SMS from agencies like IRAS, HDB, MOM, and ICA — which scammers exploit through spoofing.
  • High-value victims: Singapore's affluent population makes even a small success rate financially lucrative.
  • Language and cultural familiarity: Scammers now write in fluent Singlish-adjacent English, referencing local brands like Shopee, Lazada, Grab, and SingPost.

Common Types of Phishing Attacks in Singapore

1. SMS Phishing (Smishing)

SMS-based phishing remains the most widespread technique in Singapore. Since the introduction of the SMS Sender ID Registry (SSIR), unregistered aggregator IDs now appear as "Likely-SCAM", but attackers have shifted to alphanumeric spoofing, look-alike domains, and messages sent via international numbers or overseas SIMs.

Typical smishing examples include:

  • "Your DBS account has been suspended. Verify at dbs-secure-sg.com"
  • "SingPost: Your parcel is on hold due to unpaid customs fee of S$1.20"
  • "IRAS: You have a tax refund of S$358. Click to claim."
  • "MyInfo verification required. Log in via this link within 24 hours."

2. Email Phishing

Email phishing in Singapore commonly impersonates:

  • Local banks with fake statement or transaction alerts
  • Microsoft 365 and Google Workspace login prompts targeting SMEs
  • SingPass and CorpPass "account expiry" notices
  • Cloud storage share notifications (OneDrive, Dropbox, Google Drive)

Business Email Compromise (BEC) is a particularly costly variant, where attackers impersonate suppliers or company executives to redirect invoice payments — a threat MAS and the Cyber Security Agency of Singapore (CSA) have repeatedly warned about.

3. Voice Phishing (Vishing)

Voice phishing scams in Singapore often begin with a call claiming to be from SingTel, StarHub, ICA, or the Singapore Police Force. Victims are told their line will be cut, they are implicated in a crime, or their SingPass has been compromised, then transferred to a fake "officer" who requests bank details or OTPs.

4. Fake Websites and Malicious Apps

Attackers frequently register domains that closely resemble legitimate ones — for example, dbs-sg-login.com or ocbc-verify.net. Some scams go further by tricking victims into installing Android APK files outside the Play Store, giving attackers full remote access to the phone, including banking apps and OTP messages.

5. QR Code Phishing (Quishing)

Fraudulent QR codes have appeared on stickers placed over legitimate ones at hawker centres, coffee shops, and even bubble tea outlets. Scanning them leads to fake PayNow or payment pages that harvest login credentials.

Red Flags: How to Recognize a Phishing Attempt

Most phishing messages share a recognisable set of warning signs. Learn to scan for these before clicking anything:

  1. Urgency and fear: "Your account will be closed in 24 hours", "Immediate action required".
  2. Requests for OTPs, passwords, or SingPass credentials: No legitimate bank or government agency will ever ask for these.
  3. Suspicious sender: Emails from public domains (@gmail.com) claiming to be from banks, or SMS from international numbers.
  4. Look-alike domains: Extra words, hyphens, or unusual TLDs like .xyz, .top, or .cc.
  5. Unexpected attachments or APK files: Especially .zip, .html, or Android installers.
  6. Generic greetings: "Dear Customer" instead of your name.
  7. Grammar and formatting errors: Odd capitalisation, spacing, or currency formats (e.g., "SGD1,000.00-" instead of "S$1,000").
  8. Too-good-to-be-true offers: Tax refunds, lucky draws, unclaimed CDC vouchers, or investment returns.

Comparison: Legitimate vs Phishing Communications

Indicator Legitimate (e.g., DBS, IRAS) Phishing Attempt
Sender ID Registered SSIR ID (e.g., "DBS", "IRAS") "Likely-SCAM", unknown +65 number, or overseas number
Links Official domain (dbs.com.sg, iras.gov.sg) Look-alike domain, URL shortener with no context, or IP address
Request for OTP Never requested via SMS/email/call Frequently requested "to verify identity"
Tone Neutral, informational Urgent, threatening, or overly rewarding
Personalisation Uses your registered name, last 4 digits Generic "Dear Customer" or "Dear User"
Attachments Rarely; usually links to secure portal APKs, HTML files, or password-protected ZIPs

How to Verify a Suspicious Link Safely

Before clicking any link — especially shortened ones — take a few seconds to verify it:

  1. Hover over the link on desktop to preview the destination URL.
  2. Expand shortened URLs using a link preview tool before opening them.
  3. Type the domain directly into your browser rather than clicking.
  4. Check the ScamShield app or forward the message to 9крupled reporting channels.
  5. Cross-reference with official channels — call the bank's number on the back of your card, not the number in the message.

When you shorten or share links yourself, choose a service that emphasises transparency and safety. Tools like Lunyb provide clean, trackable short links without the shady redirects that malicious shorteners often use, which helps recipients trust the URLs you send. If you're evaluating options, our 2026 buyer's guide to URL shorteners compares the safest and most reliable providers.

