Police warn of SMS phishing scams involving Singpass
Victims would receive unsolicited SMSes with the sender's ID containing similarities to Singpass, such as MySingpass or SGSingpass.
Images of the phishing SMSes with the sender's ID containing similarities to Singpass. (Images: Singapore Police Force)
SINGAPORE: The Singapore Police Force (SPF) on Sunday (Oct 2) warned of a new variant of SMS phishing scams where scammers would target victims with similar sender's ID to obtain their Singpass login credentials.
In a news release, the police said they have seen a surge in cases where people would receive unsolicited SMSes with the sender's ID containing similarities to Singpass, such as MySingpass or SGSingpass.
The SMSes would indicate that the recipients’ Singpass accounts had been or would be deactivated, and that they were required to conduct facial verification. They would then be required to log into Singpass through a web link provided in the messages.
Upon clicking on the link, the victims would be directed to a spoofed Singpass login webpage, where they would be required to enter their Singpass ID and password.
They would then be led to a two-factor authentication page asking for their Singpass one-time password, said the police.
The victims would only realise they were scammed when they received alerts from Singpass that their profiles were updated. In some cases, the victims would receive alerts that they had signed up for bank accounts and credit cards.
In some cases, unauthorised transactions were also charged to the credit cards.
"While the authorities have taken down the phishing websites, user vigilance is crucial in our fight against evolving scams," said the police.
SINGPASS DOES NOT SEND SMSES CONTAINING WEB LINKS
"The police and GovTech would like to advise members of the public to be on heightened alert," said the authorities.
Members of the public were advised that Singpass does not send SMSes containing web links asking recipients to log in with their credentials, such as passwords and one-time passwords.
The official SMS' sender identity is labelled as Singpass or SingPass.
Singpass users can verify the authenticity of the claims against their Singpass account via the Singpass hotline at 6335 3533 and press 9 for 24-hour scam support. They should also ensure that the Singpass website domain they are accessing is singpass.gov.sg, with a "lock" icon in the address bar.
Users were also advised to update their contact details registered with Singpass and enable notifications via their Singpass app so that they can be promptly alerted of suspicious logins, such as when a login on a new device or Internet browser is detected.
"If you suspect that your Singpass account has been compromised, reset your Singpass password immediately," said the police.
Log-ins to Government services should only be done at websites with domains ending with ".gov.sg". If a link received does not end with ".gov.sg", users should check it against the list of trusted websites at www.gov.sg/trusted-sites.
The police also advised users to never disclose their personal or Internet banking details and one-time passwords to anyone and to report any fraudulent transactions to their bank immediately.
