The Police and the Inland Revenue Authority of Singapore (IRAS) have observed a sudden surge in phishing scams where scammers would impersonate as IRAS and target victims through SMSes. Since July 2022, at least 51 victims had fallen prey, with total losses amounting to at least $37,400.
The scam occurs in the following sequence:
- Members of the public would receive unsolicited SMSes containing “IRAS” in the sender’s name. The recipients would be directed to urgently complete their tax review/inspection via an embedded link in the message.
- Upon clicking on the link in the SMS, the victims would be sent to a spoofed Singpass login page, where they would be asked to enter their Singpass ID and password.
- Thereafter, the victims would be redirected to another spoofed webpage which looks like an IRAS website, and finally to a spoofed bank login page.
- The victims would then be requested to enter their Internet banking credentials and One-Time Passwords (OTPs) received on their mobile phones. Victims would only discover that they had been scammed when they were notified of unauthorised transactions made from their bank accounts.
While the authorities work swiftly to take down phishing websites, user vigilance is crucial in our fight against evolving scams. The Police and IRAS advise members of the public to be on heightened alert and to follow these crime prevention measures:
- IRAS does not send SMSes containing links asking you to log in with your credentials (i.e. passwords and Singpass log-in details);
- Always verify the authenticity of claims of problems with your income tax status with the official IRAS website;
- Ensure that the Singpass website domain you are accessing is singpass.gov.sg, with a 'lock' icon in the address bar. You may refer to the Annex for an example of the real Singpass log-in page;
- Users should make it a point to update their contact details registered with Singpass and enable notifications via their Singpass app so that they can be promptly alerted of suspicious log-ins, e.g. when a log-in on a new device or Internet browser is detected, and contact Singpass to secure their account;
- Log-ins to Government services should only be done at websites with domains ending with “.gov.sg”. If you received a link that does not end with “.gov.sg”, check against the list of trusted websites at www.gov.sg/trusted-sites;
- Never disclose your personal or Internet banking details and OTPs to anyone; and
- Report any fraudulent transactions to your bank immediately.
If you have any information relating to such crimes, please call the Police Hotline at 1800-255-0000, or submit it online at www.police.gov.sg/iwitness. If you require urgent Police assistance, please dial ‘999’.
For more information on scams, members of the public can visit www.scamalert.sg or call the Anti-Scam Hotline at 1800-722-6688. Join the ‘Spot the Signs. Stop the Crimes’ campaign at www.scamalert.sg/fight by signing up as an advocate to receive up-to-date messages and share them with your family and friends. Together, we can help stop scams and prevent our loved ones from becoming the next victim.
Annex A
How Victims Fall Prey
Images of Phishing SMSes
Images of Spoofed Singpass Webpages
Image of the real Singpass Login Webpage
Image of Spoofed IRAS Webpage
SINGAPORE POLICE FORCE
28 July 2022 @ 5:00 PM