The victims would be requested to enter their Internet banking details and one-time passwords (OTPs) received on their mobile phones.
They would only realise they had been scammed after being notified of unauthorised transactions from their bank accounts, the authorities said.
“While the authorities work swiftly to take down phishing websites, user vigilance is crucial in our fight against evolving scams,” they added.
In the joint release, the authorities also said that IRAS does not send SMSes containing links asking members of the public to log in with their credentials such as passwords and Singpass login details.
They advised members of the public to be on “heightened alert” and follow crime prevention measures such as always verifying the authenticity of claims about problems with their income tax status with the official IRAS website.
Members of the public should also ensure the Singpass website domain they are accessing is singpass.gov.sg, with a lock icon in the address bar.
Users should update their contact details registered with Singpass and enable notifications via their Singpass app so that they can be promptly alerted of suspicious logins and contact Singpass to secure their account.
This includes when a login on a new device or Internet browser is detected.
Logins to Government services should only be done at websites with domains ending with “.gov.sg”, said the police and IRAS.
Members of the public can check against the list of trusted websites at www.gov.sg/trusted-sites if they receive a link that does not end with “.gov.sg”.
They should also never disclose their personal or Internet banking details or OTPs to anyone and report any fraudulent transactions to their bank immediately.
Those with information relating to such crimes can call the police hotline at 1800-255-0000 or submit it online.