facebook-pixel

Phishing Attacks in Singapore: How to Recognize and Avoid Them

L
Lunyb Security Team
··9 min read

Phishing attacks in Singapore have grown from clumsy email scams into highly convincing operations that mimic banks, government agencies, and delivery couriers with unsettling accuracy. According to the Singapore Police Force's annual scam reports, phishing-related losses continue to climb into the hundreds of millions of dollars each year, affecting everyone from students to senior executives. Understanding how these attacks work — and how to spot them before you click — is one of the most valuable digital skills a Singapore resident can develop in 2026.

This guide breaks down the most common phishing tactics used against Singaporeans, the psychological tricks behind them, and the practical steps you can take to protect your money, your identity, and your business.

What Are Phishing Attacks?

Phishing is a form of social engineering where attackers impersonate a trusted organisation or person to trick you into revealing sensitive information — passwords, OTPs, credit card numbers, Singpass credentials, or CPF details — or into installing malware. The goal is almost always financial theft, identity fraud, or unauthorised account access.

In Singapore, phishing typically arrives through four main channels:

  1. SMS (smishing) — fake texts from "DBS", "POSB", "SingPost", "IRAS", or "MOM".
  2. Email — spoofed messages from banks, e-commerce platforms, or government agencies.
  3. Phone calls (vishing) — impersonation of police officers, MAS staff, or China authorities.
  4. Messaging apps — WhatsApp, Telegram, and WeChat scams involving fake job offers, investment groups, or "friends in trouble".

The State of Phishing in Singapore

Singapore's high smartphone penetration, digital-first banking, and widespread use of Singpass make it a lucrative target. The Cyber Security Agency of Singapore (CSA) and the Singapore Police Force have repeatedly flagged phishing and job scams among the top scam types reported each year, with losses frequently exceeding S$600 million annually across all scam categories.

Several factors make local users particularly vulnerable:

  • Heavy reliance on SMS OTPs and PayNow for daily transactions.
  • Familiarity with government digital services, which attackers now imitate convincingly.
  • Frequent parcel deliveries from platforms like Shopee, Lazada, and Taobao — a favourite phishing hook.
  • Multilingual population, allowing scammers to tailor messages in English, Mandarin, Malay, or Tamil.

Common Types of Phishing Attacks Targeting Singaporeans

1. Bank Impersonation Scams

Attackers send SMS or emails claiming your DBS, OCBC, UOB, or Standard Chartered account has been "locked" or has an "unusual transaction". A link directs you to a fake login page that captures your credentials and 2FA code in real time.

2. Singpass and Government Agency Phishing

Fake messages claiming to be from IRAS (tax refund), ICA (passport renewal), MOM (work pass update), or Singpass ("account suspended") direct victims to convincing replica sites. Once credentials are harvested, attackers can access CPF, HDB, and banking services linked to Singpass.

3. Delivery and Parcel Scams

"Your SingPost parcel could not be delivered. Please update your address here." These SMS scams spike around major sale events like 11.11 and Chinese New Year, when many Singaporeans genuinely are expecting deliveries.

4. Job Scams

Unsolicited WhatsApp or Telegram messages offer easy part-time work — often "boosting reviews" or "completing tasks". Victims are lured onto fake platforms, asked to top up money to "unlock" higher commissions, and eventually lose everything.

5. Investment and Cryptocurrency Phishing

Scammers pose as MAS-licensed brokers or use deepfake videos of local celebrities and ministers endorsing fake trading platforms. Victims are drawn into Telegram groups, shown fabricated returns, then unable to withdraw funds.

6. Business Email Compromise (BEC)

Targeting SMEs, attackers spoof a CEO or supplier email requesting an urgent bank transfer or a change of payment account. BEC losses in Singapore regularly run into the tens of millions each year.

How to Recognize a Phishing Attempt

Modern phishing messages are polished, but almost all share telltale signals. Learning to pause and check these signs can prevent the vast majority of successful attacks.

Red Flag What It Looks Like Why It Matters
Urgency or fear "Your account will be closed in 24 hours" Pressures you to act before verifying
Unfamiliar sender domain support@dbs-sg-secure.com Real banks use their exact domain (e.g. dbs.com.sg)
Suspicious links Shortened or misspelt URLs Hides the real destination
Requests for OTP or password "Please verify your OTP with our officer" No legitimate bank or agency will ever ask
Unexpected attachments .zip, .htm, .exe files Common malware delivery methods
Generic greetings "Dear Customer" instead of your name Mass-sent phishing lacks personalisation

Check the URL Before You Click

Hovering over a link on desktop, or long-pressing on mobile, reveals the true destination. Watch for lookalike domains such as dbs-secure.sg.com, singpass-login.net, or iras-refund.co. Genuine Singapore government sites always end in .gov.sg, and major banks use their long-established primary domains.

If a link has been shortened, use a link expander or preview tool before clicking. Reputable shorteners like Lunyb include safety scanning and destination previews, but scammers often abuse anonymous, generic shorteners — so treat every unknown short link with caution.

Step-by-Step: What to Do If You Receive a Suspicious Message

  1. Do not click any link or call any number in the message. Scammers often route calls to fake "bank hotlines".
  2. Verify through official channels. Call the number printed on the back of your bank card, or log in to the official app directly.
  3. Check the sender. On email, view the full sender address, not just the display name.
  4. Report the message. Forward suspicious SMS to 7726 (SPAM), report scams to the ScamShield app, or call the Anti-Scam Helpline at 1799.
  5. Delete the message after reporting it, so you don't accidentally click later.

