Scam Prevention

Phishing in Singapore: Don’t Take the Bait! Your Guide to Spotting Fake Links and Websites with Scam.SG

  • Admin
  • 9 June 2025
Phishing in Singapore: Don’t Take the Bait! Your Guide to Spotting Fake Links and Websites with Scam.SG

Introduction

In 2024 alone, there were 8,552 phishing cases, with victims losing $59.4 million, making phishing the third most common scam in the country. (CNA, 2025; https://www.police.gov.sg/Media-Room/Police-Life/2025/02/Five-Things-You-Should-Know-about-the-Annual-Scams-and-Cybercrime-Brief-2024)

Imagine receiving either of these messages:

“Your SingPost package is being held—pay $2.99 now to release it!” or, 
“Your DBS account will be suspended unless you verify your details.”

These scam scenarios which exploit fear, urgency, and trust play out many times each year in Singapore (CNA, 2021; GOVTECH Singapore, 2023; CSA, 2024). With Singapore’s multilingual population, fraudsters craft nefarious messages in English, Mandarin, Malay, and Tamil, making them even harder to detect. 

This guide will arm you with practical strategies to spot fake links and websites, avoid phishing traps, and leverage TrustScore from Scam.SG to verify suspicious sites, whether you’re a student, professional, or retiree, these skills are crucial for protecting your identity and finances in Singapore’s digital age.

What Is Phishing and Why Is It Prevalent in Singapore?

Phishing is a fraudulent attempt to obtain sensitive information such as passwords, NRIC numbers, or bank details, by pretending to be a trustworthy entity.

Fraudsters impersonate legitimate organisations to trick individuals into divulging confidential information such as passwords, NRIC numbers, bank credentials, or OTPs. 

The deception typically comes through fake emails, SMS messages, websites, or social media posts designed to mimic reputable entities like SingPass, DBS, or even the Singapore Police Force.

Phishing thrives in Singapore due to the city-state’s high internet penetration, widespread use of digital banking, and mobile-first population. Almost every resident is connected via smartphone, making them susceptible to well-crafted SMS and email phishing campaigns. Singapore’s global status and high standard of living also make it an attractive target for organised cybercrime syndicates.

The Anatomy of a Phish: How Scammers Lure You In

Phishing attacks exploit psychological manipulation, using fear, greed, trust, or curiosity to override rational judgment and prompt immediate action.

Some Common Phishing Tactics in Singapore

Tactic Example Description
Urgency/Fear “Your account expires in 24 hours!”
“Legal action in 24 hours!”
Too-Good-To-Be-True Offers “You won a Rolex! Click to claim.”
Authority Impersonation Fake SMS from “DBS” or “IRAS.”
Curiosity/Lust “Your friend tagged you in a secret post.”
Spoofed URLs paypa1.com, dbs-secure-login.com
Deceptive HTTPS Fake sites with padlock icon
Generic Greetings “Dear Customer”
Suspicious Sender Address [email protected]


Delivery Methods in Singapore

 

Method Example Impact
Smishing (SMS) 17 Land Transport Authority (LTA) phishing cases reported in December and $33,000 lost. (The Straits Times, 2024)
Email Phishing 266 SingPost impersonation cases led to $495,000 lost. 
(The Straits Times, 2024)
WhatsApp/Telegram

Scammers use hacked accounts to impersonate contacts and request loans or card details. (Singapore Police Force, 2024)

More than 330 people fell victim to scams involving the sale of pop star Taylor Swift's concert tickets, with total losses of at least S$213,000. (CNA, 2025)
Fake Ads S'pore General Hospital calls out 'fake ads' that make use of its logo (mothership, 2024)
Social Media Victim lost $3,000 to fake crab promotion ad on TikTok. 
(mothership, 2022)

Victims lost $162k amid phishing scam spike involving social media ads in September. (The Straits Times, 2024)
AI Voice Cloning (Vishing) Scammers use AI to clone voices of bank staff or family members.
QR Code Phishing (Quishing) A phishing scam resulted in a S$33.8 million loss when a victim provided login credentials after scanning a QR code.
(The Online Citizen, 2025)
Deepfake Fraud Use of AI-generated deepfake videos or voices to impersonate trusted individuals.


