Users of Singpass, a two-factor authentication system for securely accessing digital government and private sector services over mobile devices, are being targeted in a new phishing attack that looks to steal confidential information.
The Singapore Police Force (SPF) has issued an alert about the scam and has advised Singpass users on how to safeguard themselves.
Singpass allows users to scan QR codes on login pages of official government and private sector organisation websites to access digital services.
The login process requires the user’s consent and authentication through biometrics or passcode verification on their devices.
Describing the modus operandi, SPF said scammers would create fake surveys and recruit participants through online forums and e-commerce sites.
The surveys were purportedly conducted on behalf of reputable companies or organisations in Singapore.
Scammers would typically communicate with the victims through WhatsApp and promise them monetary rewards for their participation in the surveys.
Upon completing the surveys, the victims would be requested to scan a Singpass QR code with their Singpass app, with the scammers claiming it was part of the verification process to retrieve their survey results for disbursement of the monetary rewards.
However, the Singpass QR code provided by the scammers was a screenshot taken from a legitimate website, and by scanning the QR code and authorising the transaction without further checks, victims unintentionally gave the perpetrators access to certain online services, the police said.
SPF added that Singpass will never send QR codes through SMS, messaging apps like WhatsApp and other non-official messaging platforms.
SPF advised the public not to scan any Singpass QR code sent by someone else. Only Singpass QR codes found on official websites should be used.
Globally, despite the rise of highly sophisticated cyber attack methodologies, phishing remains the most common method used by cyber criminals to extract money from victims.
Singapore has witnessed a substantial rise in the number of phishing scams since the start of the Covid-19 pandemic.
A highly sophisticated SMS phishing scam involving OCBC Bank in December saw 470 people lose at least S$8.5 million when they clicked on the link provided in the SMS.
The fake SMS came to users’ phones in the same SMS thread that contained previous legitimate messages sent by the bank, including one-time passwords (OTPs).
This gave the message a high degree of legitimacy for the victims.
In January this year, SPF issued an advisory saying it tracked at least 1200 phishing scams since December 2021.
It warned of the re-emergence of a variant of phishing scams where scammers would apply for e-wallets with the information gathered from the victims.
In its January bulletin, SPF said victims would often receive unsolicited calls via messaging applications and would subsequently speak to callers who would claim to be from a government agency.
During the conversation with the scammers, victims would be asked to provide their personal information, banking credentials and one-time passcode for verification purposes or to assist in investigations.
Using the information, the scammers would then create an e-wallet in the victim’s name using applications, and top up the e-wallet through the victim’s bank account.