What are phishing/smishing scams?
Phishing – a method used by scammers to obtain confidential information such as your NRIC details, credit card numbers, One-Time Passwords (OTPs) and login credentials through the internet so they can make unauthorised transactions.
Smishing – also known as SMS phishing, this is a common form of phishing attack carried out by scammers over mobile text messaging.
The scammers typically try to connect with targeted members of the public via messaging applications such as WhatsApp, Viber, WeChat, FB Messenger, etc. and will request personal information, credentials and one-time passwords (OTPs) under the guise of ‘verification purposes’ or ‘assisting in investigation’.
Phishing is usually conducted via official-looking email messages or SMSes that appear to come from legitimate organisations. Such emails and SMSes typically contain a hyperlink to a spoof website and mislead account holders into entering credentials and security details on the pretext that security details must be updated or changed.
There has been a recent rise in SMS phishing scams targeting customers of financial institutions (FIs). Scammers impersonate the FI using fraudulent links.
Example of a phishing email:
An email with spoofed headers or fictitious email addresses may appear to be sent from Etiqa Singapore and include links to unfamiliar websites. This is likely to be a phishing attempt and is not sent by Etiqa Singapore even though it may appear in the same thread as the legitimate email.
Example of an SMS phishing scam:
Also known as smishing, SMS scams are carried out via SMS spoofing techniques where the SMS sender information appears to be from legitimate organisations. These fake SMSes often contain links to fraudulent websites that resemble the website of the organisation the scammers are impersonating.
Sometimes, the fake messages may even appear within an existing legitimate SMS thread from a financial institution. Do not click on any URL links in the SMS Alert without checking their authenticity first, even if they appear in an existing SMS conversation with a legitimate organisation. If in doubt, type the link directly into your browser address bar.
Please note that Etiqa will not ask customers to unlock or change their password via SMS. Please call Customer Care at +65 6887 8777 or submit a form at https://www.etiqa.com.sg/contact/ if you are in doubt.
|Check and verify|Take preventive measures|Report immediately|
|---|---|---|
|Always verify the authenticity of the information with the official Etiqa website URL www.etiqa.com.sg. You may also verify the authenticity of the information with official websites or sources like https://www.scamalert.sg.|Do not respond to requests to perform any transaction to unknown account numbers. To block unsolicited messages and calls (only available on iOS devices), download the ScamShield mobile app developed by the Singapore Police Force and the National Crime Prevention Council.|If you suspect that you have fallen victim to a scam, change your password immediately. Call +65 6887 8777 or email us at firstname.lastname@example.org to report any unauthorised transactions made to your account(s) and lodge a police report.|
- International calls – Be wary of unexpected international calls, especially those that are allegedly from local organisations. All international calls will come with a ‘+’ prefix, and yes, that includes numbers starting with ‘+65’, which are likely spoofed local numbers.
- Email address/phone number – Always look at the address or number instead of just the sender name. Is the email address from the official domain of the alleged sender? If it isn’t, it is most likely fake. Also, do not call or reply to unofficial telephone numbers provided in unsolicited emails and text messages. Always verify the authenticity of the information with official websites or sources.
- Unsolicited SMSes – Some scammers use fake SMSes (e.g. job ads, lucky draw wins, etc.) for social engineering or to trick victims into divulging confidential account and internet banking information.
- Urgent messages – Don’t be too quick to act on urgent or threatening language. Scammers will try to make you act fast without thinking by using phrases like “urgent action required” or “your account will be terminated”.
- Bad grammar – Is the email or SMS poorly written and filled with typos? No official communications will be riddled with grammar mistakes. The same applies to websites as well.
- Suspicious links – Hover over the link to check the URL address. Does it match the context of the email? Is it from a legitimate domain, e.g. does the URL start with the bank’s official website domain? Is it a secured website that starts with https://? Many fake websites have slight spelling differences from the real domain name. If unsure, go via the official website or app instead of clicking through.
- Unsolicited attachments – Legitimate sources don’t usually send attachments that you did not ask for. You should also look out for attachments ending in .exe or .zip, which could be malware.
- Confidential information – Never disclose your banking or card credentials such as username, password, One-Time Password (OTP) or Card CVV numbers to anyone.
- Passwords – When creating your passwords, use a complex combination of letters and numbers, perhaps the one suggested by your computer. You can store your passwords securely with a good password manager.
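
The domain check from the "Suspicious links" tip, as an added example (not Etiqa's code): it compares the link's hostname, rather than the start of the URL text, against the official domains named on this page, checks for https, and flags near-miss spellings. The function names, the edit-distance threshold of 2 and the sample URLs used to exercise it are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Official domains named on this page; extend the tuple for other organisations.
OFFICIAL_DOMAINS = ("etiqa.com.sg", "scamalert.sg")

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(url):
    """Return official, official-not-https, lookalike, unofficial or invalid."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return "invalid"
    # A full http(s) URL is required; bare text without a scheme is rejected.
    if parts.scheme not in ("http", "https") or not host:
        return "invalid"
    # Match the whole hostname or a true subdomain, never a text prefix.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official" if parts.scheme == "https" else "official-not-https"
    labels = host.split(".")
    for d in OFFICIAL_DOMAINS:
        # Official name embedded inside a different host (threshold-free check).
        if d in host:
            return "lookalike"
        # Near-miss spelling of any label-aligned suffix of the host
        # (threshold of 2 edits is an assumption, tune for your domains).
        for i in range(len(labels)):
            if edit_distance(".".join(labels[i:]), d) <= 2:
                return "lookalike"
    return "unofficial"
```

A result of "lookalike" or "unofficial" means the link should not be followed; go to the official website or app directly instead.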