Phishing scams constantly evolve — scammers now use AI, deepfakes, and multilingual bots to bypass your defences.

Real-World Examples of Phishing Scams in Singapore

Phishing is not theoretical — it’s already affecting Singaporeans daily. Here are some recent examples:

  1. Fake SingPass Phishing Scam: At least 47 people tricked by scammers into revealing Singpass credentials since January 2024. (The Straits Times, 2024)
  2. "Budget 2024” Telegram Scam: Fraudsters impersonated the Ministry of Finance to steal Telegram credentials.

  3. Maybank Scam: Maybank Singapore revealed that with help from the Singapore Police Force, it has intervened in 19 scam cases from March 2023 to June 2024, preventing the loss of S$1,215,600. (FINTECH Singapore, 2024)

  4. DBS phishing scam (2024): Fake SMS messages posing as DBS Bank redirected victims to a convincing fake DBS website where they unknowingly entered banking credentials. The scam caused over S$446,000 in reported losses within the first two weeks of January 2024. (CNA, 2024)


Your Phishing Radar: Spotting Fake Links and Websites


A sharp eye and healthy scepticism are your best weapons. Here’s how to spot fake links and websites in Singapore:

  1. Inspect the URL Carefully
    • Hover (Desktop) or Long-Press (Mobile): Reveal the real link before clicking.
    • Check for Typos: e.g., paypa1.com (fake) vs. paypal.com (real).
    • Verify Domain Endings: Official Singapore sites use “.sg”, “.gov.sg”, or trusted “.com” domains—not random strings or foreign domains.
    • HTTPS ≠ Safe: The padlock icon can be faked. Always cross-check the domain with the official site (CSA, 2024).

      2. Real vs. Fake Website Checklist

Feature Legitimate Site  Scam Site
URL dbs.com.sg dbs-secure-login.com
Design Professional Poor graphics/design
Grammar Fluent English Spelling/grammar errors
Contact Info Phone/address listed Only Gmail or web forms

      3. Email & SMS Red Flags

  • Generic Greetings: “Dear Customer” instead of your name.
  • Suspicious Sender: Email address doesn’t match sender (e.g., [email protected]).
  • Unexpected Messages: About accounts you don’t have.
  • Pressure Tactics: “Act now or your account will be suspended!”


      4. Multilingual & Local Clues

  • Scams may appear in English, Mandarin, Malay, or Tamil.
  • Look for awkward translations or mixed languages.


Tip: When in doubt, copy the link and check it with TrustScore from Scam.SG (see next section).

Beyond Spotting: Proactive Measures with Scam.SG and Other Tools

Staying ahead of scammers means using the right tools and habits.

The Power of Scam.SG

Scam.SG is Singapore’s largest platform for business reviews and authenticity checks. Its TrustScore engine analyses and verifies businesses to help you avoid scams and make safer decisions.

How to Use Scam.SG’s TrustScore:

  1. Go to Scam.SG/companies.

  2. Enter the business name or UEN.

  3. Click “Check TrustScore.”

  4. Review the result:

    • Foundational: New or unverified business

    • Evolving: Early signs of credibility

    • Established: Verified and trusted

    • Institutional: Highly credible with strong reputation

Community Reporting:

Report suspicious sites to Scam.SG to help others avoid scams.

Other Essential Safeguards

  • Enable Two-Factor Authentication (2FA): For banking and social accounts.
  • Use Strong, Unique Passwords: Consider a password manager.
  • Keep Software Updated: Regularly update your OS, browsers, and antivirus.
  • Install ScamShield: Blocks scam calls and SMS.
  • Bookmark Official Sites: Access sensitive services only via official URLs or apps.
  • Educate Family & Friends: Especially seniors, who are often targeted.


