Understanding phishing so you can avoid becoming a victim.

 

Phishing is a method used to trick victims into giving out their personal and financial information including password, One-Time Password (OTP) or bank account numbers, shared Jason Chng, assistant director, regulations division, Cyber Security Agency of Singapore (CSA). He disclosed this during a People’s Association Wanted #StayHome Webinar Series on “Why people fall prey to phishing and how to protect yourself”.

Cyber criminals will disguise themselves as an individual or a reputable organisation such as a government agency in an e-mail, instant messaging or other communication channels. Once they obtain your personal details, they can then gain access to your online accounts and impersonate you to scam your contacts.

Chng added that phishing cases are on the rise in Singapore with 47,000 Singapore-hosted phishing links detected in 2020 as compared with 16,100 in 2018. “The year 2020 saw a surge in Covid-19-related phishing campaigns. COVID-19 themes very likely accounted for over 4,700 of malicious links. These links spoofed local entities and services, and were in greater demand during the circuit breaker period which included online retail and payment portals.”

 

How do criminals trick you?

He further shared that the scammers are able to trick victims as they tap into the fears people have to such a degree that they are unable to carefully discern the signs of scam e-mails. They send these e-mails that appear to be from legitimate organisations and authorities to trigger fear and this reduce our ability to think logically. “They catch us off guard mentally. Research shows phishing activity tends to be high around lunch breaks, early afternoon and end of the work week.”

Chng added that the scammers make use of how we tend to be very responsive and compliant to government or credible experts so check carefully before you click on links. We also let our guard down with people we know or like. Be wary of unusual requests from your friends as their accounts may have been hacked. And, if an item is limited, we are extremely responsive as we hope to get the deal. Also, if someone gives (or promises to give) us something, we are more willing to give something in return and if you have already committed to paying for something, you are more likely to follow up.

 

Spot the six signs

He shared six signs on spotting a phishing scam:

• Mismatched and misleading information – Study the information on the e-mails and websites closely. For e-mails, look out for a sender’s e-mail address that may look similar to a company’s official e-mail address. Hover your mouse over the links to view the actual URL. If you are using a mobile, long-press the link to display the actual URL and be careful not to tap and open the link. For websites, take a note of the URL. Cyber criminals create websites that are similar to the actual site and often use tricks such as substituting letters such as www.paypa1.com instead of www.paypal.com. Chng said to not trust links or e-mail addresses that claim to be from the government but do not have “gov.sg” in them, unless you are already familiar with them. There is an official link shortener (https://go.gov.sg) used by government agencies. Be watchful also of bad grammar on websites.
• Unexpected e-mails – If you receive an unexpected e-mail about an invoice for an item you did not purchase, do not click on the links and attachments. Delete the e-mail immediately.
• Use of urgent or threatening language – By pressuring you to reply quickly, criminals hope to instil panic and fear to trick you into providing confidential information. Be wary of e-mails with phrases such as ‘urgent action required’ or ‘your account will be terminated’.
• Suspicious attachments – Cyber criminals include attachments in e-mails as a method to infect user’s device with malware and steal data. It may be instinctive to open attachments we receive but it is important to exercise caution. Look out for suspicious attachment names and file names such as .exe.
• Promises of attractive rewards – False offers of amazing deals or unbelievable prizes are commonly used to encourage you to act immediately. Remember – if it sounds too good to be true, it probably is.
• Requests for confidential information – Most organisations will never ask for your personal or financial information to be sent over the Internet. If you receive such a request, it should raise a red flag immediately. When in doubt, contact the organisation or company directly to clarify.

 

Chng shared that  if you receive a phishing message, call or e-mail, ignore and delete it. Do not click on any attachment or link in the message. Should you receive an unsolicited ad or message to follow some instructions urgently, do not panic. Call your family members or friends for advice, visit Scam Alert (www.scamalert.sg) or call the Anti-Scam hotline at 1800-722-6688 for scam-related advice.

If you inadvertently clicked on a phishing link, take the following actions:

• Change the password for your banking account immediately, including all other accounts using this password.
• Alert the bank if you revealed credit card details.
• Monitor your account for unauthorised withdrawals or purchases.
  • Make a police report if any funds go missing.
• Use an anti-virus software such as McAfee and others to scan your system.
• Go to CSA’s SingCERT website – www.csa.gov.sg/singcert/reporting – if you wish to submit an incident report.

** For more cyber tips, download SG Cyber Safe Seniors Handbook at www.csa.gov.sg/sgcybersafeseniors.

 

(** PHOTO CREDITS: DHL and SingPost screenshots from Singapore Police Force website on police advisory on phishing scams involving e-mails and text messages; How to spot graphic from the Cyber Security Agency of Singapore)