5 ways to keep your Singpass safe | How-to guide

Did you know that Singpass is almost 20 years old? Launched in 2003, Singpass has come a long way from being a login to transact with the government to become an all-encompassing digital identity with its feature-packed mobile application.

It's truly Singapore's trusted digital identity, serving as our 'Digital IC' for secure and convenient access to a vast array of e-services. With Singpass, you can access essential government services (such as CPF, HDB, and IRAS), securely authourise transactions, and even pre-fill forms with MyInfo. This tool enables us to access sensitive personal information, such as our CPF balances and address details, highlighting its importance.

While its security has been constantly enhanced, such as when Two-Factor Authentication (2FA) was introduced in 2015, with more transactions conducted online and scams continuously evolving, user vigilance is as crucial as the technical and operational safeguards put in place.

GovTech is relentlessly working to protect users by introducing better fraud detection mechanisms, running public awareness campaigns, and developing anti-scam tools. Read on to learn more about these five security tips and how you can play an active role in keeping your Singpass secure.

Key takeaways

• Never share your Singpass details – keep your login credentials private.

• Do not click on hyperlinks or scan QR codes sent over SMS or WhatsApp claiming to be “Singpass.”

• Always check the Singpass website’s URL – avoid fraudulent websites and make sure you are on the official Singpass website.

• Act promptly if you receive an alert about unusual login activity.

• Only use one Singpass app on your device at a time for added security.

• Stay vigilant and report any suspicious activity or scams immediately to authourities.

Rise in Singpass scams

Unfortunately, we’ve seen a concerning rise in Singpass-related scams in recent times, highlighting the growing vulnerability of this digital identity tool. Scammers are becoming increasingly sophisticated, making prevention more critical than ever.

For instance, on 17 May 2024, the police announced that scammers had stolen the Singpass credentials of at least 219 people since January of the same year, under the guise of job screening. This alarming statistic highlights the importance of securing your Singpass and following best practices, as prevention is always better than a cure. Such incidents often prevent victims from receiving crucial notifications, further complicating matters.

Common tactics used by scammers

Scammers employ various deceptive tactics to exploit Singpass information, often by:

• Sending phishing emails or SMS messages that impersonate official government services.

• Creating fake Singpass websites designed to steal your login details.

• Using social engineering tactics, whereby scammers pose as officials or trusted sources to manipulate users into disclosing sensitive information.

How Singpass can be compromised?

Singpass accounts can be compromised through several common methods:

• Using weak passwords or reusing credentials across multiple services.

• Clicking on malicious links or scanning fraudulent QR codes from unverified sources.

• Failure to respond promptly to unusual login alerts, giving scammers more time to act.

Consequences of Singpass being compromised

A compromised Singpass can have severe repercussions, including:

• Unauthourised access to your personal information, such as CPF, medical records, and tax details.

• Potential identity theft, leading to fraudulent transactions or activities carried out in your name.

• Loss of control over your government-related services and personal digital identity.

How to protect yourself?

While GovTech implements robust safeguards, we all have a vital role to play in preventing these risks. By following these simple yet crucial steps, you can significantly enhance the security of your Singpass.

1. Do not share your Singpass details

Do you know that Singpass can be used to access thousands of government and private sector services, and it contains a lot of your personal information?

Just as you would not hand over your physical identity card to just about anyone, you should never disclose your Singpass ID, password, and 2FA details to others. Your Singpass ID is a unique and sensitive identifier.

You should also register only your own biometric information on your mobile device. Don’t allow strangers to use your device and potentially gain access to your Singpass app!

2. Do not click on hyperlinks or scan QR codes sent over SMS or WhatsApp by “Singpass”

Singpass does not send hyperlinks or QR codes over SMS or social messaging apps such as WhatsApp. So, never click on the hyperlinks or scan the QR codes if you receive such a message.

As an added layer of security, the Singpass app is programmed to recognise only legitimate Singpass QR codes and displays an error message if an invalid QR code is scanned.

If you see such an error message, your guard should go up, and don’t attempt to scan the QR code using another QR code reader. The fraudsters may very well be relying on you to do so after being rejected by the Singpass app.

