facebook-pixel

Phishing Attacks in Singapore: How to Recognize and Avoid Them

L
Lunyb Security Team
··9 min read

Phishing attacks in Singapore have escalated into one of the most damaging categories of cybercrime, costing residents and businesses hundreds of millions of dollars each year. According to the Singapore Police Force's annual scam reports, phishing remains among the top five reported scam types, with victims losing money to fake bank alerts, fraudulent government messages, and cloned e-commerce sites. This guide explains how these attacks work, how to recognise them quickly, and what practical steps you can take to protect yourself, your family, and your business.

What Are Phishing Attacks?

Phishing is a form of social engineering where criminals impersonate a trusted person, brand, or authority to trick you into revealing sensitive information such as passwords, OTPs, NRIC numbers, or credit card details. Instead of hacking systems directly, attackers exploit human trust, urgency, and fear.

In Singapore, phishing has evolved rapidly. Attackers now use highly localised content — references to DBS, POSB, OCBC, UOB, SingPass, IRAS, CPF, ICA, and even local courier services like SingPost and Ninja Van — to appear credible. Many of these messages are indistinguishable from genuine communications at first glance.

Why Singapore Is a Prime Target

Singapore's high digital adoption rate, strong banking infrastructure, and reliance on services like SingPass and PayNow make it particularly attractive to phishing syndicates. Several factors amplify the risk:

  • Mobile-first population: Over 90% of adults use smartphones for banking and government services.
  • Cross-border scam operations: Many phishing campaigns are run from overseas call centres targeting Singaporean numbers and email addresses.
  • Trust in institutions: Residents generally trust official-looking communications from banks and government agencies, which scammers exploit.
  • Multilingual environment: Attackers craft messages in English, Mandarin, Malay, and Tamil to broaden their reach.

Common Types of Phishing Attacks in Singapore

Understanding the format of the attack is the first step to recognising it. Below are the most prevalent phishing categories seen locally in 2025 and 2026.

1. SMS Phishing (Smishing)

SMS-based phishing is the most reported form in Singapore. Victims receive text messages claiming to be from a bank, delivery service, or government agency, urging them to click a link and "verify" their account. Even after the SMS Sender ID Registry (SSIR) was made mandatory, attackers still bypass it by spoofing generic sender IDs or using overseas numbers.

2. Email Phishing

Email phishing typically impersonates services like IRAS tax refunds, Netflix billing errors, DHL package holds, or Microsoft 365 login alerts. The message contains a link to a fake login page designed to harvest your credentials.

3. Voice Phishing (Vishing)

Scammers call victims pretending to be police officers, MOH staff, or bank fraud teams. They pressure targets into transferring money or revealing OTPs to "assist an investigation" or "secure" their account.

4. QR Code Phishing (Quishing)

QR code phishing has surged in Singapore, with cases where stickers on hawker stalls, bubble tea shops, and even public notices were replaced with malicious QR codes redirecting to fake payment pages.

5. Social Media and Messaging App Phishing

WhatsApp, Telegram, and Facebook Messenger are heavily used for phishing. Fake job offers, cryptocurrency "investment" opportunities, and impersonation of friends asking for OTPs are common tactics.

6. Spear Phishing and Business Email Compromise (BEC)

Targeted attacks on companies, especially SMEs, involve impersonating a CEO or supplier to request urgent fund transfers. Singapore businesses reportedly lose tens of millions annually to BEC scams.

Red Flags: How to Recognise a Phishing Attempt

Phishing messages almost always share telltale patterns. Train yourself to pause when you see any of the following:

  1. Urgency or fear tactics: "Your account will be suspended in 24 hours."
  2. Unexpected links: Especially shortened or misspelled URLs like dbs-secure-verify.com instead of dbs.com.sg.
  3. Requests for OTPs, passwords, or NRIC: No legitimate bank or agency will ever ask for these.
  4. Generic greetings: "Dear Customer" instead of your name.
  5. Grammar or formatting errors: Minor inconsistencies in fonts, logos, or phrasing.
  6. Unusual payment requests: Gift cards, cryptocurrency, or transfers to personal accounts.
  7. Mismatched sender domains: An "IRAS" email coming from a Gmail address.

Comparison: Legitimate vs Phishing Communications

FeatureLegitimate MessagePhishing Message
SenderOfficial domain (e.g. @dbs.com)Lookalike or free email domain
LinksDirect to official siteShortened, misspelled, or foreign TLDs
ToneInformational, no pressureUrgent, threatening, or emotional
RequestsNever asks for OTP or passwordAsks for credentials or funds
PersonalisationUses your name/account partialGeneric "Dear User"
GrammarPolished and consistentErrors, odd spacing, weird symbols

Real Phishing Examples Seen in Singapore

These examples reflect actual campaigns reported by the Singapore Police Force and the Cyber Security Agency of Singapore (CSA):

  • Fake SingPass login: Emails claiming your SingPass is expiring, linking to a cloned login portal.
  • Bank OTP scam: SMS claiming an unauthorised transaction, prompting you to "cancel" via a link that captures your credentials.
  • Fake IRAS tax refund: Notice of a small tax refund requiring bank details on a fraudulent site.
  • Parcel delivery scam: SingPost or DHL SMS asking for a "redelivery fee" of $1–$2, which then harvests full card details.
  • Job offer scams on Telegram: Easy work-from-home tasks that eventually ask for money transfers.

How to Protect Yourself from Phishing

Prevention is a mix of technology, habits, and awareness. Follow these steps to reduce your risk dramatically.

