In a headline-making incident in December 2021, almost 470 OCBC bank customers lost approximately S$8.5 million to a phishing scam. The sophisticated attack was carried out via SMS, with customers instructed to follow a link to a fake website. They were asked to log in with their Internet banking details, and for some users, this included a one-time password (OTP). Within a short period of time, customers found their bank accounts drained of funds. Even as investigations are ongoing, there has been no guarantee that customers will be able to recover their cash and life savings.
Such attacks help stress the importance of people keeping their guard up against phishing attempts. These can come as emails, SMSes or other forms of communication. Here are some things to note, with a few steps to follow, to stay clear of phishing attacks.
So, what is phishing?
Phishing is a type of online scam where attackers ‘fish’ for personal information. This information is then used to impersonate an individual or a company. The most common forms of phishing are email and SMS phishing.
Phished, or stolen, data can include identity card and passport numbers, banking details, login IDs and passwords, and one-time passwords (OTPs). With this information, scammers assume the identities of people and companies to siphon off funds and carry out other fraudulent activities, such as taking out unauthorised loans and mortgages.
People often fall prey to scams because of the convincing appearance of scammers’ phishing tools. Perpetrators use copy-cat websites and messages that feature authentic designs, logos and details. These design elements are often lifted from legitimate websites. Unsuspecting recipients, who may think that they are taking action to secure their money or accounts, then click on URLs that serve to reveal their personal information. As the links are accessed, personal data is fed to and downloaded by scammers, in a process that is often instant, unstoppable and irreversible.
How do you stay clear of phishing attempts?
Adopt these precautionary steps and learn how to recognise the signs.
1. Take your time. Upon receiving an email or SMS, pause before responding or reacting to it. Approach incoming correspondence with a calm and clear mind, regardless of the urgency that the message implies.
2. Identify the sender. Is the sender a person or company that you recognise? Did you start the conversation, or does it feel like you’ve been contacted out of the blue? Cold emails should always raise your suspicions.
3. Scan for inconsistencies. Even if you do recognise the sender, make a habit of checking other details to verify their identity. Check that the sender’s name and email address correspond and are spelt correctly. Scammers make subtle changes, such as adding or removing single letters, to avoid raising alarm.
Email and SMS phishing messages also tend to carry urgency and cause panic. Always approach them calmly, while being sensitive to the way that they’re crafted. Spelling and grammatical errors are signs that the messages are not what they appear to be. A simple typo could clue you in immediately to an impending attack.
4. Verify URLs and avoid opening attachments. Just like spelling and grammatical errors, strange links often point to phishing attempts. Hover your mouse over URLs to see if they are masking odd addresses. If you feel the need to explore further, open a new browser window and type in the full, official address yourself. This helps ensure that you are aware of the legitimacy of the links and their related web pages.
Also, avoid opening any attached files. Only do so if you are certain of the sender and the authenticity of their message.
5. Think before you click. A malicious attack can begin as soon as you act on steps that are outlined in a phishing message. Therefore, it’s important to not rush any response. Avoid clicking on anything in an email or SMS, no matter the tone of urgency.
Government agencies and financial institutions often disseminate advisories that state that they will never solicit sensitive information through email, SMS or phone conversations. This should make you extra wary of messages that ask for urgent action.
If you’ve identified a phishing attack on a personal device, delete the message and clear your trash folder. If you’ve identified such a message on a company device, follow your organisation’s protocols on reporting and escalating the issue.
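Steps 3 and 4 can also be checked automatically, for example by a mail filter. The Python code below is an added example, not part of the original article: it flags a sender domain that is one letter away from a trusted one, and links whose visible text names a different site from the one they open. The trusted domains, sample message and function names are constructed assumptions.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"mybank.example", "gov.example"}  # constructed allowlist (assumption)
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
SAMPLE_FROM = "MyBank Alerts <alerts@mybannk.example>"  # constructed sample
SAMPLE_HTML = '<a href="https://login.verify-acct.example/x">https://mybank.example/login</a>'

def one_edit_apart(a, b):
    """True if b is a with exactly one character added, removed or changed."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    a, b = sorted((a, b), key=len)        # a is the shorter (or equal-length) string
    i = next((k for k, (x, y) in enumerate(zip(a, b)) if x != y), len(a))
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]     # one character changed
    return a[i:] == b[i + 1:]             # one character added to a

def imitated_domain(from_header):
    """Trusted domain that the sender's domain closely imitates, else None."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    hits = [t for t in sorted(TRUSTED) if one_edit_apart(t, domain)]
    return hits[0] if hits and domain not in TRUSTED else None

class LinkAudit(HTMLParser):  # records links whose text names a different host
    def __init__(self):
        super().__init__()
        self.href, self.text, self.masked = None, "", []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self.href is not None:
            self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            shown = HOST_RE.search(self.text)
            real = urlsplit(self.href).hostname or ""
            name = shown[1].lower() if shown else real
            if real and not ("." + real).endswith("." + name):
                self.masked.append((name, real))   # text says `name`, link opens `real`
            self.href = None

def masked_links(html):
    audit = LinkAudit()
    audit.feed(html)
    return audit.masked
```

For the constructed samples, imitated_domain(SAMPLE_FROM) reports mybank.example as the imitated sender, and masked_links(SAMPLE_HTML) reports that text showing mybank.example actually opens login.verify-acct.example.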
Prevention is better than cure
Here are some tips to shore up your defence against phishing attacks.
- Be more conscientious and security-minded when you use the Internet. You are your own strongest line of defence. At the first detection of anything suspicious, report it as spam or junk. If you have contact with the person or entity that is being impersonated, you may wish to notify them as well. Look for IT helpdesk channels (if available) to escalate issues in the most efficient way.
- Keep your system’s security software updated. If you’re on a personal device, such as a mobile phone or tablet, be sure to heed those update alerts. Delaying the installation of patches can leave you vulnerable to newer malware and scamming technology.
- Activate multi-factor authentication (MFA). MFA, which includes OTPs, acts as additional protection for your personal information. Never reveal your MFA details to anyone.
The high cost of phishing attacks in Singapore
From January to June 2021, 20,000 cases were reported, covering loan, e-commerce, job and investment scams and more, leading to a total loss of S$168 million. Among the trends analysed, Singaporean police found that cyber criminals had targeted people who were feeling anxious and vulnerable in the Covid-19 situation. The scams were carried out over email, SMS and WhatsApp, as well as on social channels such as TikTok and Tinder.
The reach of scammers is wide and unlimited, affecting even the savviest users of modern technology. So, smarten up and be on the alert to keep the phishing attempts at bay.