Security Advisory
 

Security Guide on Scams and Fraud Attempts
Learn how to spot and stop fraud. Check out these security tips to protect yourself from scams.

Business Email Compromise (BEC) Attacks
A BEC is an email-based fraud technique in which the scammer poses as a trusted party (a supplier, a business partner or a senior staff member) to obtain critical business information or to extract money through fraudulent requests for payment or wire transfer.

Look-alike (spoofed) email addresses used by scammers often contain slight misspellings or substituted characters, such as a dropped letter or the digit 0 in place of the letter o, which are easy to miss at first glance. A look-alike domain registered by the scammer will also pass the usual sender-authentication checks, so the address itself has to be read carefully.
Genuine email address
e.g. 1: abc@deshipping.com
e.g. 2: sallykoh@yyconstruction.com

Look-alike (spoofed) email address
e.g. 1: abc@deshpping.com (the letter i is missing from "deshipping")
e.g. 2: sallyk0h@yyconstruction.com (the digit 0 replaces the letter o)
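As an added illustration (not part of the original advisory or of the sources it cites), the following Python snippet shows one way to screen an incoming From: header against a list of known correspondents. It catches both patterns above: a domain one edit away from a genuine one, and a local part with a digit substituted for a letter; it also flags a borrowed display name on a stranger's address. The contact list, the homoglyph table, the thresholds and the sample headers are constructed for the example.

```python
from email.utils import parseaddr

# Constructed for this example: addresses your organisation actually corresponds with
KNOWN_CONTACTS = {"abc@deshipping.com", "sallykoh@yyconstruction.com"}

# Characters scammers commonly swap for look-alikes (example table, not exhaustive)
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(s):
    """Lower-case the string and undo common look-alike substitutions."""
    s = s.lower()
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s


def edit_distance(a, b):
    """Levenshtein distance: the number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similar(a, b, max_edits):
    """True if a and b match after homoglyph normalisation or differ by <= max_edits."""
    return normalize(a) == normalize(b) or edit_distance(a.lower(), b.lower()) <= max_edits


def check_sender(from_header):
    """Classify a From: header value.

    Returns one of:
      ("known", address)        exact match with a known contact
      ("lookalike", contact)    address differs only slightly from a known contact
      ("displayname", contact)  display name matches a contact, the address does not
      ("unknown", address)      nobody we know; treat like any other stranger
    """
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr in KNOWN_CONTACTS:
        return ("known", addr)
    local, _, domain = addr.rpartition("@")
    for contact in KNOWN_CONTACTS:
        c_local, _, c_domain = contact.rpartition("@")
        # Domains get a slightly wider tolerance than local parts; on very short
        # names this will over-match, so tune the thresholds to your own contact list.
        if similar(domain, c_domain, 2) and similar(local, c_local, 1):
            return ("lookalike", contact)
        # "Sally Koh <anything@freemail.example>": the name is borrowed, the address is not
        if display and normalize(display).replace(" ", "") == c_local:
            return ("displayname", contact)
    return ("unknown", addr)


if __name__ == "__main__":
    # Constructed sample headers, including the two look-alikes from the advisory
    for header in ["abc@deshipping.com",
                   "abc@deshpping.com",
                   "Sally Koh <sallyk0h@yyconstruction.com>",
                   "Sally Koh <sallykoh.personal@freemail.example>",
                   "someone@example.org"]:
        print(header, "->", check_sender(header))
```

A check like this complements, rather than replaces, SPF, DKIM and DMARC at the gateway: those verify that mail really came from the domain it names, but a look-alike domain the scammer registered passes them legitimately. Any "lookalike" or "displayname" hit is a reason to confirm the request through a different channel before acting on it.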

Customers are advised to adopt the following preventive measures:
1. Promote a Culture of (Cyber) Vigilance among Employees
Regularly share cyber-hygiene news on current scam and phishing cases.

2. Implement an Additional Verification Process for Finance-related Requests
Put in place a secondary confirmation step (for example, a call-back to a number already on record, or a second approver) to verify the authenticity of any request to make a payment, change bank details or transfer funds.

3. Block Malicious or Spoofed Emails
Configure filters at the email gateway to reject or quarantine mail with known malware or spam indicators, and enforce sender-authentication checks (SPF, DKIM and DMARC) so that mail claiming to come from your own or your partners' domains is verified.

4. Implement Strong Password Policies
Use strong, unique passwords, change them if you suspect they have been compromised, and enable Two-Factor Authentication (2FA) wherever possible.

5. Inspect Suspicious or Urgent Emails Closely
Seek confirmation through a different channel (e.g. a phone call to a number already on record, not one given in the email) before acting on any important instruction received by email.

This information is current as of 22 Feb 2022.
Source: Singapore Police Force, Police Advisory on Variant Of Business Email Compromise Scam, https://www.police.gov.sg/media-room/news/20200120_others_police_advisory_on_variant_of_business_email_compromise_scam
Cyber Security Agency of Singapore (CSA), Protecting Your Enterprise from Business Email Compromise Attacks, https://www.csa.gov.sg/singcert/advisories/ad-2020-008

 

Phishing Scam
Victims receive a call informing them that they have won a lucky draw. To claim the prize, the victim must provide their passport details or other personal information.

In another form of phishing, fake websites are created to look identical to the genuine ones but with a slightly different web address. Victims who enter their personal details and PINs on these websites put their information and money at risk.

What you should look out for:
●Phone calls from anyone telling you that you have won a lucky draw. Legitimate organizations typically notify winners via written means such as email or an official letter, in addition to a phone call. If in doubt, contact the organization for verification
●Fake emails. Check the email address of the sender and look out for spelling or grammar mistakes. These are signs of a scam email
●Official-looking emails that do not address you by name. Spam emails are usually sent out en masse
What you should do:
●Never give out personal information such as your bank account or credit card numbers via email
●Never disclose PIN numbers, user account IDs, passwords or credit card details over email
●Delete suspicious emails and ignore phone calls from people making claims about the use of your name
●Be aware that no email service provider, bank, financial institution or website administrator would email customers to verify or ask for their account information, password or PIN
●Hover your mouse over the link in the email to check the destination address. If the address doesn’t lead you back to the website you are expecting, it is likely to be a phishing attack
●Never input sensitive information to pop-up windows from emails or websites
●Never download or open attachments in emails from unfamiliar sources
●Never feel pressured to reveal your personal information online
●Protect your computer or device with a firewall, spam filters and up-to-date anti-virus software
●Check the address bar carefully. Websites that handle your details should use 'https' rather than 'http' at the start of the address (modern browsers show this as a closed padlock next to the address). Be aware that the padlock only means the connection is encrypted; scammers also obtain certificates for their fake sites, so a padlock on a look-alike address is not proof that the site is genuine
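As an added example (not part of the NCPC material this section is drawn from), the following Python snippet applies the two link checks above to the HTML body of an email: it compares each link's real destination with the address shown to the reader, and flags non-https destinations and bare IP addresses. The sample email, the expected domain bank-example.com and the helper names are constructed for the illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip(host):
    """True if the host part of a URL is a bare IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable(host):
    """Crude 'site' name: the last two labels. Real code should use the Public Suffix List."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def audit_links(html, expected_domain):
    """Return a list of (href, shown_text, reasons); an empty reasons list means the link passed."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        reasons = []
        if url.scheme != "https":
            reasons.append("scheme %r is not https" % url.scheme)
        if is_ip(host):
            reasons.append("destination is a bare IP address")
        elif registrable(host) != expected_domain:
            reasons.append("destination %s is not %s" % (host, expected_domain))
        # The hover check: visible text that looks like a URL but points somewhere else
        if "://" in text or text.startswith("www."):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable(shown) != registrable(host):
                reasons.append("shows %s but goes to %s" % (shown, host))
        findings.append((href, text, reasons))
    return findings


# Constructed sample phishing body; bank-example.com stands in for the genuine site
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Please <a href="https://secure-login.bank-example.co/verify">verify your account</a> today.</p>
<p>Or visit <a href="http://198.51.100.23/login">https://www.bank-example.com/login</a></p>
<p><a href="https://www.bank-example.com/security">Security tips</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in audit_links(SAMPLE_EMAIL, "bank-example.com"):
        print(href, "|", text, "|", "; ".join(reasons) or "ok")
```

Of the three sample links, only the last passes: the first uses a look-alike domain under https, and the second shows a genuine-looking address while pointing at a plain-http IP address. The domain comparison is the check that matters; https on its own only tells you the connection is encrypted. On a phone, where hovering is not possible, long-pressing a link usually reveals the same destination.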

This information is current as of 22 Feb 2022.
Source: National Crime Prevention Council (NCPC), Types of scam, https://www.scamalert.sg/types-of-scams

 

Social Media Impersonation/WhatsApp Takeover Scam
Scammers hack into a victim's social media accounts or messaging apps such as WhatsApp and use the victim's identity to ask their contacts to buy iTunes or other gift cards for them.

In other cases, scammers contact the victim's friends and family to ask for personal and bank details and One-Time Passwords (OTPs) for their online accounts (such as Lazada, Shopee or Qoo10), on the pretext of helping them sign up for, or claim prizes from, fake lucky draws or contests purportedly run by those e-commerce platforms. Once the scammers obtain this information, they make unauthorised transactions on those accounts.

Social Media Impersonation Scam
In this variation, scammers either impersonate the victim or hack into their social media account, then ask the victim's contacts for personal details such as mobile number, bank account details and One-Time Passwords (OTPs), on the pretext of helping them sign up for or claim prizes from fake contests or promotions allegedly run by popular e-commerce sites such as Lazada, Shopee or Qoo10.

WhatsApp Takeover Scam
Scammers use a variety of ways to get victims to share their 6-digit WhatsApp verification code (OTP) with them. Here are some of the common methods:

Method 1
A victim receives a WhatsApp message from a friend or loved one whose account has already been compromised. The scammer uses a variety of reasons to trick the victim into sharing their 6-digit WhatsApp verification code or personal or bank details, ranging from needing the information to sign them up for a fake contest or promotion to claiming that the OTP was sent to the victim by mistake. Once the victim shares the 6-digit WhatsApp OTP, the scammer uses it to register the victim's number on another device, and the victim loses access to their WhatsApp account.

Method 2
A victim receives a WhatsApp message from a person claiming to be WhatsApp support staff, who asks for the victim's 6-digit OTP "for verification". After providing the code, the victim loses access to their WhatsApp account. Note that WhatsApp and its staff will never ask for a user's 6-digit OTP.

Method 3
The scammer starts registering the victim's phone number in the WhatsApp app on the scammer's own phone, deliberately lets the SMS verification fail and requests the code by phone call instead. If the victim does not pick up, the automated call reads the 6-digit OTP into the victim's voicemail.

The scammer then dials into the victim's voicemail remotely using the default voicemail PIN set by the telco, retrieves the OTP and completes the registration. Having taken over the account, the scammer enables two-step verification so that the victim cannot regain control of it.

In all scenarios, scammers will proceed to reach out to more victims through the compromised accounts.

What you should look out for:
●You have trouble logging into your account
●Unauthorised transactions on your online or bank accounts
●Your phone data bill is larger than usual

What you should do:
●Never act on an unexpected request from a friend (for example, to buy a gift card) without calling them first to verify that the request is genuine
●Under no circumstances should you share your One-Time passwords (OTPs) of any accounts with anyone, including your loved ones and friends
●Be extra careful with dealings over mobile message platforms like Facebook Messenger, WhatsApp, Skype or Line
●Verify with official sources such as the company's website or social media accounts to check if the promotion or lucky draw is real
●Enable two-step verification (or two-factor authentication) on every online account that offers it. This adds an extra layer of security in case your password or verification code is stolen
●If your account has been compromised, inform your contacts immediately of the hack and ask them not to accede to requests for personal information, especially OTPs. You should also make an immediate report to the operator of the messaging app or platform to regain control of your account.
●Change your voicemail account's default PIN to prevent scammers from gaining access to it. If you have no use for voicemail, contact your telco to deactivate it

This information is current as of 22 Feb 2022.
Source: National Crime Prevention Council (NCPC), Types of scam, https://www.scamalert.sg/types-of-scams

 

Software Update Scam
Victims receive a call from someone claiming that their computer needs a security or software upgrade. To get the upgrade, victims are told to give their software user account ID and password to the caller. Sometimes, victims are asked to type several commands into their computer, after which the computer falls under someone else's control. Alternatively, victims may be asked to purchase additional software online; when they do, the scammers take their credit card or bank account details for their own fraudulent use.

What you should look out for:
●Anyone who calls you with news intended to make you feel vulnerable, such as the security of your computer
●Cold calls that lead to the caller asking for payment to perform a "software upgrade"

What you should do:
●Ignore such calls and never follow the caller's instructions to install software, grant remote access or type commands into your computer
●Never divulge personal info such as bank account details or credit card numbers to callers

For more types of scams, you may refer to Scam Alerts, https://www.scamalert.sg/types-of-scams

This information is current as of 22 Feb 2022.
Source: National Crime Prevention Council (NCPC), Types of scam, https://www.scamalert.sg/types-of-scams