Practical Steps to Protect Yourself

For Individuals

  1. Enable the Money Lock feature offered by DBS, OCBC, UOB, and other local banks to ring-fence savings from digital transfers.
  2. Install ScamShield (developed by the National Crime Prevention Council and Open Government Products) to filter scam calls and SMS.
  3. Turn on Singpass face verification for high-risk transactions.
  4. Use hardware or app-based two-factor authentication instead of SMS OTP where possible.
  5. Never sideload Android apps from links sent via SMS, WhatsApp, or Telegram.
  6. Keep your OS and browser updated and enable Google Play Protect or equivalent.
  7. Use encrypted DNS (such as 1.1.1.1 for Families or Quad9) to automatically block many known phishing domains at the network level.

For Businesses and SMEs

  1. Enforce multi-factor authentication across email, CRM, and finance platforms.
  2. Deploy DMARC, SPF, and DKIM to prevent your domain from being spoofed.
  3. Train employees quarterly using simulated phishing exercises.
  4. Establish a payment verification protocol — always confirm bank detail changes by phone using a known number.
  5. Segment finance systems so a single compromised inbox cannot authorise large transfers.
  6. Subscribe to CSA SingCERT advisories for local threat intelligence.

What to Do If You've Been Phished

Speed matters. If you suspect you've clicked a phishing link or shared credentials, act within minutes:

  1. Call your bank immediately using the hotline on the back of your card. Most Singapore banks have 24/7 fraud hotlines and can freeze accounts on the spot.
  2. Change your passwords — start with email, then banking, Singpass, and any account sharing the same password.
  3. Revoke active sessions in your email and Singpass account settings.
  4. Factory reset your phone if you installed an APK or granted accessibility permissions.
  5. File a police report online at eservices.police.gov.sg or in person at any Neighbourhood Police Centre.
  6. Report the scam at ScamShield (scamshield.gov.sg) and forward phishing SMS to 9crime channels.
  7. Notify PDPC if personal data was leaked from a business account.

The Role of Regulation and Industry Response

Singapore has taken several steps to reduce phishing at a systemic level:

  • SMS Sender ID Registry (SSIR): Mandatory registration for all organisations sending SMS, reducing spoofing.
  • Shared Responsibility Framework (SRF): Introduced by MAS and IMDA, this framework sets out how banks and telcos share liability for phishing losses when duties are breached.
  • Anti-Scam Command (ASCom): A dedicated Singapore Police Force unit that works with banks to freeze funds within hours.
  • Digital Platforms Act and Online Criminal Harms Act: Give authorities power to compel platforms to remove scam content and accounts.

Despite these efforts, phishing continues to evolve — AI-generated voice clones, deepfake video calls, and increasingly localised content are now appearing in Singapore-targeted campaigns. Personal vigilance remains the strongest layer of defence.

Frequently Asked Questions

How do I report a phishing SMS or email in Singapore?

You can report phishing attempts through the ScamShield app or website (scamshield.gov.sg), forward suspicious SMS via the app, and file a police report at eservices.police.gov.sg. For phishing emails impersonating your bank, forward them to the bank's dedicated abuse address (for example, phishing@dbs.com or ocbcphishing@ocbc.com).

Will my bank refund me if I fall victim to a phishing scam?

Under the Shared Responsibility Framework, banks and telcos may bear part of the loss if they failed specific duties (such as not sending real-time transaction alerts). However, if you voluntarily disclosed your OTP or credentials, you may still bear most or all of the loss. Report the incident within minutes to maximise the chance of freezing funds.

Are shortened URLs always dangerous?

No. Shortened URLs are widely used by legitimate businesses for marketing, tracking, and clean sharing. The risk depends on the shortener and the sender. Reputable services enforce anti-abuse policies and scan links for malware. Be cautious of short links from unknown senders and use a link preview tool if you're unsure of the destination.

What is the difference between phishing and smishing?

Phishing is the general term for social-engineering attacks that impersonate trusted entities to steal information. Smishing is specifically phishing delivered via SMS. In Singapore, smishing is currently the most common delivery channel because SMS is heavily used for banking alerts, delivery updates, and government communications.

Can antivirus software alone protect me from phishing?

Antivirus and endpoint security help but are not sufficient on their own. Modern phishing often bypasses antivirus by relying purely on social engineering — no malware is installed, only credentials are stolen. A layered approach combining ScamShield, multi-factor authentication, encrypted DNS, cautious browsing habits, and up-to-date software offers the best protection.

Final Thoughts

Phishing attacks in Singapore are becoming more sophisticated, but the core defence has not changed: slow down, verify, and never share OTPs or credentials. Combining local tools like ScamShield and Money Lock with universal best practices — strong authentication, careful link inspection, and staying informed via CSA advisories — will protect you against the vast majority of attempts. Whether you're an individual protecting your CPF and savings or an SME safeguarding customer data, treating every unexpected message with healthy scepticism is the single most valuable habit you can build.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles