09/20/2024 | Press release | Distributed by Public on 09/20/2024 20:39
The Police would like to alert members of the public to a surge in parcel delivery phishing scams. Since 1 January 2024, at least 338 cases were reported, with total losses amounting to at least $616,000. Of these 338 cases, at least 266 cases, with total losses amounting to at least $495,000, involved impersonation of SingPost.
In this variant, victims would receive a message claiming that a parcel delivery to the victim's address had failed. The message would instruct the victim to click on a uniform resource locator ("URL") to confirm their address. Victims who click on the URL would be directed to a phishing site which would prompt the victim to key in their credit/debit card details. Victims would realise that they had been scammed when they noticed unauthorised transactions on their credit/debit cards.
In addition, the Police observed the abuse of online messaging applications such as iMessage and Rich Communication Services ("RCS") to deliver these phishing messages. Messages from these messaging applications would appear alongside legitimate SMSes on the victim's mobile devices. While there are safeguards such as the SMS Sender ID Registry ("SSIR") to protect the public from spoofed SMSes, such protection does not extend to online messaging applications. Members of the public must be more vigilant against messages from unknown contacts appearing alongside SMSes in the same channel. Please see illustrations below on messages sent out via iMessage and RCS:
Please see Annex for further details on how to distinguish iMessage and RCS from SMS.
Members of the public should stay alert against instances where they receive messages from unknown contacts through a group chat on such messaging applications, which would also appear alongside SMSes in the same channel. Group chats may be renamed to mimic legitimate Sender IDs used in SMSes, and thereby used by scammers to impersonate legitimate entities in such group chat settings. The image below shows an example of a group chat created by scammers on Android RCS designed to impersonate SingPost.
SingPost has clarified on its website that it will not send SMSes to request any payment before delivery or any personal information. SMSes from SingPost come from the SMS Sender ID "SingPost" and will not contain clickable links. Lastly, SingPost only receives payments made on the official SingPost mobile application, at post offices, and at SAM kiosks.
The Police would like to advise members of the public to adopt the following precautionary measures to avoid falling for scams:
If you have any information relating to such crimes or are in doubt, please call the Police Hotline at 1800-255-0000, or submit it online at www.police.gov.sg/i-witness. All information will be kept strictly confidential. If you require urgent Police assistance, please dial '999'.
For more information on scams, members of the public can visit www.scamalert.sg or call the Anti-Scam Helpline at 1800-722-6688. Fighting scams is a community effort. Together, we can ACT Against Scams to safeguard our community!
Annex
(Note: Some elements have been redacted for privacy)
How to differentiate between SMS and RCS messages on Google Messages
How to differentiate between SMS and RCS messages on iMessage