SINGAPORE: The Singapore Police Force recently issued two advisories to warn the public regarding phishing scams where victims have lost over S$300,000.
One scam targets people who frequent Carousell and Facebook; the other involves scammers impersonating the Inland Revenue Authority of Singapore (IRAS).
The Police said on Dec 19 that in a resurgence of fake buyer phishing scams on the two online platforms mentioned, at least 132 victims have lost at least $314,000 this month alone.
The modus of fraudsters perpetuating this scam is for them to pretend to be buyers, contacting sellers in Carousell or Facebook to feign interest in the items they post for selling.
When the fake buyer “agrees” to the sale, the vendors are sent a malicious URL link or QR code via email, in-app messaging or WhatsApp, supposedly to facilitate the buyer’s payment for the sale or for courier services such as Lalamove so the item can be delivered.
Vendors, however, who click on the links or scam the QR codes the scammers send end up getting redirected to a spoofed website. They are then asked to key in their internet banking login credentials, credit card details and/or One-Time Password (OTP), and the victims of these scams then realise that they’ve been tricked or cheated after they discover unauthorised transactions made from their bank accounts or cards.
On Dec 20, the Police said that scammers who pretend to be from the IRAS have managed to scam at least 10 victims who lost at least S$9000.
Fraudsters posing to be from IRAS have sent unsolicited emails telling people they are eligible for refunds due to prior overcharging of payments. The would-be victims are then sent an online link to a phishing website masquerading as the IRAS website.
They select their preferred refund method through a debit or credit card. The victims then provide their bank card details and One-Time Passwords (OTPs) on the phishing website.
Like the fake buyer scam victims, they would only discover that they had been scammed when they were later notified of unauthorised transactions made on their debit or credit cards.
As a precaution, the Police have asked the public to add the ScamShield App and security features. No one should ever use personal or banking credentials, including Time Passwords (OTPs), to anyone.
They added and underlined the importance of looking out for tell-tale signs of a phishing website.
Scams should also be reported immediately to the Police Hotline at 1800-255-0000 or via online submission at www.police.gov.sg/iwitness.
Read also: Scam victims lose $560K to parcel delivery phishing schemes /TISG