1. Verify Before You Click

Always hover over links (or long-press on mobile) to preview the destination. If in doubt, open your banking app or the official website manually instead of clicking any link in an email or SMS.

2. Use a Link Checker

Suspicious short links should be scanned before opening. Trusted URL shorteners and preview tools help expose the true destination. If you use short links for business, choose a transparent platform like Lunyb, which lets recipients trust the origin of the link. For a broader look at reliable providers, see our 2026 URL shortener buyer's guide.

3. Enable Multi-Factor Authentication (MFA)

Use app-based authenticators (Google Authenticator, Microsoft Authenticator) or hardware security keys where possible. Avoid SMS-based OTPs when a stronger option exists.

4. Keep Devices and Browsers Updated

Modern browsers such as Chrome, Edge, Safari, and Firefox include phishing filters that block known malicious sites. Regular updates ensure these defences remain effective.

5. Use Encrypted DNS and Private Browsers

Enable DNS-over-HTTPS (DoH) in your browser to prevent DNS-level tampering. Consider privacy-focused browsers with built-in tracker and phishing protection for high-risk activities like online banking.

6. Register with the SMS Sender ID Registry Awareness

Be aware that any SMS from an unregistered sender ID appearing to be from a bank or government agency is highly likely to be a scam. Since 2023, most legitimate senders in Singapore have registered.

7. Set Transaction Limits and Kill Switches

All major Singapore banks now offer transaction limits, money lock features, and kill switches. Use them to cap your exposure in case of a compromise.

8. Report Suspicious Messages

Forward suspicious SMS to 7726 (SPAM), report phishing sites to ScamShield, and lodge a police report at police.gov.sg/iwitness or by calling the ScamShield helpline at 1799.

What to Do If You've Been Phished

Speed matters. If you suspect you've fallen for a phishing attack, take these steps immediately:

  1. Freeze your accounts: Use your bank's kill switch or call the 24-hour hotline (e.g. DBS 1800-339-6963).
  2. Change your passwords: Start with your email, banking, and SingPass accounts.
  3. Revoke active sessions: Log out of all devices from your account settings.
  4. Enable MFA if not already active.
  5. File a police report and alert ScamShield.
  6. Scan your device for malware, especially if you installed any APK file.
  7. Notify contacts if scammers may impersonate you next.

Phishing Protection for Businesses in Singapore

SMEs and enterprises face unique risks. A single compromised email account can lead to invoice fraud costing hundreds of thousands. Recommended safeguards include:

  • Deploy email authentication protocols: SPF, DKIM, and DMARC.
  • Use secure email gateways with anti-phishing AI.
  • Conduct quarterly phishing simulations for staff.
  • Establish a two-person approval process for fund transfers above a set threshold.
  • Use branded, trusted short links for marketing — see how Rebrandly and Lunyb handle branded, transparent URLs to reduce link-based impersonation risks.
  • Maintain an incident response playbook aligned with CSA guidelines.

The Role of URL Shorteners in Phishing (and How to Use Them Safely)

Short links are often abused by scammers because they hide the final destination. However, reputable shorteners now offer link previews, malware scanning, and branded domains that make them safer to send and receive.

When receiving a short link, always preview it before clicking. When sending short links to customers, use a provider that supports branded domains and analytics so recipients can verify the sender. A transparent platform builds trust — a critical factor when phishing is rampant.

Government and Community Resources

Singapore has several official channels for phishing prevention and reporting:

  • ScamShield App — filters known scam calls and SMS.
  • CSA SingCERT — issues advisories on emerging threats.
  • Anti-Scam Centre (ASC) — freezes fraudulent transactions rapidly.
  • Police Scam Helpline: 1799.
  • gov.sg WhatsApp channel — official government updates and scam alerts.

FAQ: Phishing Attacks in Singapore

1. What should I do if I clicked a phishing link but didn't enter anything?

You are likely still safe, but scan your device for malware, clear browser cookies, and monitor your accounts for unusual activity over the next few weeks. If you clicked from a work device, notify your IT team immediately.

2. Are phishing SMS still a problem after the SMS Sender ID Registry?

Yes. The registry has reduced spoofing significantly, but attackers now use overseas numbers, generic sender IDs, or messaging apps like WhatsApp and Telegram to bypass it. Vigilance is still essential.

3. Can I get my money back if I was scammed via phishing?

Under the Shared Responsibility Framework in Singapore, banks and telcos may bear part of the loss if they failed in their duties. However, recovery is not guaranteed. Report the incident to your bank and the Anti-Scam Centre within minutes for the best chance of freezing the funds.

4. How can I tell if a website is a phishing clone?

Check the URL carefully for misspellings (e.g. dbs-sg.com vs dbs.com.sg), look for HTTPS with a valid certificate, avoid entering credentials on sites reached via SMS or email links, and compare the domain to the official one saved in your bookmarks.

5. Is antivirus software enough to protect against phishing?

No. Antivirus catches malware but rarely blocks well-crafted phishing pages. Combine it with browser-level phishing protection, MFA, safe browsing habits, and use of trusted link-preview tools for the strongest defence.

Final Thoughts

Phishing attacks in Singapore are becoming more sophisticated, personalised, and multilingual. But awareness remains your strongest weapon. By recognising the red flags, verifying every link before you click, enabling MFA, and using trusted platforms for links and communications, you can dramatically reduce your risk. Share this guide with family, friends, and colleagues — because in the fight against phishing, informed communities are the hardest to fool.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles