Scam Prevention

Email Scams in Singapore

  • Duncan
  • 14 May 2025
Email Scams in Singapore

Email Scams in Singapore:
How to Spot and Avoid Common Email Scams in 2025


Even as Singapore’s digital economy grows, so have sophisticated email scams! In early 2025 alone, over 9,500 scam cases were reported, with losses exceeding $224 million (The Straits Times, 2025).

Email scams or phising scams, which began as error-riddled junk mail have evolved into complex, highly targeted schemes, as scammers use AI, spoofed domains, and psychological tricks to pose as trusted entities such as like IRAS, Singtel, banks, and even government agencies to deceive even the most careful of us.

This guide covers:  
✅ Some common scam tactics such as AI phishing, BEC scams, fake IRAS/Singtel emails
✅ Real-life examples to illustrate red flags to watch out for
✅ Protection tips for individuals & businesses
✅ What to do if scammed - reporting and recovery steps

 
What Are Email Scams?


Email scams, or phishing scams, are fraudulent messages crafted to:
-    Steal sensitive personal/financial information such as SingPass or credit card details
-    Trick victims into making unauthorised payments using fake invoices or “urgent fines”
-    Spread malware, via infected attachments, to compromise victims’ devices
-    Gain access to secured systems

Modern email scams are no longer the crude, easily-spotted deceptions of the past, but are more frequently powered by:
•    AI-written phishing emails with minimal or no  grammatical errors, mimicking real corporate and natural language, evading traditional spam filters.
•    Spoofed addresses and compromised domains (e.g., iras-gov.sg instead of iras.gov.sg), or hijacked legitimate accounts.
•    Targeted impersonation, where scammers research victims and send tailored messages referencing real events, accounts, or transactions, instead of mass spam
•    Business Email Compromise (BEC) where attackers infiltrate or mimic company emails, targeting finance teams with payment requests/instructions.
•    Technical support scams such as fake “Singtel” or “Microsoft” tech support emails which prey on the less tech-savvy, often the elderly.

Now that we understand how email scams work, let’s examine some common types in Singapore.

Common Types of Email Scams in Singapore


1. Fake IRAS Email Scams


IRAS (Inland Revenue Authority of Singapore) scams are prevalent, especially during tax season. With emails impersonating IRAS by using lookalike domains and official-sounding language, villains use messages which generally fall into two categories, namely 
•    the "windfall" approach, promising tax refunds, but requiring immediate action, or 
•    the "penalty" approach, threatening legal consequences for alleged tax discrepancies.

Common tactics:
•    Promising tax refunds and asking recipients to click on fake IRAS portals.
•    Threatening legal action or fines for supposed tax discrepancies.
•    Requesting payment for investment-related tax charges.

Example:
According to The Straits Times (2024), IRAS warned of a phishing e-mail from [email protected] asking taxpayers to click on a link to update their particulars.

How to spot:
•    Uses fake domains like @iras-refund.com (real IRAS: @iras.gov.sg).
•    IRAS never asks for payments via email links.  
•    Unique trait: Mentions "federal tax" whereas Singapore uses "income tax".

⚠️ Remember: Fake IRAS emails often include urgent threats or fake refunds.

Real vs fake/scam IRAS email

2. Singtel and Telco-Related Scams


Scammers pretending to be Singtel, StarHub, or even M1 send spoofed emails with fake invoices or promotional giveaways, with some even mimicking subscription notices for Netflix or Spotify.

Tactics include:
•    Fake billing emails demanding immediate payment.
•    "You've won a new iPhone" promos with links to phishing sites.

Real case: Scammers using fake e-mails purportedly from Singtel netted at least $62,000 when victims who clicked on the spoofed URL link were directed to a fake Singtel webpage. (The Straits Times, 2021)

How to Spot:
•    “Unpaid invoice” with a fake Singtel logo.
•    Singtel never requests payments via email links.
•    Hover over links to check URLs (e.g., “bit.ly/claim-iphone” is a scam).  
•    Unique trait: Promises free gadgets (e.g., "Claim your new iPhone!").

⚠️ Remember: Singtel will never ask for payment via email links. Check for universal red flags like poor grammar or suspicious attachments.

3. Business Email Compromise (BEC)


BEC scams target companies by compromising or spoofing internal email accounts to deceive employees into transferring funds or revealing sensitive data.

How it works:
•    Scammer gains access to or mimics a senior executive’s email.
•    Sends urgent request for payment or invoice settlement.
•    May include fake attachments or links to malware.

Example:
In 2024, the Singapore Police Force, working with international partners, recovered over USD 40 million in a major BEC case (Singapore Police advisory 2024). In another incident, a local company nearly lost S$300,000 when an employee was duped by a fake supplier email requesting payment to a new overseas account (The Straits Times, 2025).

How to Spot:
•    Mimics CEO/CFO emails (e.g., [email protected]).
•    Unique trait: Requests urgent wire transfers to "new accounts."

How to avoid: 
•    Verify requests via phone before transferring money.  
•    Watch out for urgent, authoritative language

⚠️ Remember: BEC scams rely on urgency and authority. Always verify payment requests via a second channel, such as phone call.

4. E-Commerce and Delivery Scams


As online shopping grows, so do scams involving parcels and order confirmations.

Tactics:
•    "Failed delivery" notices from SingPost or DHL asking for payment.
•    Emails from fake platforms like "Qoo10" or "Shopee" with order issues.

Example:
"Your parcel is held due to unpaid customs fee. Click here to pay $3.20." Small charges are often a ruse to collect card details.

How to Spot:

•    Requests for small payments so villains can steal card details.
•    Links to fake SingPost/DHL sites.

5. Charity and Donation Scams


After natural disasters, before or even during festive seasons, scammers send fake donation drives mimicking known charities or religious organisations asking for donations.

How to Spot:
•    Appeals to emotion with high-pressure language.
•    Requests to donate via cryptocurrency or untraceable platforms.

How to verify
•    Donate only via official websites, such as “giving.sg”

How to verify legitimate emails


Legitimate IRAS communications will never request sensitive information via email links, nor will they demand immediate action under threat of legal consequences. All authentic tax-related matters can be verified through the official IRAS website or via the myTax Portal using your SingPass.

Per Singapore Customs, they would not send hyperlinks for cash transactions and added that official e-mail addresses under Singapore Customs contain the domain @customs.gov.sg and official correspondence would never be sent from personal e-mail accounts like Gmail or Yahoo. 

Singtel never sends unsolicited emails requiring account verification through provided links, as any legitimate communication regarding account security would direct customers to the official Singtel application or website, accessed independently rather than through provided links.

📌 5 Signs of a Scam Email
(Use this as a sidebar or infographic for quick reference.)

S/No

Red Flag

Example

Common in

These Scams

1

Fake Sender

[email protected] (not iras.gov.sg)

IRAS, Singtel, Bank scams

2

Urgent Threats

"Your account expires in 24 HOURS!"

BEC, Fake fines

(IRAS, LTA)

3

Suspicious Links

bit.ly/claim-iras (hides real URL)

Phishing,

Fake deliveries

4

Bad Grammar

"Kindly do the needful."

Mass phishing

(e.g., "Qoo10" scams)

5

Strange Attachments

"Invoice.zip" or "Refund.exe"

Malware,

Fake invoices

 

💡 Pro Tip: 
Legitimate emails from IRAS, banks, or Singtel will never threaten immediate action or ask for sensitive data via links. Always verify by contacting the organisation directly via their official website or hotline.

STOP

Checklist for Scam Emails - Singapore-Style


While each scam type has unique tricks, most share common warning signs.

Here are some tips on how to spot them:
🔍 Check Sender Address - Misspelled domains
✅ Legit: [email protected] (exact match!)
❌ Scam: [email protected] (almost real, but fake!)

🚨 Watch for Urgent Threats - Common in BEC scams, fake IRAS penalties.
✅ Legit: Calm, professional language
❌ Scam: "URGENT: Your account is suspended!" (panic mode)

💾 Be Wary of Attachments and check before downloading
✅  Legit: No weird files, only official documents
❌ Scam: Suspicious files (.exe, .zip) or unexpected attachments

🔗 Check the Links - before clicking
✅  Legit: Directs to “.gov.sg” or official app
❌Scam: Shortened or strange links (e.g., bit.ly/claim-iphone)

⚠️ Pro Tip: 
•    These signs apply broadly, but as some scams have unique traits, always verify with the official source (e.g., IRAS, Singtel) before acting.
•    Singapore government and banks will NEVER ask for your OTP or password via email.
•    Don’t be kaypoh – don’t click! 

