Phishing Scams Targeting Bank and MyInfo Accounts in Singapore
Singapore residents are targeted by phishing attacks impersonating DBS, OCBC, UOB, Singpass, and CPF, using SMS spoofing and fake login portals to harvest banking credentials and MyInfo personal data.
Part of: Phishing
Last reviewed: 1 June 2026
Singapore has a highly digitised banking and government services ecosystem — features that make phishing particularly effective. The Singpass digital identity system, CPF online portal, and internet banking for major local banks represent high-value targets because compromising one can cascade across multiple government and financial services.
The Singapore Police Force and MAS issue joint advisories regularly about phishing campaigns. The OCBC phishing case — in which dozens of customers lost millions in a single campaign — prompted significant regulatory action on SMS sender ID protection and cooling-off periods for high-risk banking transactions.
How this scam works on Singapore
Victims receive SMS messages appearing to come from DBS, OCBC, or UOB — sometimes in the genuine bank's SMS thread due to sender ID spoofing. The message warns of a suspicious transaction or account restriction and provides a link to resolve it. The link leads to a convincing clone of the bank's login page.
Singpass phishing targets users with fake prompts to verify their identity for CPF transactions, grant scheme applications, or SkillsFuture claims. Entering Singpass credentials gives attackers access to tax records, medical data, and linked financial accounts.
Fake MAS investment scam warnings paradoxically serve as a new phishing vector: criminals send SMS claiming to be MAS alerting the victim to a suspicious transaction, with a number to call. The callback line is staffed by scammers who harvest credentials.
Common red flags
- Bank SMS with a login link, even if it appears in the bank's genuine message thread
- Singpass login prompt arriving via SMS or email rather than the official Singpass app
- Caller claiming to be MAS or CPF asking for account credentials or OTP
- Login page whose URL has a slight variation from the bank's official domain
- Request to authorise a transaction by clicking a link rather than within the bank's official app
How to protect yourself
- Access all banking and government services only through official apps downloaded from the App Store or Play Store
- Enable Singpass Face Verification and two-factor authentication for all government digital services
- Never click links in SMS messages claiming to be from your bank — call the number on the back of your card
- Register for your bank's transaction alert service with low threshold amounts
- Report suspicious SMS to the Singapore Police Force at police.gov.sg/iwitness
How to report it
- Report to Singapore Police Force at police.gov.sg/iwitness or call 999 for urgent cases
- Contact the Anti-Scam Helpline at 1800-722-6688
- Report phishing sites to the Singapore Cybersecurity Agency at csa.gov.sg
Frequently asked questions
What is Singpass and why is it targeted by phishing scammers?
Singpass is Singapore's national digital identity system, providing access to over 2,000 government and private sector services including CPF, tax filing, MyInfo, and healthcare records. Compromising Singpass credentials gives attackers access to a wide range of sensitive personal data and financial accounts — making it a high-value phishing target.