3. Check the Singpass URL link carefully

Think that you must be on the Singpass login page because it looks real and bears the Singpass logo? Think again! Scammers are constantly updating their methodologies, and phishing websites can look very similar to real websites.

That’s why you should always check the URL domain on the Singpass website before you proceed. Look for "singpass.gov.sg" in the address bar. This will help to protect you from phishing websites that trick you into disclosing your login details.

4. Do not ignore the alert about an unusual login

Singpass will send you an alert when a login is performed on a device or Internet browser that you don’t usually use. This is part of the real-time fraud analytics deployed to identify suspicious behaviour.

Don’t ignore the notification! If you did not perform the login, report the incident immediately to the Singpass Helpdesk at 6335 3533 (operates from 8am to 10pm on Mondays to Fridays, and from 8am to 6pm on Saturdays, Sundays and public holidays) or support@singpass.gov.sg (responds in 3 working days) to secure your account.

Also, remember to update your contact details registered with Singpass so that you can receive these transactional and security alerts promptly.

5. Can I install Singpass on 2 phones?

No, you cannot install the Singpass app and have it active on two phones simultaneously. This is a crucial security feature designed to protect your digital identity and prevent unauthorised access or identity theft. If you need to transfer Singpass to a new phone, you simply activate it on the new device, and the old one will automatically deactivate.

Only one active Singpass app at a time

The Singpass app can only be installed on one mobile device at a time, ensuring there is only one copy of your credentials actively linked. This is a fundamental security measure.

This will come in handy should you misplace your mobile device or suspect that your account has been compromised.

Simply install and activate the app on another device, and the app on the lost device will be automatically deactivated. Alternatively, you can deactivate the Singpass app via the Singpass portal. This process also applies if you are trying to transfer Singpass to a new phone with the same number on an Android or any other device.

What to do if your Singpass is compromised?

If you suspect your Singpass has been compromised, act swiftly. Immediately change your Singpass password via the official Singpass website or app. Contact the Singpass Helpdesk at 6335 3533 without delay to report the incident and freeze your account if necessary. It’s also wise to check your bank accounts and other linked services for any suspicious activity and report them to the relevant authorities.

Best security practices for managing your Singpass

Keeping your Singpass safe goes beyond just reacting to threats. By following these best practices, you can strengthen your digital security every day.

Log out of your Singpass after use

It’s always a good practice to log out of your Singpass account, especially when using public or shared computers. This minimises the risk of unauthorised access to your digital identity.

To logout, simply tap on the 'More' tab in the app, then select 'Log out'. This will ensure that your session is securely ended.

Regularly update your Singpass app

Keeping your Singpass app updated is vital for security. Updates often include bug fixes and security enhancements that protect you against the latest threats. Enable automatic updates on your device to ensure you always have the most secure version.

Frequently asked questions about Singpass

Why is my Singpass deactivated?

You may wonder why your Singpass has been deactivated. Well, it can happen for several reasons, including prolonged inactivity, multiple failed login attempts, or if you have recently registered your Singpass on a new device (which automatically deactivates the previous one). If you believe your Singpass has been deactivated in error or need assistance, you can contact the Singpass Helpdesk for support.

How to transfer Singpass to a new phone securely? 

To transfer Singpass to a new phone securely, simply download the Singpass app on your new device and follow the on-screen instructions to set it up. The app will guide you through a secure verification process, which usually involves Singpass Face Verification. Once successfully set up on your new phone, the app on your old device will automatically be deactivated.

How do I change the device linked to my Singpass?

To change devices, you just need to install and activate the Singpass app on your new mobile device. This process will automatically link your Singpass to the new device and deactivate it on the old one. This ensures that only one device is actively linked to your Singpass credentials at a time for security.

Staying safe in this digital world

If in doubt, pause before doing anything. Take a moment to verify the authenticity of the website or follow up on a security alert, and you can save yourself a lot of time and grief. Remember to explore our guide on online scams in Singapore and learn more about comprehensive scam prevention strategies.

If you see others who may be engaging in unsafe digital practices, remind them that we can all do our part to protect our digital identity and data. The more people we can help spread the word to, the more we can keep safe from scammers.

Together, we can keep scammers away!