Stay smart, stay safe!

Bookmark this checklist, and share with your friends or colleagues, even if they are tech-savvy, as a handy reminder!

 

Pexels Aviz 4447140

How to Protect Yourself from Email Scams

Verifying a Suspicious Email


If you're unsure whether an email is legitimate:
•    Don’t click any links but visit the official website directly to clarify.
•    Check directly with the organisation such as IRAS, or Singtel, using official hotlines or emails.
•    Search online as many scams are documented on forums or news sites.
•    Use ScamShield, a Singapore-developed app that helps filter scam messages and calls.


CSA launched the “Better Cyber Safe than Sorry” national cybersecurity awareness campaign in July 2021, to increase awareness of cybersecurity and improve adoption of good cybersecurity practices in daily life, as follows:
•    Use strong passwords and enable 2FA/MFA to secure your accounts
•    Be vigilant and learn to spot signs of phishing
•    Use anti-virus software to prevent malware infections
•    Patch and update your software promptly an regularly to protect your devices

As email scams grow increasingly sophisticated, Singaporeans must remain vigilant, sceptical, and proactive. Remember:
✅ Verify first - Never trust unsolicited requests  
✅ Use official channels - Always navigate to websites directly  
✅ Report immediately - Help authorities track and block scams  
✅ Educate others – such as elderly family members and those less familiar with technology  

What to Do If You “Kena” Scammed


1.    Report to the Police at www.police.gov.sg or visit a Neighbourhood Police Centre.

2.    Contact Your Bank Immediately to request a temporary freeze or reversal of unauthorised transactions.

3.    Notify the Organisation Impersonated such as IRAS, Singtel, or others so they can alert others.

4.    Visit ScamShield to report scams and learn about emerging threats in Singapore.

5.    File a report of the scam to scam.SG and help build a verified trust rating for domains.

6.    Seek counselling if needed, such as AWARE at their Helpline: 1800-777-5555

Pexels Mikhail Nilov 8943324

What to Include in a Report:


•    Subject: "Report Scam Email Singapore"
•    Full email headers and screenshots
•    Any transaction or personal data shared
•    Timeline of events and sender details

FAQ: Some Common Questions About Email Scams in Singapore

Q: How can I verify if an IRAS email is legitimate?
A: Authentic IRAS communications will direct you to use your SingPass to access the official IRAS website (www.IRAS.gov.sg). For any suspicious communications, contact IRAS directly via their official hotline at 1800 356 8300.

Q: What should I do if I've already responded to a suspected scam email?
A: Act immediately:
1) Contact your bank to freeze any potentially compromised accounts, 
2) Change passwords for affected services using a different device, 
3) Report the incident to the 24/7 ScamShield Helpline at 1799, and 
4) Monitor your accounts for unusual activity.

Q: How quickly do I need to report a scam email?
A: Immediate reporting is crucial, particularly if financial information was compromised. The Singapore Police Force's Anti-Scam Centre has a significantly higher recovery rate for funds reported within 24 hours of transfer.

Q: Can I recover money lost to an email scam in Singapore?
A: Recovery possibilities depend on reporting speed, scam type, and transfer method. In 2024, the Anti-Scam Centre successfully recovered approximately 35% of scam losses when reported within the first day. Contact your bank's fraud department immediately, as they can sometimes reverse recent transactions.

Final Thoughts


According to Mr Gaurav Keerthi, Deputy Chief Executive (Development) of Singapore's Cyber Security Agency (CSA): "Cybersecurity is a shared responsibility." 

Email scams in Singapore are becoming more convincing and costly. However, with vigilance and education, we can counter them. Whether it's a fake tax refund or a bogus delivery notice, staying informed is our best defence.

Should you encounter suspicious communications, contribute to Singapore's collective security by reporting them promptly. Your vigilance not only protects your personal information and finances but strengthens our nation's digital resilience against those who would exploit technology and our trust for their own criminal gain.

Through awareness, caution, and community vigilance, we can navigate the digital landscape safely, even as scammers devise increasingly sophisticated deceptions.

Always verify before you click, and when in doubt, check official sources directly

Let's make Singapore a scam-smart nation.

Stay Safe, Stay Alert.
Learn more at scam.SG