Police issue warning on surge in phishing scams involving Singpass

Prisca Ang
The Straits Times
October 2, 2022

The police have warned against a surge in a new type of phishing scams where fraudsters target victims through SMSes to obtain their Singpass log-in credentials.

Members of the public received unsolicited SMSes in which the sender's ID contained similarities to the name of the national digital identity system, said the police on Sunday. These include alternative names such as MySingpass and SGSingpass.

The SMSes indicated that the recipients' Singpass accounts had been or would be deactivated, and that they were required to conduct facial verification. Recipients were asked to log into Singpass through a Web link provided in the SMSes.

Upon clicking on the Web link, the victims were directed to a spoofed Singpass log-in webpage, where they were required to enter their Singpass ID and password.

Victims were then led to a two-factor authentication (2FA) page and were prompted for their Singpass one-time password (OTP). They realised they had been scammed upon receiving Singpass alerts that their profiles had been updated.

In some cases, they received alerts that they had signed up for bank accounts and credit cards. Unauthorised transactions were also sometimes charged to the cards.

Members of the public received unsolicited SMSes in which the sender's ID contained similarities to the name of the national digital identity system. PHOTO: SPF

The police said the authorities have taken down the phishing websites but added that user vigilance is crucial in the nation's fight against evolving scams.

Together with GovTech which manages Singpass, the police advise the public to be alert and take note of the following details:

- Singpass does not send SMSes containing Web links asking you to log in with credentials such as passwords and OTPs

- The official SMS sender identity for Singpass is "Singpass" or "SingPass"

- Users can verify the authenticity of claims by calling the official Singpass hotline on 6335-3533 and pressing "9" for 24-hour scam support

- Ensure that the Singpass website domain you are accessing is singpass.gov.sg, with a lock icon in the address bar

- Users should update their contact details registered with Singpass and enable notifications via their Singpass app so that they can be promptly alerted of suspicious log-ins

- Reset your Singpass password immediately if you suspect that your Singpass account has been compromised

- Log-ins to government services should be done only at websites with domains ending with ".gov.sg". If you received a link that does not end with ".gov.sg", check against the list of trusted websites at this link.

- Never disclose your personal or Internet banking details and OTPs to anyone, and report any fraudulent transactions to your bank immediately.

Visit the Scam Alert website or call the Anti-Scam Hotline on 1800-722-6688 for more information on scams. Users can also visit this Singpass website for tips on how to transact with Singpass securely.

The Straits Times

Get a copy of The Straits Times or go to straitstimes.com for more stories.