Phishing scams unmasked: What really happens from planning to their aftermath

Phishing scams do not take much time to pull off, which is why they are rampant nowadays

Phishing scams and attacks through emails and text messages have been intensifying in recent times. Often, the ones who fall prey to such scams are those who are less tech-savvy, like the elderly, or those who are unaware that such scams are happening.

Meanwhile, other customers fall for the deception because the phishing scams are just too realistic. In OCBC’s case, the SMS messages were spoofed and appeared in the bank’s official thread.

Preparation work bad actors do to plan phishing scams

As you can see, all of the aforementioned current phishing scams are localized, which means they are unique to Singapore. If the scammers are located abroad, they are most likely collaborating with someone local, or the team may be partially or totally local.

These persons must understand the typical flow of what a targeted victim should or would expect to go through when they visit a phishing scam website (under the impression that it is a legitimate activity); thus, the local person(s) here will supply that knowledge.


Phishing scams put up by bad actors are all over the internet

The time it takes to design a phishing scam website, and whether such websites can be taken down

There are open source or proprietary tools that scammers or hackers can use to clone any website’s frontend UI in under a minute. This type of software mimics the HTML/CSS code to make it look exactly like the original or targeted site.

The hacker only needs basic coding knowledge to create a forwarding script or backend that receives the credentials victims key in on the phishing site. The URL plays a critical role. For example, scammers can purchase domains that resemble the real OCBC banking site, www.internet.ocbc.com/internet-banking, such as www.internet-ocbc.com.sg, www.ibanking-ocbc.com, www.internet-ocbc.business, or www.internet-ocbc.finance, all of which were available for purchase at the time of writing.

Having an SSL certificate lends credibility to the site by displaying a padlock icon in the URL bar, and anyone can obtain a free SSL certificate online. The padlock only shows that the connection is encrypted, not that the site belongs to the bank.

Such phishing sites can be taken down by informing the original or targeted site owners, for example, OCBC. They will immediately contact the web hosting provider using legal procedures to remove such sites.

Reporting to the police or relevant agencies, such as MAS, is another option, but they will almost certainly notify the concerned party, in this case, OCBC. The Singapore Police Force, in collaboration with IMDA (at their discretion), can also prevent the specific site from being accessed from Singapore by requiring Internet Service Providers in Singapore to refuse their customers access to it.

It should be noted that scammers will also attempt to conceal their true identities, so the name and registration information are usually falsified, and payment is made with disposable debit cards or, for web hosting providers that accept it, with cryptocurrency.

To check whether the domains listed above are still available, go to www.namecheap.com and enter them.

Phishing scams target non-tech-savvy individuals who are susceptible to clicking on phishing scam websites

If the phishing scam website is taken down, scammers can still set up a new one in a short period of time

Scammers can point the URL to another hosting server, where the exact same site can be operational within a few minutes. Alternatively, scammers may have already purchased numerous similar domain names, a practice known as “domain parking,” which means that if the authorities have detected and blocked www.internet-ocbc.com.sg, the scammers can quickly activate www.ibanking-ocbc.com.

They only need to alter the hyperlink in their email or SMS to the recipients of such messages.
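Because the scammers can rotate through lookalike domains this quickly, blocking one URL at a time is not enough; a filter has to recognise the pattern. The following check is an added example, not part of the original article. It assumes ocbc.com is the bank's real domain (inferred from www.internet.ocbc.com/internet-banking above), and the function names and sample SMS are hypothetical. It also shows why a plain substring match is the wrong test: two of the lookalikes named in this article contain the string "ocbc.com".

```python
import re
from urllib.parse import urlsplit

# Assumption: ocbc.com is the bank's real domain, inferred from the article's
# www.internet.ocbc.com/internet-banking. "ocbc" is the brand token to watch.
LEGIT_DOMAINS = ("ocbc.com",)
BRAND_TOKENS = {"ocbc"}

# Loose pattern for links in an SMS or email body, with or without a scheme.
URL_RE = re.compile(r"(?:https?://)?[\w.\-]+\.[a-z]{2,}(?:/\S*)?", re.IGNORECASE)


def host_of(url):
    """Return the lower-cased hostname of a URL, with or without a scheme."""
    if "://" not in url:
        url = "//" + url  # lets urlsplit treat the first part as the host
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def naive_is_legit(url):
    """Weak check, kept for contrast: substring match on the hostname."""
    return any(d in host_of(url) for d in LEGIT_DOMAINS)


def classify(url):
    """Return 'legitimate', 'lookalike', 'unrelated' or 'unparseable'."""
    host = host_of(url)
    if not host:
        return "unparseable"
    # Legitimate only if the host IS the real domain or ends with ".<domain>",
    # i.e. the match falls on a DNS label boundary.
    if any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS):
        return "legitimate"
    # Brand name used as a label or hyphenated part of a foreign domain.
    if BRAND_TOKENS & set(re.split(r"[.\-]", host)):
        return "lookalike"
    return "unrelated"


def flag_message(text):
    """Return the links in a message body that classify as lookalikes."""
    return [u for u in URL_RE.findall(text) if classify(u) == "lookalike"]


# Constructed sample SMS, using a lookalike domain named in the article.
SAMPLE_SMS = ("OCBC: Your account is suspended. Verify at "
              "www.ibanking-ocbc.com/login to restore access.")
```

Calling `flag_message(SAMPLE_SMS)` returns the one lookalike link, while `naive_is_legit` wrongly accepts the same domain.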

Where does the money go, and is it difficult for the authorities to recover?

Once a scammer has stolen a victim’s login credentials and OTP, they can use this information to set up a digital token in another phone’s OCBC app to receive OTP, preventing the victim from receiving SMS.

The scammer can cheerfully and slowly add as many third-party accounts as payees as they like and begin transferring funds, keeping an eye on the daily limit and avoiding any activity that would cause an SMS to be sent to the victim’s phone.

Even if SMSes are delivered to the victim’s phone, such fund siphoning is often done in the early hours, when the victim is most likely sleeping.

Furthermore, even if a user calls the bank urgently on its 24/7 hotline for banking individuals, it may take a long time to connect, and by then, funds have already been transferred out or withdrawn at ATMs from those 3rd party accounts. The customer service officer on the helpline also requires specific approval to freeze or pause any funds transfer, giving scammers plenty of time.

Scammers will either withdraw money from such 3rd party accounts via ATM (while taking care not to let the ATM camera catch their faces), transfer money overseas via various fast remittance services, purchase cryptocurrencies and send them to new decentralized wallet addresses, or purchase expensive items from online stores.

Phishing scams are rampant. One must always be vigilant before clicking suspicious links.

How many people could be in the team to run such a scam?

It can be as simple as an OMO (One Man Operation) with the appropriate information or as complex as a syndicate of tens of people. There is an Operations department, a Technology department, a Marketing department, a Finance department, and a Cyber Security department, just as in a business.

Operations: Planning and execution of the various departments’ tasks, as well as the acquisition of victim credentials and an OTP to set up a digital token.

Technology: Web hosting, domain name acquisition, and mass email/SMS blasting software.

Marketing: Creating victim profiles and obtaining “leads” is simple with a dictionary attack on mobile phones or by purchasing mobile number databases.

Finance: In charge of preparing 3rd party/proxy bank accounts, typically by paying a fixed amount of money to debt-ridden individuals looking for “quick cash” in exchange for their existing or new bank accounts, or purchasing bank accounts and ATM login information from foreign workers who are returning to their home countries and no longer require their local bank accounts.

Cyber security: Utilizing forged credentials to sign up for required internet accounts, using a VPN to hide their IP address while conducting scams, and so on.

Tips to avoid falling for scams

Always call back the main hotline to confirm facts, looking up the contact information online yourself. Do not click on any links in SMSs or emails. The Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) have ordered banks to remove clickable links from emails and SMSs in the future.

Always double-check and double-verify URLs. If you receive a call from the authorities, ask for their name, designation, and department, as well as a publicly verifiable phone number where you may contact them back. Normally, they will terminate the call at this point.

SMS sender IDs, which we are all used to seeing on notifications, can easily be faked to show a recognized entity such as a bank, CPF, or the government. Always log in to your web account or mobile app separately to confirm any notifications.

If something appears to be too good to be true, it most likely is. Trust your instincts if something doesn’t feel right.