What to Do If You've Already Clicked or Shared Information

Speed matters enormously. Fraudsters can drain accounts within minutes of obtaining credentials.

  1. Immediately contact your bank to freeze the account. All major Singapore banks now offer a self-service "kill switch" in their apps.
  2. Change your passwords — starting with email, then banking, then Singpass. Use unique passwords for each service.
  3. Revoke Singpass sessions at singpass.gov.sg if you suspect credential theft.
  4. File a police report at spf.gov.sg/e-services or in person at any Neighbourhood Police Centre.
  5. Run a malware scan if you downloaded any file or APK, especially outside the Google Play Store.
  6. Monitor your accounts and CPF statement for unauthorised activity over the following weeks.

How to Protect Yourself Long-Term

Enable Strong Authentication

Turn on two-factor authentication (2FA) everywhere, and prefer app-based authenticators (Google Authenticator, Authy) or hardware keys over SMS OTPs where possible. For Singpass, activate face verification and biometric login.

Use the Money Lock Feature

DBS, OCBC, UOB, and other Singapore banks now offer a "Money Lock" that ring-fences a portion of your savings from any digital transaction — even if a scammer gains full access to your app. Locking a meaningful portion of your emergency savings is one of the highest-impact protections available.

Install ScamShield

The ScamShield app, developed by the National Crime Prevention Council and Open Government Products, blocks known scam calls and SMS. It's free on iOS and Android and updated regularly with new scam signatures.

Keep Software Updated

Update your phone's operating system, browser, and banking apps promptly. Many phishing pages exploit older browsers that lack modern anti-phishing protections. Turn on Google Safe Browsing or Apple Fraudulent Website Warning in your browser settings.

Use Encrypted DNS and Reputable Browsers

Switching to encrypted DNS (like Cloudflare's 1.1.1.1 for Families or Quad9) blocks known malicious domains at the network level. Pair this with a privacy-respecting browser such as Brave or Firefox with tracking protection enabled.

Be Careful With Short Links

Short links are convenient but can hide phishing destinations. When sharing or clicking short URLs — for work, marketing, or personal use — stick to reputable services that offer link previews, malware scanning, and analytics. Our team has compared the leading options in the Best URL Shorteners of 2026 buyer's guide, and reviewed premium contenders like Rebrandly in depth.

Phishing Protection for Singapore Businesses

SMEs are increasingly targeted because they often lack the security teams of larger enterprises. If you run a business in Singapore, consider the following baseline controls:

Control Purpose Priority
SPF, DKIM, DMARC email authentication Prevents attackers from spoofing your domain High
Staff phishing awareness training Humans are the last line of defence High
Simulated phishing exercises Measures real-world readiness Medium
Endpoint detection & response (EDR) Catches malware post-click High
Payment verification callbacks Stops BEC wire fraud Critical
Hardware security keys for admins Blocks credential phishing on privileged accounts High

CSA's Cyber Essentials and Cyber Trust marks provide a structured framework for Singapore businesses of any size to raise their baseline security posture, and IMDA offers subsidies through the SMEs Go Digital programme to help fund these improvements.

Reporting Phishing in Singapore: Key Contacts

  • Anti-Scam Helpline: 1799
  • Police (emergency): 999
  • Police non-emergency: 1800-255-0000
  • ScamShield app: Report suspicious SMS and calls
  • SingCERT: csa.gov.sg/singcert — report phishing sites and incidents
  • Forward scam SMS to 7726 (SPAM)

Frequently Asked Questions

How can I tell if an SMS from "DBS" or "POSB" is real?

Legitimate Singapore banks send SMS from a registered Sender ID that appears as the bank's name (e.g. "DBS") without any embedded links to external sites. Since 2023, banks have removed clickable links from customer SMS entirely. If you receive a "bank" SMS containing a link, treat it as phishing and delete it after reporting to 7726.

Is Singpass safe from phishing?

Singpass itself is highly secure, but attackers phish the login credentials. Always access Singpass through the official app or by typing singpass.gov.sg directly into your browser — never through a link in an email or SMS. Enable face verification for an additional layer of protection.

What should I do if I gave a scammer my OTP?

Act immediately: call your bank's fraud hotline (numbers are on the back of your card), activate the in-app kill switch, change your online banking password, and file a police report. The faster you act, the higher the chance funds can be recalled — banks have a short window during which they can attempt to reverse or hold transfers.

Are shortened URLs always dangerous?

No. Shortened URLs are widely used for legitimate marketing, receipts, and QR codes. The risk depends on the provider and the sender. Reputable services scan for malicious destinations and offer link previews. Be suspicious when a short link arrives from an unknown sender, uses obscure domains, or is combined with urgent language about money or account issues.

Does the government reimburse phishing scam losses in Singapore?

Under the Shared Responsibility Framework (SRF) that took effect in Singapore, banks and telcos may be required to bear part of the loss if they failed to meet specified anti-scam duties. However, reimbursement is not automatic and depends on the circumstances. The strongest protection remains prevention: strong authentication, Money Lock, ScamShield, and healthy scepticism toward unexpected messages.

Final Thoughts

Phishing attacks in Singapore will keep evolving — deepfake voices, AI-generated messages in perfect local slang, and QR-code-based scams are already emerging. The technical defences matter, but the single most powerful habit is the pause: taking ten seconds to verify a message through an independent channel before you click, type, or transfer. Combined with Money Lock, strong 2FA, ScamShield, and cautious link handling, that pause is what turns a potential victim into a hard target.

Stay alert, share this knowledge with family members — especially older relatives, who are disproportionately targeted — and report every suspicious message you encounter. Every report helps the wider Singapore community stay safer.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles