Keeper Security’s Recommendations as Impersonation Scams Rise in APAC
Manipulating Caller IDs, Replicating Official Language, and Leveraging Urgency to Coerce Victims

Impersonation scams are proliferating across the APAC region, and governments are intensifying measures to protect residents. One example is Singapore’s recent announcement that calls made by police officers to residents will carry a standardised prefix, and messaging platforms such as WhatsApp will have to implement tighter anti-scam measures to combat spoofing.
Recent figures from Singapore’s Ministry of Home Affairs have highlighted how criminals are increasingly using WhatsApp spoofing to impersonate government officials and exploit public trust. Singapore’s move to require the “+” prefix for international calls is a practical friction point, but it should be viewed as a visibility control rather than a fail-safe.
These scams are engineered rather than opportunistic, with attackers manipulating caller IDs, replicating official language, and leveraging urgency to coerce victims into disclosing sensitive information or making payments. The rapid rise in government impersonation scams reflects how attackers are deliberately targeting institutions that carry inherent authority and credibility.
Spoofing is effective because it undermines a core assumption in digital communication—that the sender is who they claim to be. When a message appears to come from a trusted government source, many individuals instinctively lower their guard. The same tactics are routinely deployed against organisations, where a single compromised credential or intercepted one-time passcode can open the door to larger fraud, data breaches, or business email compromise.
For individuals, the fundamentals remain critical: never share passwords, one-time passcodes, or authentication prompts; avoid continuing conversations initiated through unexpected channels; and independently verify communications through official channels. No legitimate government agency will request sensitive credentials over messaging platforms. Any request that creates urgency around payment, arrest, or account suspension should be treated with heightened scepticism.
For organisations, the strategic priority must focus on reducing the blast radius of inevitable human error. That means enforcing phishing-resistant multi-factor authentication, eliminating shared credentials, deploying privileged access controls, and adopting passwordless or zero-trust models where possible. Centralised visibility into credential hygiene and dark web exposure further strengthens resilience.
Why Impersonation Has Become a Growing Problem
By ensuring that authentication is tied to strong cryptographic verification rather than knowledge-based factors or SMS codes, organisations materially reduce the impact of spoofing, even when employees are deceived. Modern privileged access management platforms help contain impersonation risk by limiting standing access, enforcing least privilege, and monitoring high-risk sessions in real time, ensuring that a single compromised identity does not cascade into broader system compromise.
Spoofing attacks will continue to evolve and make impersonation scams even more believable and dangerous, particularly with the rise of AI-enabled voice and message manipulation. Awareness campaigns are important, but sustainable protection depends on resilient identity architecture that assumes deception will occur and designs controls accordingly. In today’s threat landscape, trust must be continuously verified, not assumed.



