In December 2022, the Police observed a sharp increase in a phishing scam variant involving fake buyers on Carousell. Scammers would pose as buyers on Carousell and victims would be asked to key in their banking details on spoofed websites to facilitate payment or delivery. At least 975 victims, with reported losses amounting to at least $938,000, had fallen prey to this scam from January 2022 to November 2022. However, since the beginning of December 2022, at least 877 victims had fallen prey to date, with total losses amounting to at least $836,000.
In this variant, scammers would approach victims on Carousell and express interest in items that the victims had listed on the platform. After agreeing to the sale of the items, the scammer would request the victims’ contact details, on the pretext of sending a link to facilitate payment or delivery of the item. Depending on the contact details provided, victims would then receive an email, SMS or WhatsApp message from the scammer with dubious URL links or QR codes (e.g. cutt.ly/31uXCDu, carousell.quick-funds.in/266780736). Upon clicking on the links or scanning the QR codes, victims would be redirected to a spoofed website and asked to provide their internet banking login credentials, bank card details and/or One-Time Password (OTP). Victims would realise that they had been scammed when they discovered unauthorised transactions made from their bank accounts/cards. Refer to Annex A for illustrations of the scammer’s approach.
Members of the public are advised to note and follow these crime prevention measures:
- Always verify the buyer’s profile on online marketplaces by checking the account's verification status, creation date, reviews, and ratings;
- Do not click on dubious URL links and always verify the URL links. Only domains that end with carousell.com or carousell.sg are Carousell domains. URLs such as carousellpay.com, carousell.xxx.com, carousell-pay.com, carousell.pay-sg.com are NOT Carousell domains. Carousell does not send links via SMS, and would only send OTPs via SMS. This OTP should only be keyed into the Carousell application or webpage;
- If in doubt, always verify the authenticity of the information with the e-commerce platform directly;
- Never disclose your personal or internet banking details and OTP to anyone;
- Report any fraudulent transactions to your bank immediately; and
- Report any suspicious user and fraudulent transaction from the online marketplace to the e-commerce platform.
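The domain rule in the measures above can be checked mechanically, for example in a mail or chat filter. The following is an added example, not part of the original advisory: the function names are hypothetical, and the sample links are the ones quoted in this advisory plus two constructed ones. It compares the hostname on a label boundary, because a plain "ends with" test would also accept a lookalike registration such as the constructed mycarousell.com.

```python
from urllib.parse import urlsplit

# Official domains, as stated in the advisory.
OFFICIAL_DOMAINS = ("carousell.com", "carousell.sg")


def hostname_of(link: str) -> str:
    """Return the lower-cased hostname of a link, with or without a scheme."""
    link = link.strip()
    if "://" not in link:
        link = "https://" + link  # links in messages often omit the scheme
    try:
        host = urlsplit(link).hostname or ""
    except ValueError:  # malformed link: treat as having no valid host
        return ""
    return host.rstrip(".").lower()


def is_carousell_domain(link: str) -> bool:
    """True only if the host is an official domain or a subdomain of one."""
    host = hostname_of(link)
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def naive_check(link: str) -> bool:
    """Flawed variant: raw suffix match that ignores the label boundary."""
    return hostname_of(link).endswith(OFFICIAL_DOMAINS)


# Links quoted in the advisory, plus two constructed samples (marked).
SAMPLES = [
    "https://www.carousell.sg/p/12345",    # constructed: official subdomain
    "mycarousell.com",                     # constructed: passes the naive check
    "carousellpay.com",
    "carousell.xxx.com",
    "carousell-pay.com",
    "carousell.pay-sg.com",
    "carousell.quick-funds.in/266780736",
    "cutt.ly/31uXCDu",  # shortener: the visible host says nothing about the destination
]

if __name__ == "__main__":
    for link in SAMPLES:
        verdict = "official" if is_carousell_domain(link) else "NOT Carousell"
        print(f"{link:40} {verdict:14} naive={naive_check(link)}")
```

A shortened link never passes this check, which matches the advice to treat such links as dubious rather than follow them to see where they lead.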
Carousell users are advised to be wary of buyers asking for an email address or phone number on the pretext that these details are required for the buyer to make an order through Carousell Protection. Carousell does not ask for payment, order confirmation, or card details via external sites or email. For more information on differentiating real Carousell websites from phishing sites, spotting scam trends, or transacting safely on Carousell, users may wish to check out Carousell’s Help Centre. Refer to Annex B for examples of fake Carousell websites.
If you have any information relating to such crimes or if you are in doubt, please call the Police Hotline at 1800-255-0000, or submit it online at www.police.gov.sg/iwitness. All information will be kept strictly confidential. If you require urgent Police assistance, please dial ‘999’.
For more information on scams, members of the public can visit www.scamalert.sg or call the Anti-Scam Hotline at 1800-722-6688. Join the ‘Spot the Signs. Stop the Crimes’ campaign at www.scamalert.sg/fight by signing up as an advocate to receive up-to-date messages and share them with your family and friends. Together, we can help stop scams and prevent our loved ones from falling prey to scams.
Images 1 - 2: Conversations between the victims and scammers over Carousell or WhatsApp
Image 1: Example of conversation between scammer and victim on Carousell
Image 2: Example of conversation between scammer and victim off Carousell
Images 3 - 4: SMS or in-app message with links to phishing websites
Image 3: SMS from spoofed Carousell sender ID (with uppercase ‘i’ followed by a lowercase ‘L’) with link to phishing website
Image 4: QR code that leads to phishing website
Images 5 - 6: Phishing websites
Image 5: Spoofed Carousell Protection phishing website
Image 6: Phishing website
Image 7: Phishing website after submission of credit card details
Images 8 - 9: Examples of fake Carousell websites. Only domains that end with carousell.com or carousell.sg are Carousell domains.
Image 10: Example of spoofed SMS with URL to phishing website. Carousell does not send you links via SMS.
SINGAPORE POLICE FORCE
28 December 2022 @ 10:00 PM