Singapore
Singapore
Sales season is starting – but do you know what online scams to look out for?
A woman opening a package. (File photo: iStock/Lim Weixiang)
This audio is AI-generated.
SINGAPORE: November is the start of sales season – Singles’ Day, Black Friday and Cyber Monday, followed closely by 12.12 and Christmas sales in December.
The rush of online purchases can also make it prime season for scammers who run parcel delivery phishing schemes.
Since October, at least 25 people in Singapore have lost about S$38,000 (US$28,000) in such scams, according to a police advisory on Nov 1.
Victims of these scams receive text messages or emails designed to look like official communications from postage and logistics companies.
The spoofed messages ask victims for additional payment to get their purchases delivered.
Those who click on phishing links in the messages are led to a spoofed website to key in their personal and banking details. These are then used for unauthorised money transfers.
If you take only one thing away, let it be this: Adopt a “never trust, always verify” attitude as a consumer, said Mr Ian Lim, Palo Alto Networks’ field chief security officer for Asia Pacific and Japan.
Here’s how to avoid getting phished while waiting for your deliveries.
It’s worth checking how the company delivering your purchase communicates with customers. If they have a mobile app, download it for official updates on the delivery.
For example, SingPost stopped sending SMS alerts last February, so if you receive any message about a delivery, it’s fake.
SingPost only sends an SMS for one-time PIN codes, digital queues at the post office and customer service follow-up in selected cases.
Delivery updates are pushed out through notifications on the SingPost mobile app. The company also sends emails.
Despite phasing out SMS alerts, SingPost told CNA that it still receives reports from customers of phishing messages that spoof it.
Some couriers, like Ninja Van, contact customers through bots on social messaging platforms like Facebook Messenger, Telegram or Viber.
They may also communicate through verified social media and WhatsApp accounts.
Take some time to assess the authenticity of a communication before clicking a link or taking any other action.
For SMS, all organisations that use sender IDs are required to register with the Singapore SMS Sender ID Registry. Look out for the “Likely-SCAM” label given to non-registered sender IDs. If there’s a phone number, look out for a country calling code outside of the expected region.
For email, examine the web domain of the sender’s email address. It should be the company’s official domain. Look out for typos in the domain and free email services like gmail.com or yahoo.com, which are red flags.
One quick way to check a suspicious email is to copy its email subject and search for it online with quote marks around it and the word “phishing”, said Palo Alto’s Mr Lim.
“Most likely, you’re not the first person to be phished by the scammer and you will see (many search results) indicating that this is a phishing email,” he said.
Phishing emails are typically automated and use generic greetings instead of addressing you by name. Check also for phrasing, grammar or spelling errors in the email text.
If in doubt, check the delivery company’s website. Some have dedicated anti-scam webpages listing their legitimate sender IDs and web domains, and calling out fraudulent ones.
In general, be wary of messages or emails that claim to be urgent, or contain unusual requests. Phishing emails will typically ask you to do something without delay, said Mr Lim.
You can independently verify the request by calling the organisation, or logging into your account in the usual way and checking your message inbox there.
A fraudulent SMS will often contain a shortened URL to hide the final destination of the link.
Before clicking, hover your mouse over the link to preview the URL, said Mr Lim. Check that the link destination matches the link that is displayed, and that it is a legitimate website.
Look out for “https://” at the start of the URL and a padlock symbol in the address bar when the URL is entered.
This indicates that Secure Socket Layer (SSL) encryption is in place, which most legitimate organisations would use for sensitive transactions, said Mr Lim.
“If there’s no other alternative, click on the link on an iPad or an Android tablet. The reason for this is that most malicious links are designed to exploit the Windows operating systems,” he said.
“If the target system is not a Windows machine, the malware will not be able to run the exploit.”
The use of clickable links in messages by government agencies is under review in Singapore. For now, some delivery companies still use clickable links, and this is a practice that scammers exploit.
One company, DHL Express, cited convenience as the reason why it still sends clickable links, in addition to alerts from its mobile app.
“Phishing scams are indeed a concern, which is why we take necessary measures to address the issue rather than removing clickable links,” it said.
You’ve endured the wait and your package is finally arriving. If you’ve chosen to pay when the delivery is made, be careful of cash-on-delivery scams. 
According to Ninja Van Singapore’s head of commercial Kooh Wee Hou, this involves scammers sending cash-on-delivery parcels that are assigned to third-party logistics providers.
The logistics provider delivers the parcels accordingly. This lures victims to pay for items that they did not buy, or that are below their expectations.
Mr Kooh said Ninja Van drivers have been briefed on how to handle rejected cash-on-delivery parcels, and to advise the public when they come across suspicious parcels during delivery.
Look out for deliveries of items that you haven’t actually bought, as well as suspicious parcels or payment requests.
While SingPost said demand for its cash-on-delivery service is “very low”, Ninja Van said migrant workers dormitory areas have the highest percentage of issues with such parcels.
Be among the first to know the Breaking news
This service is not intended for persons residing in the E.U. By clicking subscribe, I agree to receive news updates and promotional material from Mediacorp and Mediacorp's partners.
Copyright© Mediacorp 2023. Mediacorp Pte Ltd. All rights reserved.
We know it’s a hassle to switch browsers but we want your experience with CNA to be fast, secure and the best it can possibly be.
To continue, upgrade to a supported browser or, for the finest experience, download the mobile app.
Upgraded but still having issues? Contact us

source