facebook-pixel

Phishing Attacks in Singapore: How to Recognize and Avoid Them

L
Lunyb Security Team
··9 min read

Phishing attacks in Singapore have surged into one of the most damaging categories of cybercrime, costing victims hundreds of millions of dollars each year. From fake DBS SMS messages to counterfeit SingPass login pages, scammers are exploiting the trust Singaporeans place in familiar brands and government services. Understanding how these scams work — and how to spot them before you click — is the single most important skill you can develop to protect yourself and your family online.

This guide breaks down the phishing landscape in Singapore in 2026, the red flags to watch for, and practical steps you can take to stay safe.

What Is a Phishing Attack?

A phishing attack is a social engineering scam in which criminals impersonate a trusted organization — such as a bank, delivery service, or government agency — to trick you into revealing sensitive information like passwords, OTPs, credit card numbers, or SingPass credentials. Phishing can arrive via email, SMS (called "smishing"), voice calls ("vishing"), messaging apps like WhatsApp and Telegram, or even QR codes placed in public spaces.

In Singapore, phishing has evolved far beyond the badly worded emails of a decade ago. Modern attacks are localized, professionally designed, and often use spoofed sender IDs that make messages appear to come directly from legitimate institutions.

The Scale of Phishing Attacks in Singapore

According to the Singapore Police Force and the Cyber Security Agency of Singapore (CSA), scam-related losses in Singapore have consistently exceeded S$650 million annually in recent years, with phishing being one of the top three attack vectors. The most commonly impersonated organizations include:

  • Banks: DBS, POSB, OCBC, UOB, Standard Chartered, and Citibank
  • Government: SingPass, IRAS, CPF Board, Ministry of Health, ICA
  • Delivery services: SingPost, Ninja Van, Lazada, Shopee
  • Telcos: Singtel, StarHub, M1
  • Payment platforms: PayNow, PayLah!, GrabPay

The government has responded with initiatives like the SMS Sender ID Registry (SSIR), which blocks unregistered senders from using organization names, and the ScamShield app, which filters known scam messages. Yet criminals continue to adapt.

Common Types of Phishing Attacks in Singapore

1. SMS Phishing (Smishing)

You receive an SMS claiming your DBS account has been locked, a Shopee package cannot be delivered, or your IRAS tax refund is ready. The message includes a link to a fake login page that captures your credentials and OTP in real time.

2. Email Phishing

Fake emails from "SingPass," "CPF," or your bank ask you to verify your identity or reset your password. The email often contains urgent language and a lookalike domain such as singpass-verify.com or dbs-secure.net.

3. WhatsApp and Telegram Scams

Scammers pose as friends, delivery agents, or job recruiters offering high-paying part-time work. They eventually direct victims to a phishing site or ask them to install a malicious APK.

4. Voice Phishing (Vishing)

Automated calls claim to be from ICA, the police, or China customs, warning of legal action unless you "verify" personal details. Some now use AI-generated voice cloning to impersonate family members.

5. QR Code Phishing (Quishing)

Fake QR stickers placed on bubble tea shops, parking meters, or restaurant tables redirect victims to phishing sites when scanned. This has become increasingly common in Singapore's cashless economy.

6. Malicious Android App Scams

Victims are tricked into installing APK files outside the Play Store, which then intercept SMS OTPs and drain bank accounts. Google Play Protect's Enhanced Security in Singapore now blocks many of these, but new variants appear weekly.

How to Recognize a Phishing Attempt

Every phishing message, no matter how polished, tends to share a few tell-tale signs. Learn to spot these seven red flags:

  1. Urgency and fear: "Your account will be suspended in 24 hours."
  2. Unexpected links: Legitimate banks in Singapore never send clickable links in SMS.
  3. Requests for OTPs or passwords: No genuine institution will ever ask for these.
  4. Lookalike domains: dbs-sg.com, singpass.login-verify.net, iras.gov-sg.co.
  5. Generic greetings: "Dear Customer" instead of your name.
  6. Poor grammar or unusual phrasing: Especially in supposedly official communications.
  7. Unsolicited attachments: Especially PDF invoices, ZIP files, or APK installers.

Comparing Legitimate vs. Phishing Communications

Here is a side-by-side look at how genuine and fake messages differ in Singapore:

FeatureLegitimate MessagePhishing Message
Sender IDRegistered (e.g., "DBS", "SingPass")Unknown number or spoofed ID with "Likely-SCAM" label
Clickable linksRarely used; directs you to open the official appAlmost always contains a link
Domaindbs.com.sg, singpass.gov.sg, iras.gov.sgdbs-secure.net, singpass-login.com, iras-refund.co
ToneNeutral, informationalUrgent, threatening, or too good to be true
Request for OTPNeverCommon
PersonalizationUses your name and partial account numberGeneric "Dear Customer"

How to Avoid Falling Victim

Enable Multi-Factor Authentication Everywhere

Use SingPass Face Verification, hardware tokens, and app-based authenticators like Google Authenticator or Authy. Avoid SMS-based OTPs where possible, since these can be intercepted by malicious apps.

Verify Before You Click

If you receive a message about your bank account, close it and open the official app directly. Never rely on the link provided. For government matters, log in through the Singpass app.

Use the ScamShield App

Developed by the National Crime Prevention Council and Open Government Products, ScamShield filters known scam SMS and calls. Enable it on both iOS and Android.

