IMDA urges more businesses to sign up with anti-SMS spoofing registry to combat scams

Number masking, which is used by most organisations, including banks, has been blamed for the recent OCBC SMS scams. PHOTO: ST FILE

SINGAPORE - The Infocomm Media Development Authority (IMDA) has urged more businesses to sign up with a government pilot programme that was launched in August 2021 to allow organisations to register SMS sender IDs they wish to protect.

With this, SMS messages will be blocked when there is unauthorised use of the protected sender IDs, said the IMDA in a letter published in The Straits Times Forum on Monday (Jan 17).

It added that some banks have already signed up for the registry, without specifying which banks or when they had signed up.

OCBC Bank, whose customers have been plagued by SMS scams, confirmed it is participating in the pilot scheme. But it did not say when it had signed up.

Other companies such as Singapore Post and e-commerce platform Lazada have also signed up, IMDA said.

It was responding to a Forum letter by Mr Koh Wai Kit, who called for telcos to be the first line of defence against spoofed calls and SMS messages.

IMDA was also responding to ST articles about the recent OCBC Bank SMS scams in which nearly 470 customers lost at least $8.5 million in December last year.

Number masking, which is used by most organisations, including banks, has been blamed for the recent OCBC SMS scams.

This technology allows an SMS message sent by a bank to show up on a customer's phone as being from the bank, rather than an unfamiliar phone number. What is displayed in lieu of the phone number is the bank's SMS sender ID.

Scammers have been using number masking to impersonate banks by replacing any phone number with the bank's SMS sender ID. This allows the scam messages to appear in the same thread as other legitimate messages from the bank.

IMDA said the Singapore SMS SenderID protection registry pilot scheme, which was launched in collaboration with the Monetary Authority of Singapore, is part of ongoing work by the authorities to combat spoofing scams.

Other initiatives include blocking commonly spoofed numbers and prefixing all incoming international calls with "+65" to alert the public to a potential scam call.

However, the success of the SMS protection registry, which was developed in 2018 by the Mobile Ecosystem Forum, a global trade body, and first trialled in Britain in 2019, depends on the participation of businesses and organisations.

This is because the organisations need to specify which SMS sender IDs need to be protected and what parties are approved to send SMS messages on their behalf using the sender IDs, said IMDA.

The approved parties are called SMS aggregators, and only Tier 1 SMS aggregators are licensed to handle commercial SMS traffic. SMS messages with the protected sender IDs but are sent by unauthorised aggregators are flagged and blocked.

Some countries such as Armenia and Qatar require pre-registration before messages with alphanumeric sender IDs can be sent, The Business Times reported.

But most countries - Singapore included - do not mandate pre-registration.

IMDA did not respond by press time to queries on the number of participating organisations, why the registry has not been made mandatory, or what has been done to encourage more participation.

Singtel said number masking technology has been on the rise and the telco has, for five years, been blocking incoming SMS messages with alphanumeric sender IDs that are not officially routed through Tier 1 SMS aggregators.

Each year, Singtel blocks an estimated 40 million messages originating from overseas mobile operators, said a spokesman.

Given the increasing sophistication of online scammers, Singtel said it also regularly updates its SMS firewall and uses artificial intelligence and analytics to block messages with harmful Web links.

"The security of our mobile subscribers is of paramount importance and we believe everyone in this communication chain - from companies to mobile network operators to aggregators - has a critical role to play," the telco told ST.

"We urge all subscribers to stay hyper vigilant against SMSes containing hyperlinks that solicit OTPs (one time passwords) for the purpose of transactions."

Join ST's Telegram channel and get the latest breaking news delivered to you.