24 May 2018
Singapore, 24 May 2018… The Monetary Authority of Singapore (MAS) alerts the public to fraudulent emails impersonating MAS that attempt to get recipients to divulge their bank account IDs and passwords. Members of the public are advised not to click on the links in these emails or divulge any personal information including login IDs or passwords.
These emails claim that banks in Singapore have come under attack by hackers. They contained a link to a fake MAS website. The recipients are then asked to provide details of their bank accounts, including IDs and passwords. Please see Annex A for screen shots of these emails and fake websites.
MAS does not and will not ask bank customers to provide or verify their bank account information. If members of the public receive any unsolicited emails or letters purportedly from MAS requesting for bank account information, they should report to MAS at webmaster@mas.gov.sg.
For more tips to guard against phishing activities, please refer to the MoneySENSE website: http://www.moneysense.gov.sg/Understanding-Financial-Products/Banking-and-Cash/Things-to-Watch-Out-for/Phishing.aspx. (The tips are also appended in Annex B for reference.)
***
Annex B
Tips on how to avoid phishing attempts
What is phishing?
Phishing is a way of obtaining sensitive personal information such as one’s banking account details, PIN, one-time passwords (OTP), credit card number, user ID or password through the Internet, in order to perform unauthorised banking transactions.
The most common phishing method is a spoofed email purporting to be from an FI, credit card issuer or service provider. The emails usually use the following tactics to get the consumer to release their personal information:
· "Your account is currently being updated as we are introducing a new security system. Follow the instructions below to reactivate your account."
· "Your credit card is the subject of a police investigation for fraud. Please follow the instructions below."
· "Our records indicate that payment for your Internet account is due. We are also currently introducing a new e-payment service. Please follow the instructions below."
· "You are the lucky winner of our lucky draw. Please submit your credit card details so that we can verify your identity."
The phishing emails typically contain URL links, which when clicked, direct the consumer to fake webpages (e.g. a login page) which mimic the websites of legitimate FIs. These fake webpages are often used by perpetrators to harvest the sensitive personal information belonging to consumers. The webpages may also contain malware aimed at infecting consumers’ computing devices.
Steps to protect against phishing
Below are some quick tips that can help identify potential phishing attacks, as well as best practices that consumers can adopt to guard against phishing attempts:
· Your bank will never send you emails asking you to divulge any confidential or personal information.
· Never reveal your PIN or OTP to anyone. No bank would ever ask you for your PIN or OTP (via email or phone) for whatever reason.
· Do not click on any link to log on to bank websites or open attachments in emails purportedly sent to you by your bank, credit card issuer or service provider. Instead, always enter the full URL or domain name of your bank or credit card issuer into your browser address bar. If you are unsure of the web address, contact your bank for the information.
Check your bank's website regularly for more information on announcements and advisories related to Internet security.