Phishing Scams
Phishing Scams
Phishing scams involve emails, messages, calls, or advertisements by scammers posing as government officials, financial institutions or businesses. Victims would be tricked into revealing sensitive information such as usernames, passwords, banking credentials and/or debit or credit card information by clicking malicious links or via phone calls. Upon acquiring the victims ’information, scammers would perform unauthorised transactions on the victims’ bank accounts or debit/credit cards.
At least S$14.2 million lost to scammers
Annual Scams and Cybercrime Brief 2023
Common signs of phishing are
-
Unsolicited emails, messages, images or advertisements with clickable links.
-
Clickable links lead you to a website/s that looks legitimate;
-
Spoofed webpage addresses
-
Unsecured websites requiring you to provide your personal details or banking credentials
For bank phishing
Victims will receive SMS alerts about potential unauthorised access to their bank accounts, prompting them to click on embedded URLs to verify their identity and stop the transactions.
For e-commerce/parcel delivery phishing
Messages or emails are designed to look like they were sent by postage and e-commerce logistics companies such as Singapore Post (SingPost) and contains phishing link.
For IRAS phishing
IRAS does not process tax refunds to credit/debit cards
How to stay safe
-
ADD: Add and use only official banking apps downloaded from official app stores (Google Play Store or Apple App Store) to make transfers or payments.
-
Add ScamShield app and set security features such as 2FA for banking apps, social media and Singpass accounts. Set transaction limits on internet banking transactions, including PayNow and PayLah.
-
CHECK: that you do not use clickable links or QR codes provided by unknown persons to make payments/transfers, as these lead to fake bank websites that phish for your banking credentials. Never disclose your personal information, internet banking and social media account details, and one-time passwords (OTPs) to anyone. Always verify the authenticity of unsolicited clickable links you receive and check the webpage addresses for discrepancies. Transactions, including PayNow and PayLah.
For bank phishing
Banks will never send you any clickable links via SMS and will use their officially registered SMS Sender ID.
For e-commerce/parcel delivery phishing
Verify the authenticity of the information with company or e-commerce platform directly. Use only official banking apps downloaded from official app stores (Google Play Store or Apple App Store) to make transfers or payments. Set transaction limits on internet banking transactions, including PayNow and PayLah.
For IRAS phishing
•Receive refunds securely: Any tax refunds are automatically credited into taxpayers’ bank account registered with IRAS or via PayNow (NRIC/FIN/UEN) accounts. Taxpayers can check for updates on any refund in IRAS’ myTax Portal. For further details, please visit IRAS’ website at https://www.iras.gov.sg/quick-links/refunds.
•Pay securely: GIRO is the preferred payment mode. For payments to IRAS made via internet banking, ATM bill payment and AXS mobile, select “IRAS” from the list of payees. Taxpayers can also pay using PayNow QR on myTax Portal. Learn about payment modes for different tax types to IRAS. IRAS will not ask taxpayers to pay taxes through third parties or intermediaries’ bank account. For tax matters, transact securely on myTax Portal ( mytax.iras.gov.sg): It is a secured and personalised portal for taxpayers to view and manage tax transactions with IRAS. SingPass authentication is also required before any transactions can be performed.
•Correspond with us on myTax Mail: Use myTax Mail to correspond with IRAS. IRAS will notify taxpayers via SMS when we have replied. For added security, we will respond to taxpayers via myTax Mail if their query contains confidential information.
Emailing IRAS:
•Always check before clicking on any links in the email that give you instructions to follow some steps to receive the tax refunds. Do not give away your online banking details (username, password or One-Time-Password) or credit card/debit card details.
•Always check the email address even though the sender ID shows ‘IRAS’. Sender ID can be spoofed to make the email looks legitimate. A legitimate email address from IRAS ends with @iras.gov.sg".
•IRAS will not send emails on tax refund amount or contain confidential documents : IRAS does not send out confidential documents such as tax return forms, notices of assessment, refund letters or other tax statements through unsecured emails. Confidential documents are deposited and can be retrieved from myTax Portal (mytax.iras.gov.sg).
Learn more about phishing scams
Asked to pay extra delivery fees to ship your parcel? It could be a scam
Received an unsolicited link? Here’s how to check if it’s legitimate
Received an offer for your listed item? Beware of clickable links from buyers
Encountered this scam? Report it!
If you have transferred money to a scammer, please visit this page for a list of immediate actions: I've Been Scammed!
Help keep the community safe by reporting any instances of this scam you’ve seen or experienced with the ScamShield App.