Beware of Phishing Scams

Phishing is a method which cybercriminals use to fraudulently obtain your personal and financial information such as your login details, bank account numbers and credit card numbers. Cybercriminals often disguise themselves as a legitimate individual or reputable organisation through email, instant messaging and other communication channels. Once they obtain your personal information, they could gain access to your online accounts, and even impersonate you to scam the people around you, such as your family, friends and business partners.

Phishing scams are ever-evolving. In the past, phishing messages contained bad spelling, grammatical and punctuation errors, making them easier to spot. With the rise of generative artificial intelligence, cybercriminals are coming up with more sophisticated phishing scam messages with minimal errors. 

Only download apps from official app stores

Cybercriminals devise convincing advertisements to trick users into taking action such as scanning malicious QR codes or clicking on malicious links to make payment for goods and services. In the recent spate of malware phishing scams, victims are asked to download malicious Android Package Kit files via URL links. Installing these apps will allow cybercriminals to access users' devices to steal passwords and banking credentials.

Only download apps from official platforms - Google Play Store (Android) or Apple App Store (iOS), as these platforms have measures in place to detect and remove malicious apps. 

Think before you click on links provided in unsolicited emails and text messages

Cybercriminals often try their luck by sending mass emails and messages to large groups of people, in hopes that someone responds. 

Cybercriminals also tend to use urgent or threatening messages to pressure you to click on links. By doing so, they hope to instill panic and fear to trick you into providing confidential information. Be wary of emails with phrases such as “urgent action required” or “your account will be terminated”. If you have good reason to believe it is a scam, delete the message immediately.

Cybercriminals can also easily create fake websites that are visually similar to legitimate websites to phish for personal data. Take note of the URL in the address bar of your web browser. Cybercriminals often use tricks such as substituting letters in a URL to mislead you into thinking that you are on a legitimate website e.g., www.paypa1.com instead of www.paypal.com.

Always check the authenticity of the email, call or request through official sources

Most organisations will never ask for your personal information such as NRIC, login credentials and credit card details to be sent over the Internet. If the sender claims to be from your bank and requests your bank account number, it should raise a red flag immediately.

When in doubt, contact the company directly to clarify, but be sure not to use the contact information provided in the email. Do refer to the official website or call the company’s hotline. Check with a trusted source such as a family member or friend, or contact the Anti-Scam helpline.

For emails, look closely at the sender’s email address, which may look similar to a company’s official email address. Hover your mouse cursor over links in emails. A small window will appear above the link to show you the actual URL, which is the real destination of the link.

If the links are mismatched, it is a strong indicator that something ‘phishy’ is going on. If you are using a mobile device, long-press the link to display a window with the actual URL. Be careful not to tap and open the link!

If you are a victim of a phishing scam, you should:

  • Change your password immediately. If the password is used on your other accounts, change those too. Use a strong passphrase and be sure to use a different passphrase for each of your online accounts.
  • Run a full system scan with your anti-virus software.
  • Alert your bank promptly if you suspect you have revealed your banking details or credit card credentials.
  • Lodge a police report if you incur any monetary loss.
  • Report the phishing attempt to both the organisation that was misrepresented and the Singapore Cyber Emergency Response Team (SingCERT) at www.csa.gov.sg/reporting.
  • Visit www.scamalert.sg or call the Anti-Scam Helpline at 1800-722-6688.
