Phishing in Singapore: A 49% Surge and What the Data Reveals
Phishing remains the most prevalent cybersecurity threat facing Singapore. According to the Cyber Security Agency's Singapore Cyber Landscape 2024/2025 report, phishing attempts rose by 49% compared to the previous year. The scale and sophistication of these attacks have made them a focal point for both regulators and organisations across the city-state.
The Anatomy of a Phishing Attack in Singapore
Phishing campaigns in Singapore predominantly target individuals through email, SMS (smishing), and messaging applications. The CSA's data indicates that attackers commonly impersonate:
- Local banks — DBS, OCBC, and UOB remain the most spoofed institutions. Messages typically claim account suspensions or unusual transactions, directing recipients to credential-harvesting pages
- Government agencies — Singpass, IRAS (tax authority), and CPF Board notifications are replicated with high visual fidelity
- Delivery services — SingPost and international courier impersonation tied to parcel delivery scams
- E-commerce platforms — Lazada, Shopee, and Carousell used as lures during peak shopping periods
The most common tactic involves creating near-identical replicas of legitimate login pages. URLs typically differ from authentic domains by one or two characters, a technique known as typosquatting. The CSA has documented cases where phishing domains were deployed within hours of being registered, then taken down within 24-48 hours to evade detection.
Why the 49% Increase
Several factors contributed to the documented increase in phishing volume during 2024:
- AI-assisted content generation — Phishing emails have become more linguistically polished, eliminating the grammatical errors that previously served as warning signs
- Expanded digital surface area — Singapore's high smartphone penetration (over 92%) and widespread adoption of digital banking created more potential entry points
- QR code phishing (quishing) — A newer vector where malicious QR codes redirect to phishing pages, reported in food courts, public transport stations, and physical mailers
- Credential stuffing from prior breaches — Leaked credentials from international data breaches used to craft targeted spear-phishing messages with personal details
Documented Identification Methods
The CSA's "Better Cyber Safe Than Sorry" campaign outlines specific checks for identifying phishing attempts:
- Verify the sender's actual email domain (not just the display name) by hovering over or long-pressing the address
- Check URLs before clicking — legitimate Singapore government sites use .gov.sg domains exclusively
- Be wary of urgency language such as "immediate action required" or "account will be suspended"
- Legitimate organisations do not request OTPs, passwords, or full NRIC numbers via email or SMS
- Cross-reference messages against the organisation's official app or website by navigating directly, not through provided links
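The URL check above and the one-or-two-character typosquatting described earlier can be automated in a mail or proxy filter. The following is an added example, not CSA code: the allow-list, the fictional `lionbank.example` domain and the sample URLs are constructed, and matching on dot-aligned suffixes stands in for a full public-suffix lookup.

```python
from urllib.parse import urlsplit

# Constructed allow-list (assumption): one government service plus a
# fictional bank on the reserved .example TLD.
TRUSTED = ("singpass.gov.sg", "lionbank.example")


def host_of(url: str) -> str:
    """Return the host a client would actually contact, lower-cased."""
    if "//" not in url:
        url = "//" + url  # let urlsplit treat scheme-less input as a netloc
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, max_edits: int = 2) -> str:
    host = host_of(url)
    labels = host.split(".")
    # Dot-aligned suffixes of the host: a.b.c -> a.b.c, b.c, c
    suffixes = [".".join(labels[i:]) for i in range(len(labels))]
    if any(s in TRUSTED for s in suffixes):
        return "trusted"
    if "gov.sg" in suffixes:
        return "gov.sg"
    for good in TRUSTED:
        if f".{good}." in f".{host}":
            return f"embeds:{good}"  # trusted name placed in front of another domain
        if any(0 < edit_distance(s, good) <= max_edits for s in suffixes):
            return f"lookalike:{good}"  # one or two characters off
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real campaign.
    for sample in ("https://www.iras.gov.sg/",
                   "https://singpass.gov.sg.account-check.example/",
                   "https://login.lionbannk.example/",
                   "lionbnak.example/login"):
        print(f"{classify(sample):32} {sample}")
```

A host that merely contains `gov.sg` is not a `.gov.sg` site; only the suffix match counts, which is why the second sample is flagged rather than accepted.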
Post-Compromise Response Protocol
For individuals who have entered credentials on a suspected phishing site, the sequence recommended by CSA and the Singapore Police Force is:
- Immediately disconnect the device from the internet
- Change passwords for the compromised account and any accounts sharing the same password
- Enable two-factor authentication (2FA) on all critical accounts — email, banking, and government services
- Contact your bank immediately if financial credentials were entered
- Check login history across accounts for unauthorised access
- Call the ScamShield Helpline at 1799 (24/7) to report the incident
- File a police report if financial loss has occurred
SME-Specific Measures
The 2026 best practices for small and medium enterprises documented by industry bodies in Singapore include:
- Deploy advanced email filtering with URL and attachment scanning
- Implement domain-based message authentication (DMARC, SPF, DKIM) on corporate email
- Conduct quarterly phishing simulation exercises for all employees
- Maintain a zero-trust security posture — authenticate every user, device, and application regardless of network location
- Require multi-factor authentication for all business applications, VPN access, and administrative accounts
According to CSA data, organisations that conducted regular phishing simulations reported 40% fewer successful credential compromises compared to those without simulation programmes.
Scale of Financial Impact
The Singapore Police Force reported that scam-related losses exceeded S$660 million in 2023, with phishing contributing a substantial portion. While 2024 data is still being compiled, the 49% increase in attempt volume suggests the financial impact has continued to escalate. The banking sector's introduction of the Shared Responsibility Framework in December 2024 redistributes liability between financial institutions, telecommunications companies, and consumers in cases involving phishing.
Content last reviewed: March 28, 2026