SIM Swap Scams Targeting Singtel, StarHub, and M1 Users in Singapore

Your mobile phone number is far more than a way for people to call you. In Singapore, it is the key to your banking OTPs, Singpass authentication, PayNow transactions, and two-factor authentication for virtually every online service. A SIM swap attack — where a scammer transfers your phone number to a SIM card they control — gives them access to all of this in one move.

SIM swap fraud has been growing globally, and Singapore's heavy reliance on SMS-based OTP verification makes it a particularly attractive target. Singtel, StarHub, and M1 — Singapore's three main telcos — have each had customers fall victim to this increasingly sophisticated attack.

How SIM Swap Fraud Works

A SIM swap attack follows a predictable pattern:

Step 1: Information Gathering

The scammer collects your personal information — name, NRIC number, date of birth, address, phone number, and sometimes answers to security questions. This information comes from data breaches, social media, phishing attacks, or dark web purchases.

Step 2: Contacting Your Telco

Armed with your personal details, the scammer contacts Singtel, StarHub, or M1 — either by calling customer service, visiting a retail store with fake identification, or using online account management tools. They request a SIM replacement, claiming they lost their phone or damaged their SIM card.

Step 3: SIM Transfer

If the telco's verification process is bypassed, your phone number is transferred to the scammer's SIM card. Your phone immediately loses signal — calls, SMS, and data stop working.

Step 4: Account Takeover

With control of your phone number, the scammer now receives all SMS OTPs sent to your number. They use this to:

• Log into your bank accounts (DBS, OCBC, UOB)
• Access your Singpass
• Reset passwords on your email, social media, and other accounts
• Authorize PayNow transfers
• Bypass 2FA on cryptocurrency exchanges

The entire process from SIM swap to account drain can happen in under an hour.

Warning Signs of a SIM Swap Attack

Warning Sign	What It Means
Your phone suddenly shows "No Service" or "Emergency Calls Only"	Your number may have been transferred to another SIM
You receive unexpected SIM change notifications	Someone may be attempting to swap your SIM
You cannot make calls or send texts	Your SIM has been deactivated
You receive emails about password resets you did not request	Scammer is using your number to reset passwords
Your banking app shows login attempts from unknown devices	Your OTPs are being intercepted
Contacts tell you they received unusual messages from your number	The scammer is using your number

Telco-Specific Security Measures

Singtel

Singtel has implemented additional verification steps for SIM replacements and number porting requests. Customers can set up a Singtel security PIN that must be provided for any account changes. Enable this through the My Singtel app or by calling 1688.

StarHub

StarHub requires in-person verification with original NRIC for SIM replacement at retail stores. For added security, set up a StarHub account PIN through the My StarHub app or by calling 1633.

M1

M1 has strengthened its SIM replacement verification process. Customers can set a service restriction PIN through the My M1 app or by calling 1627. This PIN is required for all SIM-related changes.

SIM Swap Prevention Checklist

1. Set up a telco security PIN — Contact Singtel (1688), StarHub (1633), or M1 (1627) to add a PIN required for any SIM changes
2. Enable SIM lock on your phone — Requires a PIN to use the SIM in a different device
3. Monitor your phone signal — Sudden loss of service is the earliest warning sign
4. Use app-based 2FA instead of SMS — Google Authenticator, Microsoft Authenticator, or hardware keys
5. Limit personal information shared online — Less data means harder impersonation
6. Set up account alerts with your telco for any SIM or account changes
7. Register for IMDA's Do Not Port list if you do not plan to switch telcos
8. Use strong, unique passwords for your telco account — it is often the weakest link

What to Do If You Suspect a SIM Swap

Time is critical. Every minute counts once a SIM swap has occurred.

1. Contact your telco immediately — Call from another phone:
   • Singtel: 1688
   • StarHub: 1633
   • M1: 1627
2. Contact your banks urgently — Request emergency account freeze:
   • DBS: 1800-111-1111
   • OCBC: 1800-363-3333
   • UOB: 1800-222-2121
3. Log into Singpass from a computer and review recent activity
4. Change passwords for email, banking, and critical accounts from a secure device
5. File a police report immediately
6. Contact the Anti-Scam Centre at 1800-722-6688
7. Alert contacts that your number may be compromised

Moving Beyond SMS-Based Security

The most effective long-term protection against SIM swap attacks is reducing your reliance on SMS-based OTP:

Authentication Method	SIM Swap Vulnerable	Recommendation
SMS OTP	Yes	Avoid for critical accounts
App-based TOTP (Google Authenticator)	No	Use wherever available
Singpass Face Verification	No	Enable for Singpass
Hardware security key (YubiKey)	No	Best for high-value accounts
Biometric (fingerprint/face)	No	Enable on banking apps

Protect Your Phone Number

Your mobile phone number has become your digital identity in Singapore. When you need to share your phone number or other personal details with trusted parties, avoid sending them through messaging apps where they remain permanently. Use LOCK.PUB to create a password-protected, auto-expiring link containing the information. Once the recipient views it, the data disappears — reducing the risk of your details being harvested from compromised chat histories.

The Bottom Line

A SIM swap gives a scammer the keys to your entire digital life in Singapore — banking, Singpass, email, and social media. The attack is silent, fast, and devastating. Your most important defenses: set up a telco security PIN today, switch from SMS OTP to app-based authentication wherever possible, and act within minutes if your phone suddenly loses signal.

If you need to share sensitive contact or identity information, use LOCK.PUB instead of plain text in chats. Your phone number is no longer just a number — it is your digital identity. Protect it accordingly.