More than S$37,000 lost by victims in July amid 'sudden surge' in Iras phishing scams

SINGAPORE — The police and the Inland Revenue Authority of Singapore (Iras) on Thursday (July 28) warned of a "sudden surge" in phishing scams involving scammers impersonating Iras through SMSes.

At least 51 victims have fallen for the scams this month, with losses amounting to at least S$37,400, the authorities said in a joint release.

Victims of such scams would receive unsolicited SMSes listing Iras as the sender’s name, they said.

The recipients would be directed to complete their tax review or inspection using an embedded link in the message.

Upon clicking on the link in the SMS, the victims would be sent to a spoofed Singpass page, where they would be asked to enter their login credentials.

“Thereafter, the victims would be redirected to another spoofed webpage which looks like an IRAS website, and finally to a spoofed bank login page,” said the authorities.

The victims would be requested to enter their Internet banking details and one-time passwords (OTPs) received on their mobile phones.

They would only realise they had been scammed after being notified of unauthorised transactions from their bank accounts, the authorities said.

“While the authorities work swiftly to take down phishing websites, user vigilance is crucial in our fight against evolving scams,” they added.

In the joint release, the authorities also said that Iras does not send SMSes containing links asking members of the public to log in with their credentials such as passwords and Singpass login details.

They advised members of the public to be on “heightened alert” and follow crime prevention measures such as always verifying the authenticity of claims about problems with their income tax status with the official Iras website.

Members of the public should also ensure the Singpass website domain they are accessing is singpass.gov.sg, with a lock icon in the address bar.

Users should update their contact details registered with Singpass and enable notifications via their Singpass app so that they can be promptly alerted of suspicious logins and contact Singpass to secure their account.

This includes when a login on a new device or Internet browser is detected.

Logins to Government services should only be done at websites with domains ending with “.gov.sg”, said the police and Iras.

Members of the public can check against the list of trusted websites at www.gov.sg/trusted-sites if they receive a link that does not end with “.gov.sg".

They should also never disclose their personal or Internet banking details or OTPs to anyone and report any fraudulent transactions to their bank immediately.

Those with information relating to such crimes can call the police hotline at 1800-255-0000 or submit it online. CNA