Police warn of SMS phishing scam targeting Singpass users; some end up with unauthorised credit card charges

SINGAPORE — The police have warned the public of a "surge" in phishing scams targeting Singpass users through unsolicited SMSes containing links that direct them to a spoofed website.

Some victims ended up with unauthorised transactions charged to their credit cards after their Singpass login details were stolen, the authorities said in an advisory on Sunday (Oct 2).

“This is a new variant of phishing scams for which police have observed a rising trend for,” the authorities added.

Detailing how the scam happens, the police said that members of the public would receive unsolicited SMSes from a sender ID resembling Singpass, such as “MySingpass” or “SGSingpass”.

“The SMSes would indicate that the recipients’ Singpass accounts had been or would be deactivated, and that they were required to conduct facial verification,” said the police.

The recipients would then be instructed to log into their Singpass account through a web link provided in the message, which directs them to a spoofed Singpass login webpage.

Upon keying in their Singpass ID and password, victims will then be led to a Two-Factor Authorisation page where they would be prompted for their Singpass One-Time Password (OTP).

The individuals would only realise that they had been scammed when they receive alerts from Singpass informing them that their profiles had been updated.

“In some cases, the victims would receive alerts that they had signed up for bank accounts and credit cards. Unauthorised transactions were also charged to the credit cards in some cases,” said the police.

The police said that user vigilance is crucial in combatting scams, even as authorities have taken down the phishing websites.

The authorities reminded the public to observe the following crime prevention measures:

• Singpass does not send SMSes containing web links asking you to log in with your credentials
• The official SMS sender identity for Singpass is labelled as "Singpass" or "SingPass"
• Users can contact the official Singpass hotline at 63353533 and press “9” for 24-hour scam support 
• Ensure the Singpass site being accessed is singpass.gov.sg with a lock icon in the address bar
• Any log-in to government services should be done only on websites with domains ending with “.gov.sg”
• Never disclose personal or internet banking details and OTPs to anyone
• Report any fraudulent transactions to the bank immediately
• Individuals who suspect that their Singpass details have been compromised should reset their Singpass password at go.gov.sg/reset-sp-pw

They should also check their Singpass transaction history for any suspicious activities and lodge a police report or submit details of the incident online via www.police.gov.sg/iwitness.

Anyone with information about such crimes may contact the police at 1800-255-0000 or at the I-Witness website above.

Members of the public may also visit www.scamalert.sg or call the Anti-Scam Hotline at 1800-722-6688 for more information on scams.