![Security Advisory [Dec 2022]: Know the Scams; Avoid Getting Scammed](assets/images/default.jpg)
While investors are now more alert to possible scams, scammers have also evolved and upgraded their tactics, often using channels that are part and parcel of our daily lives in Singapore. These range from text messages and calls claiming to be from the Ministry of Health (MOH) advising on Covid vaccinations, to recent cases of scammers impersonating ERP and LTA, and there are also scammers who are now targeting users of SingPass.
Phishing Scam: SingPass
In October 2022, the Singapore Police Force (SPF) issued an “Advisory On Phishing Scams Involving Singpass” after seeing an increase in the number of cases where victims had unknowingly provided their Singpass login credentials to scammers via malicious SMS text messages.
As reported in the advisory, the scams occurred in the following sequence:
i. Receiving unsolicited SMSes: The sender ID of such text messages is usually made similar to “Singpass” (e.g. MySingpass, SGSingpass), and the text message indicated that the recipients’ Singpass accounts had been or would be disabled/deactivated and that they are required to click on a fraudulent URL link in the SMS to complete a verification process.
Examples of text messages from the SPF advisory article:
ii. Clicking on the URL link in the SMS leads the victim to a spoofed Singpass login page, where they are first required to enter their Singpass ID and password. They are subsequently redirected to a 2FA page where they are prompted to key in their Singpass One-Time Password (OTP).
Example of a spoofed Singpass website from the SPF advisory article:
iii. Victims usually realise that they have been scammed after they received alerts from Singpass notifying them that their profiles had been updated, while some victims would have received alerts that they had signed up for bank accounts and credit cards. Some victims also had unauthorised transactions that were charged to their credit cards.
Other recent scam cases
These are the other recent scams that the Singapore Police Force has issued advisories on in the last few months:
- Re-emergence of email phishing scams involving Singapore companies:
Victims received phishing emails from scammers impersonating Singapore Post (SingPost) and Singtel, sent from email address domains that do not appear to be related to the two companies, informing them to either renew their service subscription or make payment for their parcel delivery. Victims were then tricked into clicking on the fraudulent URL links in the phishing emails, which redirected them to fraudulent websites designed to look like the website of the impersonated company. There they were required to key in their login information, including account names, passwords, credit/debit card details, One-Time Password (OTP), etc. The victims only realised that they had been scammed after receiving notifications of unauthorised transactions made with their credit/debit cards.
- Resurgence Of Bank Phishing Scams:
Victims would receive unsolicited SMSes with sender IDs such as “+1 (800) 11”, “+168730”, or “SMSAlert” that informed them either that their bank account had been locked, or that their cards had been locked due to security issues. Similarly, the spoofed SMS contained a URL link to trick the victim into clicking and keying in their online banking username, password and One-Time Passwords (OTP) on a spoofed internet banking log-in page. The scammers, upon receiving such information, are then able to access the victim’s online bank account and transfer the victim’s money to the scammers’ bank account.
In other cases, the SMSes would instruct the victim to make a phone call or WhatsApp call to retrieve card reactivation details. The victim would then be informed that their account had been frozen, and that personal and banking details would have to be provided over the phone call for verification. The victim would then receive genuine OTP SMSes from their banks, which the scammers would ask for while claiming to “help” the victim reset their account, when in actual fact they would be transferring the victim’s money to other scammers’ accounts.
Victims would only realise that they had been scammed after discovering that transactions have been made from their bank accounts.
How to Protect Yourself against such scams?
To prevent falling victim to the above SMS and email phishing scams, these are the “3 Nevers and 3 Always” tips that investors should always remember when receiving unsolicited text messages and emails:
The 3 Nevers:
i. Never click on any URL links embedded in SMSes from unverified sources, or unsolicited emails from email addresses with suspicious domains;
ii. Never reveal your personal details, including internet banking, investment platform account details, and/or OTPs to anyone;
iii. Never forward such SMSes/emails to others or call/reply to the SMSes/emails.
The 3 Always:
i. Always verify the sender ID, e.g. in the case of Singpass, the official SMS sender identity is labelled as ‘Singpass’ or ‘SingPass’. For emails, always check the email domains; when in doubt, call up the bank/organisation to verify their email domains;
Important Note: The official Sender IDs of SMSes sent by entities under iFAST Singapore are “iFAST” and “FSMOne”.
ii. Always verify the URL link and check it against the sender’s official website, or call the company directly for more information. E.g. Singpass and Singapore banks have explicitly announced that they do not send out SMSes containing web links asking you to log in with your credentials. The Scam Alert website (https://www.scamalert.sg/) set up by The National Crime Prevention Council (NCPC) is also a useful website to check for similar scams that have been submitted by other users/victims;
iii. Always report to the respective companies and/or the authorities if you suspect that your accounts or Singpass accounts have been compromised, and report to the bank and/or e-payment service provider if fraudulent transactions were made.
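The sender ID and link checks above can also be applied mechanically, for example when triaging SMSes that users report to a helpdesk. The sketch below is an added example and not code from iFAST or the SPF: the official sender IDs are the ones named in this advisory, while the function names, reason labels, keyword patterns and sample messages are constructed for illustration.

```python
import re
import unicodedata

# Official sender IDs as listed in this advisory (exact, case-sensitive match).
OFFICIAL_SENDER_IDS = {"Singpass", "SingPass", "iFAST", "FSMOne"}
# Brand keywords derived from those IDs, used to spot lookalike sender IDs.
BRANDS = ("singpass", "ifast", "fsmone")
# Assumed patterns: any web link, and the account-status lures described above.
URL_RE = re.compile(r"https?://\S+|www\.\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+/\S*", re.I)
LURE_RE = re.compile(r"\b(disabled|deactivated|locked|frozen|verif\w*|reactivat\w*)\b", re.I)

def normalise(sender_id):
    """Fold Unicode variants and case, drop separators ('SG-Singpass' -> 'sgsingpass')."""
    folded = unicodedata.normalize("NFKC", sender_id).casefold()
    return re.sub(r"[^a-z0-9]", "", folded)

def triage_sms(sender_id, body):
    """Return the phishing indicators that fired; an empty list means none did."""
    reasons = []
    if sender_id not in OFFICIAL_SENDER_IDS:
        if any(b in normalise(sender_id) for b in BRANDS):
            reasons.append("lookalike_sender_id")        # e.g. MySingpass, SGSingpass
        elif any(b in body.casefold() for b in BRANDS):
            reasons.append("brand_claim_from_unlisted_sender")
    # A link is flagged even when the sender ID looks official: the advisory
    # notes that Singpass and banks do not send SMSes with log-in links.
    if URL_RE.search(body):
        reasons.append("contains_link")
    if LURE_RE.search(body):
        reasons.append("account_status_lure")
    return reasons

# Constructed sample messages (not taken from the SPF advisories).
SAMPLES = [
    ("MySingpass", "Your Singpass account will be deactivated. "
                   "Complete verification at https://singpass-verify.example/login"),
    ("SMSAlert", "Your card has been locked due to security issues. "
                 "Visit https://bank-secure.example/unlock"),
    ("Singpass", "Your Singpass profile has been updated."),
]

if __name__ == "__main__":
    for sender, text in SAMPLES:
        print(f"{sender!r}: {triage_sms(sender, text) or 'no indicators'}")
```

An empty result only means none of these indicators fired; it does not confirm that a message is genuine, so the "Always verify" steps above still apply.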
Source:
1. Advisory On Phishing Scams Involving Singpass, 2 Oct 2022, Singapore Police Force website (https://www.police.gov.sg/media-room/news/20221002_advisory_on_phishing_scams_involving_singpass)
2. Police Advisory On The Re-Emergence Of Email Phishing Scams Involving Singapore Companies, 3 Nov 2022, Singapore Police Force website (https://www.police.gov.sg/media-room/news/20221103_police_advisory_on_the_re-emergence_of_email_phishing_scams_involving_sg_companies)
3. Police Advisory On Resurgence Of Bank Phishing Scams, 12 Oct 2022, Singapore Police Force website (https://www.police.gov.sg/media-room/news/20221012_police_advisory_on_resurgence_of_bank_phishing_scams)
