More than 5,000 phishing e-mails impersonating Case officers sent after cyber attack
Cyber attackers hacked the mail server for Singapore's watchdog and impersonated its officers, sending out phishing e-mails to more than 5,000 consumers to tell them they had to make payment transactions to get monetary compensation.
The Consumer Association of Singapore (Case) said it started receiving reports of these phishing e-mails last Saturday.
Two mailboxes, "email@example.com" and "firstname.lastname@example.org" were affected. The first is used by the association to communicate with consumers who lodge complaints on Case's website, and the second is used for those whose complaints are escalated to mediation.
A total of 5,095 phishing e-mails were sent from both mailboxes.
In those e-mails, consumers were asked to participate in a live chat, and approach bank partners to perform payment transactions relating to their complaints to receive monetary compensation. No other details were available.
"While these e-mails were sent from e-mail addresses that Case may have used to communicate with consumers, the latest notifications they received did not originate from Case," said the consumer watchdog.
"Case will not direct consumers through e-mail or live chat to visit another website to key in their bank details."
Investigations confirmed that the unauthorised access was limited to consumers' e-mail addresses and all other personal information remained secure, said Case.
It said that once it learnt its mail server had been hacked, it worked with its IT vendors to suspend the affected mailboxes and reconfigure its e-mail accounts to stop more phishing e-mails from being sent. It said it would also work with the vendors to strengthen its cyber security systems to avoid a further recurrence.
Case said it is carrying out further investigations, and has reported the incident to the police and the Personal Data Protection Commission (PDPC) to resolve it.
It advised consumers who have received those e-mail notifications not to click on the links and disclose personal and bank details. Those who have performed the payment transactions should lodge a report with the police, and the anti-scam hotline at 1800-722-6688 as soon as possible.