Singapore’s Response to the Phishing Threat

The government and private sector are fighting back with robust measures:

  1. SMS Sender ID Registry (SSIR):
    Only verified businesses can send branded SMS. Unregistered messages are marked as “Likely-SCAM.”
  2. Anti-Scam Command (ASCom):
    A dedicated task force for swift response to major scam operations.
  3. National Scam Education Campaigns:
    Regular public campaigns on emerging threats like QR code phishing or deepfakes.
  4. Collaboration with Banks & Telcos:
    Banks (e.g., DBS, OCBC) block transactions from known scam sites and send app alerts. Telcos block spoofed domains and restrict international scam calls.


Quote by Mr Gerald Singham, Chairman of NCPC,
“All of us have a responsibility to prevent ourselves and our loved ones from becoming a victim of scam. Learning to spot the various signs of scams and taking the necessary precautions to safeguard ourselves are crucial in the fight against scams.”

How Businesses in Singapore Can Protect Themselves

Phishing isn’t just a personal threat—SMEs and enterprises are frequent targets of business email compromise (BEC) and invoice fraud.

Best Practices for Businesses:

  • Employee Training: Run regular cybersecurity awareness sessions.
  • Verify Payment Instructions: Always confirm invoice changes via phone or in-person.
  • Deploy Email Filtering: Block phishing emails before they reach staff.
  • Encourage Link Verification: Use Scam.SG before clicking suspicious links.

What to Do If You’ve Clicked a Phishing Link

If you suspect you’ve fallen for a phishing scam, act fast:

  1. Disconnect: Stop further data leaks.
  2. Change Passwords: Start with banking and email accounts.
  3. Call Your Bank: Freeze accounts if needed.
  4. Scan for Malware: Use updated antivirus software.
  5. Report the Incident:
    The Singapore Police Force (SPF) or at the nearest Neighbourhood Police Centre/Post,
    SingCERT, ScamShield, or the platform it originated from (e.g., Google for Gmail, social media platforms).


Tip: For detailed steps on “What to Do If You’ve Clicked a Phishing Link”, see guide from either

  • Scam.SG on What to Do If You Have Been Scammed in Singapore or
  • ScamShield on I've been scammed


Future Phishing Trends: What’s Next?

Scammers are getting smarter. Here’s what to watch for in 2025 and beyond:

  • AI Voice Scams (Vishing): Cloned voices impersonate bank staff or loved ones.
  • CAPTCHA-Protected Phishing: Scam sites use CAPTCHAs to evade detection.
  • Deepfake Fraud: AI-generated videos and voices trick even the wary. (The Straits Times, 2025)
  • Multilingual AI Bots: Scammers use bots that speak Singlish and local dialects.


Local Defence:
A*Star’s Meralion AI is being trained to intercept suspicious calls in English, local languages, and even Singlish. (The Straits Times, 2025)


FAQ: Your Phishing Questions Answered

Q: Is HTTPS always safe?
A: No. Scammers can get SSL certificates. Always check the full URL. (Cyber Security Agency of Singapore (CSA), 2024)

Q: How do I report a scam in Singapore?
A: Use ScamShield, Scam.SG or the Singapore Police Force.

Q: What if the message is in my mother tongue?
A: Scammers target all languages. When in doubt, check with ScamShield.


Stay Vigilant!

As technology advances, attackers become more creative and focused. Awareness, knowledge, and proactive vigilance — plus tools like Scam.SG and ScamShield — are your best defences.


Action Steps:

  1. Bookmark ScamShield and Scam.SG to verify suspicious links.
  2. Share this guide with friends and family.
  3. Stay updated by following advisories from the Singapore Police Force (SPF), Monetary Authority of Singapore (MAS), and other Singaporean authorities.


Don’t be the next victim—always verify before you click!

Stay one step ahead of scammers. Together, we can make Singapore’s digital space safer for everyone.

Disclaimer:
This article is for informational purposes only. For urgent assistance, contact the Singapore Police Force or your bank immediately.