Taipei, Taiwan – October 23, 2025
Authorities have issued a warning after a surge in phishing scams targeting users of Taiwan’s iPASS and EasyCard systems, resulting in financial losses exceeding NT$10 million. Fraudsters posing as official representatives of iPASS or EasyCard have been sending fake text messages and emails claiming to offer account updates, membership rewards, or new service features.
According to the Criminal Investigation Bureau (CIB), the messages include links to fraudulent websites that mimic the official iPASS platform. Unsuspecting users who click the links are asked to provide personal and banking details, including names, ID numbers, iPASS Money passwords, and credit card information. Once submitted, the data is immediately exploited for unauthorized transactions.
The CIB reported that the first case was filed on October 10. By October 21, at least 173 complaints had been received, accounting for losses of NT$8.72 million. One cross-border case recorded 21 fraudulent transactions, totaling NT$183,572 — the single largest reported loss.
Investigators found that the phishing sites used deceptive URLs resembling the official iPASS domain. Fake links often appear as “https://ipass-spayx.net/ipay/#/page/index” or “https://ipass-walletb.com/twpay/#/page/success,” instead of the legitimate “https://www.i-pass.com.tw/”. The misleading addresses are designed to confuse users into believing they are accessing the real site.
The CIB also noted that, after iPASS-related scams were disrupted, fraud groups quickly shifted to impersonating EasyPay. Between October 21 and today, 19 additional cases were reported, resulting in losses of NT$1.37 million.
Officials are urging both businesses and consumers to strengthen online security. Companies managing customer data should improve server protection and firewall systems, while the public is advised to verify URLs carefully and avoid entering personal or payment information into unfamiliar websites.
Authorities emphasize that legitimate organizations will never request sensitive details or one-time passwords (OTP) via text or email. Anyone who suspects fraudulent activity should immediately contact their bank or report the case to the local police.