Security Guidelines
You play an important role in safeguarding your personal data and account information:
Always ensure that your online account and password information is kept confidential. Failure to do so will expose you to the risks of fraud and loss. We will not be responsible for losses suffered by customers as a result of:
- Input errors or misuse of Internet services;
- Negligent handling or sharing of passwords;
- Leaving a computer unattended during an online session;
- Failure to report known incidents of unauthorised account access immediately.
The following are some security precautions that you can take when accessing our website.
Authenticity and security of Income's website
Always ensure that you are accessing a secure website before submitting any information via your web browser. To ensure you are accessing a secure website:
- Ensure the address of the website starts with “https://” instead of "http://" and look out for a padlock icon on the URL or status bar of the browser.
- Ensure that the website you are visiting belongs to NTUC Income (Income). You can do so by comparing the URL displayed in your browser with Income’s URL in the digital certificate. The digital certificate can be found by clicking on the padlock icon.
- Terminate your login session immediately and notify us at 6788 1777 if you notice any discrepancy in the SSL certificate or if there is an SSL server certificate warning.
- Always check the legitimacy of links shared. Income only uses the following domains: income.com.sg, einco.me and ntucinco.me. Take note that scammers may try to trick you into clicking on similar URLs that contain the word ‘income’, for example: income-login.com.sg or income-com-sg.net.
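The domain check in the last point can be automated, for example in a mail or SMS filter. The following is an added example, not Income's own code: it extracts links from a message and flags any that do not use https or whose host is not one of the three listed domains. Accepting subdomains of those domains is an assumption, and the sample messages and their paths are constructed.

```python
import re
from urllib.parse import urlsplit

# Domains the page lists as the only ones Income uses.
OFFICIAL_DOMAINS = ("income.com.sg", "einco.me", "ntucinco.me")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_official_link(url: str) -> bool:
    """True only for an https link on an official domain or its subdomain."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # excludes any user@ prefix and port, lower-cased
    except ValueError:
        return False
    if parts.scheme != "https" or not host or not host.isascii():
        return False
    host = host.rstrip(".")
    # Exact match or dot-separated suffix: "income-login.com.sg" and
    # "income.com.sg.example.net" fail; "www.income.com.sg" passes.
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def suspicious_links(message: str) -> list[str]:
    """Return the links in a message that fail the official-domain check."""
    links = (u.rstrip(".,;:!?)") for u in URL_RE.findall(message))
    return [u for u in links if not is_official_link(u)]


# Constructed sample messages (not real traffic).
SAMPLES = [
    "Your policy documents are ready at https://www.income.com.sg/myincome.",
    "URGENT: account suspended, verify at https://income-login.com.sg/verify",
    "Claim update: http://income-com-sg.net/claim or https://einco.me/a1",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(suspicious_links(msg) or "no suspicious links", "<-", msg)
```

The match is on the whole host name, so a look-alike that merely contains the word "income" is flagged, as is an official domain reached over plain http.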
Keep your User ID and password confidential
Your User ID and Password identify you when you access our services. Therefore, you should never disclose these details to anyone. Be alert and ensure no one is watching you while you enter your account details or any confidential information. This includes the One-Time Password (OTP) sent to your mobile phone as a second factor of authentication. Income and any of our representatives will never ask you for your password or any other confidential information under any circumstances.
Creating a strong password:
- Your password should comprise at least 8 alphanumeric characters with a mix of upper and lower case letters.
- Use the passphrase method to create a password that is difficult for others to guess.
- Do not choose a dictionary word as your password.
- Do not reveal your password to anyone.
- Do not store your passwords on your computer or write them down.
- Change your passwords regularly.
- Log out and clear your browser cache after every transaction.
Remember that we will never ask you for your My Income account login password or One-Time-Password (OTP).
How to protect yourself from security threats?
Safeguards against online threats
Online threats designed to trick you into revealing confidential information such as phishing emails and scams are increasingly used to target unknowing consumers. Therefore, it is important to stay vigilant and safeguard your interests with the following tips:
- Do not use a computer or a device which you do not trust.
- Always install anti-virus, anti-spyware and firewall software on your personal computers and ensure that they are always updated.
- Ensure that your computer's operating system is updated with the latest security patches on a regular basis. Enabling automatic updates is a good practice.
- Do not install software or run programs from an unknown source.
- Do not open any email or attachment from an unknown source.
- Regularly back up important data.
- Never disclose your personal, financial or credit card information to unknown or suspicious websites.
- Protecting our customers' accounts and personal information is one of our highest priorities. If you notice any security issues, suspicious activities or fraud on your Income accounts, please let us know via this online form (select Rewards, Apps & Services > Fraud, Security Issues or Suspicious Activity Reporting).
What is a phishing scam?
Phishing is a form of identity theft or data theft that attempts to trick you into revealing personal or financial information by visiting a website or by clicking on a link. Phishing attacks typically use phony websites or email messages that appear to be from trusted businesses and brands to steal personal information such as usernames, passwords, credit card numbers etc.
The attachments may purport to be invoices, business accounting documents, user account information or other seemingly work-related attachments. When the attachments are opened, the malware infects your computers or devices to steal personal information, as well as login credentials.
Spoofed SMS
There have been recent reports of phishing SMSes being sent to customers of financial institutions in Singapore, where fraudsters masquerade as the financial institution by adopting the same alphanumeric sender ID, also known as alpha tag, as the financial institution.
Here is an example of what SMSes received in such a situation could look like.
The spoofed SMS alpha tag places both phishing and legitimate SMS messages in the same SMS conversation thread. This makes the phishing text message seem legitimate, which increases the likelihood of people being tricked into clicking the link.
Once you click on the link, you would be directed to a fraudulent website requesting your user credentials like your customer portal username, password and One-Time Password. Once these are entered, the fraudsters can use these stolen credentials to log into your customer account and perform unauthorised transactions.
Scam Advertisements on Google Search
Fraudsters would post fake advertisements or phishing web links on search sites so that they would appear when victims search for a specific financial institution's contact numbers or websites.
A screenshot of an advertisement posted by scammers on Google Search
Believing that the search results are legitimate, victims would call the number shown in the fake advertisements and speak to a fraudster impersonating FI staff, where victims would be socially engineered into performing a fund transfer to the fraudster’s account. Victims could also be led to a phishing website and divulge their online financial services credentials, setting the stage for fraudulent activities.
How to protect yourself?
- Do not click on any suspicious link, open any attachment or respond to suspicious SMSes as this is the first clue of a phishing attempt. Instead, always enter the full URL for the Income website into your browser address bar.
- Avoid downloading applications from unofficial third-party application stores.
- Always ensure that you’re using a secure website when submitting personal or other sensitive information via your web browser.
- Ensure your devices are updated with the latest anti-virus software, software security patches and have a personal firewall installed and activated.
- Always verify the authenticity of the information with numbers listed on official institutions' websites.
- Do not reveal your online login password, One-Time-Password (OTP) or hardware token details to anyone. (Note: Income will never ask you for your password under any circumstances.)
- Watch out for usage of urgent or threatening language. Fraudsters hope to instill panic and fear to trick you into providing confidential information. Be wary of phrases like 'urgent action required' or 'your account will be terminated'. If you have a good reason to believe it is a scam, delete the message immediately.
- If you notice any security issues, suspicious activities or fraud on your Income accounts, please let us know via this online form. (Select Rewards, Apps & Services > Fraud, Security Issues or Suspicious Activity Reporting)
Learn more on how to spot phishing
What is a phone scam?
There are recent scams targeting Singapore residents via interactive automated voice messages. The calls claim to be made from courier companies, banks or the police. If you receive an unexpected phone call from someone purporting to be an official from banks, DHL, customs or the police, be wary as this could be a scam call.
In another variant of this scam, the caller might claim to be an employee or representative of financial / banking institutions who then asks – and even threatens – you to give them personal particulars such as passport details or online login credentials or One-Time Password (OTP).
How to protect yourself?
- Do not follow the caller’s instructions.
- Refrain from giving online login details, credit card numbers, OTP codes from tokens or passport numbers to strangers over the phone.
- If you have any information related to such crime, please call the Police hotline.
What is malware?
Malware (short for “malicious software”) is considered an annoying or harmful type of software intended to secretly access a device without the knowledge of the owner. Once your computers or devices are infected, the malware will attempt to steal your login and authorization credentials (such as your password, One-Time Password (OTP) or other personal information) by altering the login flow of the Income website.
You should take precautions and not let your devices be infected by malware.
How to protect yourself from malware:
- Do not click on hyperlinks or attachments provided in email messages from suspicious or unknown sources.
- Avoid accessing unknown and unsecured websites.
- Install and maintain the latest anti-virus software on your mobile devices / computer.
- Secure your mobile device with a password, PIN or a relevant mechanism to prevent unauthorised use.
- Do not reveal your online login password, One-Time-Password (OTP) or hardware token details to anyone.
- Keep us updated with your current mobile number and email address so you are alerted to transactions or account activities.
Remember to log out
Always remember to log out from your internet sessions when you have completed your transactions. Do not leave your computer unattended while Internet transactions are being processed.
Clear your browser's cache
It is advisable to clear your browser's cache and history after each session.
Disclaimer
We shall in no event be liable to you, our customers or any other party for any damages, loss or expense including without limitation, direct, indirect, special, consequential or punitive damages, or economic loss, loss of profits, loss of opportunity, loss of business or goodwill as a result of, arising from or in connection with the following:
- any breach in security measures that are undertaken by us;
- any system, server or connection failure, modification, suspension, discontinuance, error, omission, interruption, delay in transmission, or computer virus;
- your omission or failure to observe the terms and conditions set out in this Security Policy; or
- your negligence or fault.