Phishing Scams: Fake Pages Built to Steal Your Logins
Phishing is the practice of tricking you into entering sensitive information — passwords, OTPs, card numbers — on a page that looks legitimate but is controlled by a scammer.
Modern phishing is convincing: cloned branding, near-identical URLs and real-time prompts for your OTP. The reliable defence is to never reach a login page by clicking a link in an unexpected message, and to never share an OTP.
How the scam works
- 1You receive an email, SMS or chat message warning of a problem with an account and urging immediate action.
- 2A link leads to a fake page that mirrors a bank, government or popular service.
- 3You enter your username and password, which the scammer captures instantly.
- 4The fake page then asks for an OTP, which the scammer uses in real time to log in or authorise a transfer.
- 5You may be shown a fake success screen while the scammer drains the account or changes your credentials.
Common warning signs
- Unexpected messages creating urgency or fear about your account.
- Links with subtle misspellings or unusual domains rather than the official website.
- Pages asking for your password and OTP together, or for full card details.
- Generic greetings, odd grammar, or branding that looks slightly off.
- Requests to disable security features or to confirm an OTP by reading it aloud.
Real-life examples
The following scenarios are fictional and generalised for illustration only.
The account suspension email
An email warns that a bank account will be suspended unless verified within an hour. The link opens a page identical to the bank's. After entering the login and an OTP, the victim sees a maintenance message while funds are transferred out.
The Singpass look-alike
A message claims a government payout is pending and links to a page resembling a national login. The victim enters credentials, which the scammer uses to access real services and apply for facilities in the victim's name.
How to protect yourself
- Never log in via links in emails or messages; open the official app or type the address yourself.
- Treat your OTP like a key — never enter it on a page you reached by clicking a link, and never read it to anyone.
- Check the exact domain name; scammers use look-alikes with extra words or letters.
- Enable multi-factor authentication and use a password manager that only autofills on genuine domains.
- Bookmark the real websites of your bank and key services and use those bookmarks.
- Report suspicious emails and delete them rather than engaging.
What to do if you become a victim
- 1Change the password for the affected account immediately, and any other account using the same password.
- 2Contact the service or bank to report the compromise and freeze transactions.
- 3Enable or reset multi-factor authentication.
- 4Watch for follow-up scams using the data you entered.
- 5Lodge a police report and call 1799.
Frequently asked questions
Explore our financial education resources
Borrow smart and stay safe. Compare loan options through a trusted platform, and read our guides on responsible borrowing in Singapore.
Related articles
WhatsApp & SMS Scams: Hijacked Accounts and Spoofed Messages
From account-takeover codes to spoofed sender IDs and malicious links, learn how messaging scams operate and how to lock down your accounts.
ReadCredit Card & Banking Scams: Protecting Your Money and Cards
Fake bank alerts, card-not-present fraud and unauthorised transactions explained, with practical steps to secure your accounts.
ReadIdentity Theft: Protecting Your NRIC, Singpass and Personal Data
When criminals misuse your NRIC, Singpass or personal data they can open accounts and take loans in your name. Learn to prevent and respond.
Read