Check Shortened Links Carefully

Shortened URLs are common in both legitimate marketing and phishing attempts. Reputable services like Lunyb provide link previews and analytics so recipients can verify a destination before clicking. If you're unsure whether a shortener is trustworthy, our honest review of Lunyb and our 2026 buyer's guide to URL shorteners can help you evaluate the options.

Keep Your Devices Updated

Install security patches for iOS, Android, Windows, and macOS as soon as they are released. Many phishing follow-ups rely on exploiting outdated systems.

Never Install APK Files from SMS or Chat Links

Singapore's banks now enforce restrictions that block transactions on devices with sideloaded apps. This is a strong signal: if someone tells you to install an APK, it is almost certainly a scam.

Use Encrypted DNS and a Privacy-Focused Browser

Enable DNS-over-HTTPS in your browser or system settings, and consider browsers like Brave or Firefox with anti-tracking features. This adds a network-level layer of protection against known phishing domains.

What to Do If You've Been Phished

If you suspect you've clicked a phishing link or entered credentials on a fake site, act immediately:

  1. Freeze your accounts. Use your bank's "Kill Switch" — DBS, OCBC, UOB, and Standard Chartered all offer this feature in-app.
  2. Change passwords. Start with banking, SingPass, email, and any accounts sharing the same password.
  3. Revoke SingPass sessions. Log in and check active sessions and linked devices.
  4. Report the scam. Call the Anti-Scam Helpline at 1800-722-6688 or file a report at ScamShield.gov.sg.
  5. File a police report at any Neighbourhood Police Centre or via www.police.gov.sg/iwitness.
  6. Notify contacts. If your messaging accounts were compromised, warn friends and family, as scammers often use hijacked accounts to phish others.

Pros and Cons of Singapore's Current Anti-Phishing Measures

Pros

  • SMS Sender ID Registry blocks most spoofed bank and government messages.
  • ScamShield app has filtered millions of scam SMS to date.
  • Money Lock and Kill Switch features on major bank apps limit losses.
  • Enhanced Google Play Protect blocks most malicious APK installations.
  • Public education campaigns from CSA and NCPC are widespread.

Cons

  • Scammers rapidly shift to WhatsApp, Telegram, and QR codes to bypass SMS filters.
  • AI-generated voice and deepfake scams are becoming harder to detect.
  • Recovery of lost funds remains difficult, especially for cross-border transfers.
  • Older Singaporeans and non-English speakers remain disproportionately affected.

Special Considerations for Businesses in Singapore

Business email compromise (BEC) and CEO fraud are rising sharply, especially among SMEs. Attackers spend weeks researching company hierarchies before sending convincingly spoofed invoice or wire transfer requests. Key safeguards include:

  • Implementing DMARC, SPF, and DKIM on your company domain.
  • Training staff to verify all financial requests via a second channel (phone call, in person).
  • Using branded, trackable short links for customer communications so recipients can trust your URLs. Marketers comparing options may find our Rebrandly review useful when choosing a link management platform.
  • Deploying endpoint detection and response (EDR) software across all company devices.
  • Running quarterly phishing simulations with employees.

The Future of Phishing in Singapore

Looking ahead, three trends will shape the phishing landscape in Singapore:

  1. AI-generated content: Perfectly written phishing messages in fluent Singlish, Mandarin, Malay, and Tamil are already appearing.
  2. Deepfake voice and video: Family emergency scams using cloned voices of loved ones will grow.
  3. Cross-platform attacks: A single scam may span SMS, WhatsApp, phone calls, and email in coordinated sequence.

Staying safe will require constant vigilance, ongoing education, and the use of layered defenses — from device settings to bank features to informed skepticism.

Frequently Asked Questions

How do I report a phishing attack in Singapore?

Call the Anti-Scam Helpline at 1800-722-6688, report the scam at ScamShield.gov.sg, and file a police report at www.police.gov.sg/iwitness or any Neighbourhood Police Centre. If your bank account is affected, contact your bank immediately and activate the in-app Kill Switch.

Will my bank refund me if I fall for a phishing scam?

Under Singapore's Shared Responsibility Framework, which took effect in 2024, banks and telcos may bear some liability if they failed to meet anti-scam duties. However, if you willingly disclosed your OTP or credentials, refunds are not guaranteed. Report the incident within 24 hours to maximize your chances.

How can I check if a link is safe before clicking?

Hover over the link on desktop to preview the URL, or long-press on mobile. Look for the exact official domain (e.g., dbs.com.sg, singpass.gov.sg). You can also paste suspicious links into scanners like VirusTotal or Google Safe Browsing. Reputable URL shorteners offer preview features that reveal the final destination before you visit it.

Is SingPass Face Verification safe from phishing?

SingPass Face Verification is significantly more secure than passwords or SMS OTPs because it relies on biometric data tied to your device. However, scammers still try to trick users into initiating legitimate Face Verification sessions and then transferring control. Never perform Face Verification at someone else's request over a phone call.

What should I do if I accidentally installed a suspicious APK?

Immediately disconnect from the internet, put your phone in airplane mode, and contact your bank to freeze all accounts. Uninstall the app, run a full malware scan, and consider a factory reset. Then change all critical passwords from a different, trusted device. Report the incident to the Singapore Police Force.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles