Phishing is a method which cybercriminals use to fraudulently obtain your personal and financial information such as your login details, bank account numbers and credit card numbers. Cybercriminals often disguise themselves as a legitimate individual or reputable organisation through email, instant messaging and other communication channels. Once they obtain your personal information, they could gain access to your online accounts, and even impersonate you to scam the people around you, such as your family, friends and business partners.
Phishing scams are ever-evolving. In the past, phishing messages contained bad spelling, grammatical and punctuation errors, making them easier to spot. With the rise of generative artificial intelligence, cybercriminals are coming up with more sophisticated phishing scam messages with minimal errors.
Cybercriminals devise convincing advertisements to trick users into taking action such as scanning malicious QR codes or clicking on malicious links to make payment for goods and services. In the recent spate of malware phishing scams, victims are asked to download malicious Android Package Kit (APK) files via URL links. Installing these apps will allow cybercriminals to access users' devices to steal passwords and banking credentials.
Only download apps from official platforms - Google Play Store (Android) or Apple App Store (iOS), as these platforms have measures in place to detect and remove malicious apps.
Cybercriminals often try their luck by sending mass emails and messages to large groups of people, in hopes that someone responds.
Cybercriminals also tend to use urgent or threatening messages to pressure you to click on links. By doing so, they hope to instill panic and fear to trick you into providing confidential information. Be wary of emails with phrases such as “urgent action required” or “your account will be terminated”. If you have good reason to believe it is a scam, delete the message immediately.
Cybercriminals can also easily create fake websites that are visually similar to legitimate websites to phish for personal data. Take note of the URL in the address bar of your web browser. Cybercriminals often use tricks such as substituting letters in a URL to mislead you into thinking that you are on a legitimate website e.g., www.paypa1.com instead of www.paypal.com.
Most organisations will never ask for your personal information such as NRIC, login credentials and credit card details to be sent over the Internet. If the sender claims to be from your bank and requests your bank account number, it should raise a red flag immediately.
When in doubt, contact the company directly to clarify, but be sure not to use the contact information provided in the email. Do refer to the official website or call the company’s hotline. Check with a trusted source such as a family member or friend, or contact the Anti-Scam helpline.
For emails, check the sender’s email address closely, as it may look similar to a company’s official email address. Hover your mouse cursor over links in emails. A small window will appear above the link to show you the actual URL, which is the real destination of the link.
If the links are mismatched, it is a strong indicator that something ‘phishy’ is going on. If you are using a mobile device, long-press the link to display a window with the actual URL. Be careful not to tap and open the link!
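The two checks described above (comparing the URL a link displays with its real destination, and spotting letter substitutions such as www.paypa1.com) can be automated for HTML emails. The following Python is an added example, not part of the original article; the trusted-domain list, the substitution table, the function names and the sample email body are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"paypal.com"}  # assumption: domains the reader really uses
SWAPS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})  # look-alike digits

def host_of(text):
    """Return the lowercase hostname in text, or None if text is not URL-like."""
    text = text.strip()
    if " " in text or "." not in text:
        return None
    text = text if "://" in text else "http://" + text
    return (urlparse(text).hostname or "").lower() or None

def registrable(host):
    # Simplification: last two labels. Production code should use the Public Suffix List.
    return ".".join(host.split(".")[-2:])

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def check_links(html):
    """Return (href, reason) findings for every anchor in an HTML email body."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real, shown = host_of(href), host_of(text)
        dom = registrable(real) if real else None
        # Displayed URL points somewhere other than the real destination.
        if dom and shown and registrable(shown) != dom:
            findings.append((href, "mismatch"))
        # Destination becomes a trusted domain once look-alike digits are undone.
        if dom and dom not in TRUSTED and dom.translate(SWAPS) in TRUSTED:
            findings.append((href, "lookalike"))
    return findings

SAMPLE = ('<a href="http://www.paypa1.com/login">www.paypal.com</a> '  # constructed
          '<a href="https://www.paypal.com/help">Help</a>')
```

Calling `check_links(SAMPLE)` flags the first link twice (mismatch and lookalike) and leaves the genuine link alone.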
If you are a victim of a phishing scam, you should: