The Singapore police and the Inland Revenue Authority of Singapore (IRAS) have observed a sudden surge in phishing scams since July 2022.
Scammers would impersonate as IRAS and target victims through SMSes, and so far at least 51 victims have fallen prey, with total losses amounting to at least S$37,400.
The police and IRAS issued a July 28 joint media release about this scam.
The scam occurs in the following sequence:
- Members of public would receive unsolicited SMSes containing “IRAS” in the sender name. The recipients are directed to urgently complete their tax review/ inspection via an embedded link in the message.
- Upon clicking on the link in the SMS, the victims would be sent to a spoofed Singpass login page, where they would be asked to enter their Singpass ID and password.
- Thereafter, the victims would be redirected to another spoofed webpage which looks like an IRAS website, and finally to a spoofed bank login page.
- The victims would then be requested to enter their Internet banking credentials and OTPs received on their mobile phones. Victims would only discover that they had been scammed when they were notified of unauthorised transactions made from their bank accounts.
The police and IRAS are advising members of the public to remain vigilant and be mindful of the following crime prevention reminders:
- IRAS does not send SMSes containing links asking you to log in with your credentials (i.e. passwords and Singpass log-in details).
- Always verify the authenticity of claims of problems with your income tax status with the official IRAS website.
- Ensure that the Singpass website domain you are accessing is singpass.gov.sg, with a 'lock' icon in the address bar.
- Users should make it a point to update their contact details registered with Singpass and enable notifications via their Singpass app so that they can be promptly alerted of suspicious log-ins, e.g. when a log-in on a new device or Internet browser is detected, and contact Singpass to secure their account.
- Log-ins to government services should only be done at websites with domains ending with “.gov.sg”. If you received a link that does not end with “.gov.sg”, check against the list of trusted websites at www.gov.sg/trusted-sites.
- Never disclose your personal or Internet banking details and OTPs to anyone.
- Report any fraudulent transactions to your bank immediately.
Those with any information relating to such crimes can call the police hotline at 1800-255-0000, or submit a report online at www.police.gov.sg/iwitness.
Members of the public can visit www.scamalert.sg or call the anti-scam hotline at 1800-722-6688 for more information.
All media via