When she received a text message from her "bank" last Thursday, Ms Kyan Tan did not suspect anything.
It came from the same number that United Overseas Bank (UOB) had used to send her genuine one-time passwords (OTPs) when she performed previous transactions.
So Ms Tan did as she was told: She tapped on the link that was supposed to verify her device, which she assumed was her bank token.
This was to prevent her account from being blocked, the message had claimed.
It was a mistake which cost her $4,000.
"I thought since it came from the number that UOB always uses, then it must have been legitimate," Ms Tan, 32, an assistant manager in the finance industry, told The New Paper yesterday.
The link took her to what looked like the UOB iBanking page and she signed in with her account details. Ms Tan then received a string of messages purportedly sent from UOB containing several OTPs for her to enter into the system.
After she keyed the last OTP into her token, she was given a set of numbers to input into the iBanking page.
In just seconds, Ms Tan received two new messages informing her that a new payee had been added, and that her funds transfer was successful.
Ms Tan said: "When I saw those messages, I had a sense that something was very wrong because I never intended to transfer any money." She called the bank immediately and was told that $4,000 had been transferred out of her account.
Ms Tan said: "I was in shock and disbelief. To find out that you lost $4,000 just like that was painful for me."
She rushed down to a branch and claimed a staff member told her that it was the first case of its kind. She also lodged a police report that night.
TNP understands that the bank's security system was not compromised and that it was an external phishing attempt.
A spokesman for UOB told TNP that the bank is aware of phishing attempts targeting customers via SMS.
He said: "Upon identification of the phishing attempts, we notified our customers via our mobile banking app, UOB Mighty, and Internet banking, advising them to stay vigilant.
"We have also posted information on our Facebook page on the matter."
Mr Priyesh Panchmatia, director of solutions consulting from cyber security firm i-Sprint Innovations, said attackers often focus on the weakest link: humans, who in this case are the end users.
He said: "The attacker may masquerade as a legitimate source by using SMS originator spoofing, send a message that appears to come from the legitimate source and deceive the user into providing his credentials to them via a malicious website."
This article was first published in The New Paper. Permission required for reproduction.