SINGAPORE - A slew of measures will be implemented by the Government to ensure that phone users in Singapore can interact with SMS messages safely, both by foiling would-be scammers and shoring up user education.

In a written response to a question from MP Sharael Taha (Pasir Ris-Punggol GRC), Mr Teo Chee Hean, Coordinating Minister for National Security, outlined four measures the Government will take to prevent, detect and mitigate any SMS messages that impersonate legitimate senders.

Mr Teo's response comes after the Smart Nation and Digital Government Group wrapped up its review of the use of SMS and clickable links for government agencies.

The review was announced in January after a spate of online banking scams, including phishing scams that caused OCBC customers to lose $13.7 million.

The four measures are: using the SMS Sender ID Registry (SSIR) to block messages sent by those that spoof the IDs of legitimate senders; screening out scam messages and calls; strengthening scam detection in government transactions and speeding up the response to scams, said Mr Teo.

In his reply on Monday (July 4), Mr Teo said over 50 organisations - including government agencies and banks - have come on board the SSIR, which was established in March.

He added that all government agencies will progressively join the registry.

"We are also studying the requirement for all users of alphanumeric sender IDs to be onboarded to prevent scammers from sending SMSes using alphanumeric sender IDs," said Mr Teo, who oversees the Smart Nation and Digital Government Group in the Prime Minister's Office.

As for screening out scam messages and calls, he said the Government will work with telcos to improve their ability to block such messages and calls, including robocalls and those spoofing numbers of local Government agencies and emergency services.

The ScamShield mobile application developed by the National Crime Prevention Council (NCPC) to filter out scam SMS messages and calls, and various education campaigns to alert citizens to different types of emerging scams, are also in place, he noted.

Multi-factor authentication on Singpass, including the use of biometrics, to provide added layers of protection to Singpass accounts and to prevent them from being easily taken over by scammers, has been introduced to strengthen scam detection for government transactions.

"Like other major technology companies, we are also using and continuously improving our fraud analytics to detect and notify users of suspicious logins, such as logins from a new device or browser."

For major transactions, government agencies will check that payments are made to bank accounts owned by the correct person, he said.

"This will complement similar measures that the banks are taking to mitigate the risk of fraudulent transactions, such as enhancing fraud monitoring systems to facilitate timely detection and blocking of suspicious transactions, and alerting customers of outgoing transactions that exceed established risk thresholds so that they can report unauthorised transactions as soon as possible."

To speed up the response to scams, the NCPC will launch a WhatsApp channel by the third quarter of 2022 for citizens to quickly report suspected scams, to rapidly crowdsource information and respond to scam websites and messages, said Mr Teo.

The Infocomm Media Development Authority (IMDA) and the Singapore Police Force (SPF) will also work together to identify and block suspected scam websites, he said, noting that 12,000 were blocked last year.

"In addition, the SPF works with financial institutions to swiftly freeze bank accounts suspected to be involved in scams.

"Combating scams will be a constant battle as scammers' tactics will keep changing."

Other than the four measures, the Government will also use only domains ending with ".gov.sg" when sending SMS messages with links.

Any logins to government services, such as keying in Singpass credentials or scanning the Singpass QR code, should only be done at genuine Government websites with domains ending with ".gov.sg".

But Mr Teo added: "There are some exceptions such as websites that are collaborations between government agencies and non-government entities.

"Such legitimate websites are listed on www.gov.sg/trusted-sites which users are encouraged to check if they are asked to transact on unfamiliar website domains."

Mr Teo also said that for messages delivered to citizens through SMSes, the Government will only use links where it is important to mobilise large numbers quickly and other channels are assessed to be less effective.

"We will not ask users to provide their credentials, such as passwords, through websites directly accessed through SMS links."

In his response, Mr Teo also said removing links in SMSes, e-mails or other messaging platforms does not eliminate the risk of users falling prey to phishing attempts.

"SMS can reach anyone with a mobile phone, even if they do not use a smartphone or e-mail, with nearly 100 per cent coverage," he said, noting that the Government has attached links in SMSes to mobilise citizens to get vaccinated during Covid-19.

"Given the above trade-offs between reach and vulnerability to spoofing, the Government will implement a number of measures in order to have safeguards and give users confidence when interacting with SMSes."