The Singapore Police Force (SPF) has revealed that the country is witnessing a surge in parcel delivery phishing scams. Since 1 January 2024, at least 338 cases were reported, with total losses amounting to at least SGD 616,000. Of these 338 cases, at least 266 cases, with total losses amounting to at least SGD 495,000, involved impersonation of SingPost, an official news release said.
“In this variant, victims would receive a message purporting that a parcel delivery to the victim’s address had failed. The message would instruct the victim to click on a uniform resource locator (URL) to confirm their address. Victims who click on the URL would be directed to a phishing site which would prompt the victim to key in their credit/debit card details. Victims realise that they had been scammed when they notice unauthorised transactions on their credit/debit cards,” the SPF said, detailing the procedure used by scammers.
The SPF said it also noticed the abuse of online messaging applications such as iMessage and Rich Communication Services (RCS) to deliver these phishing messages.
Messages from these messaging applications would appear alongside legitimate SMSes in the victim’s mobile devices. While there are safeguards such as the SMS Sender ID Registry (SSIR) to protect public from spoofed SMSes, such protection does not extend to online messaging applications.
“Members of the public must be more vigilant against messages from unknown contacts appearing alongside SMSes in the same channel. Members of the public should stay alert against instances where they receive messages from unknown contacts through a group chat on such messaging applications, which would also appear alongside SMSes in the same channel. Group chats may be renamed to mimic legitimate Sender IDs used in SMSes, and thereby used by scammers to impersonate legitimate entities in such group chat settings,” the police said.
Also read: Scam victims in Singapore lose SGD 28,000 in OneMotoring e-mail phishing; police issue alert
Meanwhile, SingPost has clarified on its website that it will not send SMSes to request for any payment before delivery or personal information. SMSes from SingPost comes from the SMS Sender ID “SingPost” and will not contain clickable links. SingPost only receives payments made on the official SingPost mobile application, post offices, and SAM kiosks.