[Singapore] Police advisory on phishing scams involving fake buyers
The Singapore Police Force (SPF) have observed an increase in a phishing scam variant involving fake buyers on Carousell. Scammers would pose as buyers on Carousell and victims would be asked to key in their banking details on spoofed websites to facilitate payment or delivery.
Users are advised to be wary of buyers asking for an email address or phone number on the pretext that these details are required for the buyer to make an order through Carousell Protection. Carousell will never ask for payment, order confirmation, or card details via external sites or email.
The scammers approach in this variant (images presented in Annex A):
- Scammers would approach victims on Carousell and express interest in items that the victims had listed on the platform
- After agreeing to the sale of the items, the scammer would request for the victims’ contact details to receive a link to facilitate payment or delivery of the item.
- Depending on the contact details provided by the victims, victims would then receive an email, SMS or WhatsApp message from the scammer with dubious URL links or QR codes (e.g. cutt.ly/31uXCDu, carousell.quick-funds.in/266780736).
- Upon clicking on the links or scanning the QR codes, victims would be redirected to a spoofed website to provide their internet banking login credentials, bank card details and/or One-Time Password (OTP). Victims would realise that they had been scammed when they discovered unauthorised transactions made from their bank accounts/cards.
Users advised to note and follow these crime prevention measures:
- Always verify the buyer’s profile on online marketplaces by checking the account's verification status, creation date, reviews, and ratings;
- Do not click on dubious URL links and always verify the URL links. Only domains that end with carousell.com or carousell.sg are Carousell domains. URLs such as carousellpay.com,carousell.xxx.com, carousell-pay.com, carousell.pay-sg.com are NOT Carousell domains. Carousell does not send links via SMS, and would only send OTPs via SMS. This OTP should only be keyed into the Carousell application or webpage;
- If in doubt, always verify the authenticity of the information with the Carousell directly;
- Never disclose your personal or internet banking details and OTP to anyone;
- Report any fraudulent transactions to your bank immediately; and
- Report any suspicious user and fraudulent transaction from the online marketplace to the Carousell.
If you have any information relating to such crimes or if you are in doubt, please call the Police Hotline at 1800-255-0000, or submit it online at www.police.gov.sg/iwitness. All information will be kept strictly confidential. If you require urgent Police assistance, please dial ‘999’.
1. Example of conversation between scammer and victim off Carousell
2a. Example of SMS from spoofed Carousell sender ID (with uppercase ‘i’ followed by a lowercase ‘L’) with link to phishing website. Carousell does not send you links via SMS.
2b. Example of QR code sent with link to phishing website
3. Example of phishing websites