5 Ways To Block Phishing And Spear Phishing In Singapore

9 April 2026


Phishing attacks are no longer the clunky, obvious scam emails of the past. Today, they are polished and frighteningly convincing, and Singapore businesses are very much in the crosshairs. Phishing scams ranked among the top ten scam types in Singapore in the first half of 2025, with 3,779 cases reported and a total of S$30.4 million lost, as reported by the Singapore Police Force. What's more alarming is that spear phishing is becoming increasingly common in the corporate world.

The good news is that you do not have to sit back and wait to become a statistic. Whether you run a small business or manage IT security for a larger enterprise, there are practical, proven ways to reduce your exposure. Even as awareness of phishing has grown, with 80% of survey respondents in Singapore indicating they know what phishing is, only about one in ten people could accurately distinguish between all phishing and legitimate content in 2024, according to the Cyber Security Agency of Singapore (CSA). That gap between awareness and real-world recognition is exactly where attackers thrive. Here are five ways to close it.

1. Train your people regularly and realistically

Your employees are your first line of defence, and they are also your most targeted entry point. A well-crafted spear phishing email can fool even experienced professionals. Regular phishing simulation training is one of the most effective tools available. This involves sending fake phishing emails to staff to see who clicks, then providing immediate, contextual feedback. The key word here is regular. A once-a-year workshop simply does not cut it when attackers are evolving their tactics monthly.

Training should include scenarios based on real and current threats, including new tax refund spoofing tactics in Singapore that have seen criminals impersonate official government agencies like IRAS to steal SingPass credentials and banking details. Keep sessions short, engaging, and tied to real examples your team would actually encounter. The goal is to build instinct, not just knowledge.

2. Invest in email authentication protocols

Most phishing emails work because they look like they come from someone you trust. The technical fix for this is a set of email authentication standards that verify whether a sender is who they claim to be.

The three you need to know are Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC). Together, these protocols make it significantly harder for attackers to spoof your domain or impersonate trusted partners to your staff.

IRAS itself advises businesses and individuals to check that their email service provider is compliant with DMARC, particularly in the context of tax-related phishing scams where sender IDs are routinely spoofed. If a government body is recommending it, your business should have it implemented. Setting these up correctly requires some technical expertise, but the protection they provide is well worth the effort.

3. Use Multi-Factor Authentication (MFA) across all critical systems

Even if a phishing attack is successful and a password is stolen, multi-factor authentication (MFA) acts as a crucial backstop. With MFA enabled, an attacker who has obtained login credentials still cannot access your systems without a second form of verification, typically a code sent to a mobile device or generated by an authenticator app.

This is especially important for email accounts, finance systems, cloud platforms, and any tool that holds sensitive data. Business email compromise (BEC) often begins with a single compromised inbox. BEC scams featured among the top loss-generating scam types in Singapore in 2025, and the damage from a large proportion of these incidents could be limited if MFA were in place.

MFA is not foolproof, and more advanced attacks can attempt to bypass it, but it dramatically raises the bar for attackers and is considered a baseline security measure by most cybersecurity frameworks.

4. Conduct penetration testing to find your weak spots before attackers do

Knowing your vulnerabilities is half the battle. Penetration testing services allow businesses to proactively identify weaknesses in their email infrastructure, employee behaviour, and security configurations before a real attacker exploits them.

A phishing-focused penetration test involves a team of ethical hackers crafting and sending realistic phishing and spear phishing campaigns against your organisation. The results reveal which staff are most susceptible, which departments are at the highest risk, and where your technical controls are falling short.

Singapore recorded a 49% increase in phishing attempts in a recent reporting period, with the banking and financial services sector most targeted. But no industry is immune. Penetration testing services give you an honest, evidence-based picture of where you stand and a clear roadmap to improve. It is not a one-off exercise either; ideally, it should be conducted at least annually or after any major change to your systems or workforce.

5. Implement advanced email filtering and endpoint protection

Technology alone cannot stop phishing, but it can filter out a significant proportion of threats before they ever reach your staff. Modern email security solutions go well beyond basic spam filters. They use machine learning to detect suspicious patterns, flag unusual sender behaviour, scan links in real time, and sandbox attachments before they are opened.

Look for solutions that offer:

  • Anti-spoofing detection that flags emails where the display name does not match the sending domain.
  • Link rewriting and scanning, which checks URLs at the time of click rather than at the time of delivery.
  • Attachment sandboxing, which detonates suspicious files in a safe environment before they reach the end user.
  • Anomaly detection that alerts security teams when an account suddenly behaves differently, for example by sending bulk emails or accessing data at unusual hours.

Pair this with robust endpoint protection on all devices, including mobile phones, which are increasingly used to access corporate email. Twelve per cent of phishing emails in Singapore have been found to contain AI-generated content, making them harder to detect visually. The more layers of technical protection you have in place, the less reliant you are on a single employee making the right call at the right moment.
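The anti-spoofing check from the list above can be sketched as follows: flag a From header whose display name claims an identity that the sending domain does not back up. This is an added example, not code from the original article or from any product; the `PROTECTED` map and all sample headers are constructed, and a real filter would maintain its own list of names and permitted domains.

```python
import re
from email.utils import parseaddr

# Assumption: the defender maintains this map of names that staff trust to the
# domains allowed to send under them. Entries here are illustrative.
PROTECTED = {
    "iras": {"iras.gov.sg"},
    "example bank": {"examplebank.example"},
}

def domain_of(address):
    """Lower-cased domain part of an e-mail address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def is_allowed(domain, allowed):
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def check_from(header):
    """Return the reasons a From header looks like display-name spoofing."""
    name, address = parseaddr(header)
    sender = domain_of(address)
    reasons = []
    # Case 1: the display name embeds an address from a different domain,
    # which many mail clients show in place of the real sender address.
    for embedded in re.findall(r"[\w.+-]+@[\w.-]+\.\w+", name):
        if domain_of(embedded) != sender:
            reasons.append(f"display name shows {embedded} but mail is from {sender}")
    # Case 2: the display name uses a protected name from an unlisted domain.
    for brand, allowed in PROTECTED.items():
        if re.search(r"\b" + re.escape(brand) + r"\b", name.lower()):
            if not is_allowed(sender, allowed):
                reasons.append(f"display name uses '{brand}' but {sender} is not permitted")
    return reasons

if __name__ == "__main__":
    samples = [  # constructed headers
        '"IRAS" <notice@iras.gov.sg>',
        '"IRAS Refunds" <refund@iras-gov.example>',
        '"ceo@examplebank.example" <ceo.office@mail.example>',
    ]
    for header in samples:
        print(header, "->", check_from(header) or "ok")
```

The check reads only the visible From header, so it complements SPF, DKIM and DMARC rather than replacing them: a look-alike domain can pass all three and still be caught here.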

Conclusion

Phishing and spear phishing are not going away. Attackers are becoming more resourceful and convincing. But organisations that combine solid employee training, strong technical controls, and a culture of vigilance are significantly harder to compromise than those that rely on luck. The five strategies above are the foundation of a resilient security posture for any Singapore business operating in today's threat environment. The sooner you start, the better protected you will be.

If you would like expert guidance on assessing and strengthening your defences, Group8 can help. From tailored security assessments to hands-on implementation support, Group8 works with businesses across Singapore to build cybersecurity programmes that are practical and built for the long haul. Get in touch with our team today to find out where your greatest risks lie and what to do about them.