The Police have observed a surge in phishing scams where scammers would target victims through SMSes to obtain Singpass login credentials.
The scams occurred in the following sequence:
- Members of the public would receive unsolicited SMSes with the sender’s ID containing similarities to “Singpass” (e.g. MySingpass, SGSingpass). The SMSes would indicate that the recipients’ Singpass accounts had been or would be deactivated, and that they were required to conduct facial verification. Recipients would be required to log into Singpass through a web link provided in the SMSes.
- Upon clicking on the web link, the victims would be directed to a spoofed Singpass login webpage, where they would be required to enter their Singpass ID and password. Victims will then be led to a 2FA page where they would be prompted for their Singpass One-Time Password (OTP).
Victims would realise that they have had scammed when they received alerts from Singpass that their profiles had been updated. In some cases, the victims would receive alerts that they had signed up for bank accounts and credit cards. Unauthorised transactions were also charged to the credit cards in some cases.
While the authorities have taken down the phishing websites, user vigilance is crucial in our fight against evolving scams. The Police and GovTech would like to advise members of the public to be on heightened alert, and to follow these crime prevention measures:
- Singpass does not send SMSes containing web links asking you to log in with your credentials (i.e. passwords and OTPs).
- The official SMS’ sender identity for Singpass is labelled as ‘Singpass’ or ‘SingPass’.
- Users can verify the authenticity of claims against their Singpass account via the official Singpass hotline at 63353533 and press “9” for 24-hour scam support. Ensure that the Singpass website domain you are accessing is singpass.gov.sg, with a 'lock' icon in the address bar. You may refer to the Annex for an example of the official Singpass login webpage;
- Users should make it a point to update their contact details registered with Singpass and enable notifications via their Singpass app so that they can be promptly alerted of suspicious logins, e.g. when a login on a new device or Internet browser is detected;
- If you suspect that your Singpass account has been compromised, reset your Singpass password immediately;
- Log-ins to Government services should only be done at websites with domains ending with “.gov.sg”. If you received a link that does not end with “.gov.sg”, check against the list of trusted websites at www.gov.sg/trusted-sites;
- Never disclose your personal or Internet banking details and OTPs to anyone; and
- Report any fraudulent transactions to your bank immediately.
If you, or someone you know, have received a suspicious SMS related to Singpass, please contact the official Singpass hotline at 63353533. You may also call the Police Hotline at 1800-255-0000, or submit a report online at www.police.gov.sg/iwitness. If you require urgent Police assistance, please dial ‘999’.
For more information on scams, members of the public can visit www.scamalert.sg or call the Anti-Scam Hotline at 1800-722-6688. Join the ‘Spot the Signs. Stop the Crimes’ campaign at www.scamalert.sg/fight by signing up as an advocate to receive up-to-date messages and share them with your family and friends.
For more information and tips on how you can transact with Singpass securely, visit go.gov.sg/even-safer-singpass.
Together, we can help stop scams and prevent our loved ones from becoming the next victim.
Images of Phishing SMSes
Images of Spoofed Singpass Webpages
Image of the real Singpass Login Webpage
SINGAPORE POLICE FORCE
02 October 2022 @ 2:15 PM