Govt agencies exploring use of AI to block scam websites faster: Josephine Teo

Fake sites played a large part in the scams that caused 790 OCBC customers to lose $13.7 million from December to January. PHOTO ILLUSTRATION: ST FILE

SINGAPORE - Government agencies are looking into using artificial intelligence (AI) to quickly detect and block scam websites through telco networks to protect the public from being scammed.

To complement this, the National Crime Prevention Council will also launch a WhatsApp channel by the third quarter of this year to source information on scam websites from the public.

These come in the wake of a spate of SMS phishing scams that targeted OCBC Bank customers recently.

Announcing the new moves on Tuesday (Feb 15), Minister for Communications and Information Josephine Teo said in Parliament that one of the Government's upstream measures to combat scams is disrupting the ability of scammers to reach potential victims through communications infrastructure such as telco networks.

A key part of that is blocking scam websites because of how such sites allow scams to be “processed with greater scale and speed” than through phone calls or SMS texts, she said.

No direct human interactions are needed when phishing through a scam website, in contrast to phishing for victims' credentials and personal data by phone or SMS.

Mrs Teo, who is also Minister-in-Charge of Smart Nation and Cybersecurity, was delivering one of three ministerial statements addressing the Government's approach to fight scams, in response to 39 parliamentary questions filed on the matter.

The Infocomm Media Development Authority (IMDA) and police work with Internet service providers to block scam websites, which helps protect most Singaporeans - more than nine in 10 - who go online daily.

The Ministry of Home Affairs (MHA) told The Straits Times that the police have  been using analytics to detect and block scam websites.
This includes using image and text analytic tools that look for tell-tale characteristics of scam websites, such as domain names that look like those of others, and websites whose content mimics that of official or genuine entities.

In 2020, about 500 suspected scam websites were blocked. But this number jumped in 2021 to 12,000 with the use of analytics, said MHA.

Fake sites played a large part in the scams that caused 790 OCBC customers to lose $13.7 million from December to January. Crooks had spoofed OCBC's name to send SMSes to victims, claiming there were issues with their banking accounts.

This caused the scam texts to be grouped together with legitimate SMSes from the bank, which many victims said led them to think the fake messages were genuine.

The scam SMSes prompted victims to click a link which led them to a fake OCBC website where they were asked to key in their banking details.

Mrs Teo said that in the OCBC cases, more than 350 scam websites had been blocked, with around 52 sites blocked in a single day at the peak.

However, she said that the crooks were quick to create new websites over the course of their scam campaign, and that this kind of behaviour will persist.

So, using AI to help detect and block such sites, as well as having the new WhatsApp scam channel, could help the Government strengthen its ability to tackle scam sites and be more responsive.

MHA said  the use of AI to identify scam websites is relatively less developed than using it to identify malicious websites that pose cyber-security issues.

“The police are working with other government agencies, such as the Cybersecurity Agency of Singapore and IMDA, to explore how such technological tools can help identify scam websites for our local context,” said the ministry.

These tools would help the police to more efficiently and effectively detect and block the huge number of scam websites being put up, said MHA.

On the upcoming WhatsApp scam channel that allows the public to report scam websites and messages, MHA  that the National Crime Prevention Council will share information on the sites with the police so  they can be blocked.

The publicly sourced scam information from the channel can also be used by the council and the authorities to help detect and study new scam trends, as well as take action more quickly, such as issuing early alerts to the public.

Another important measure to upset scammers' plans is to block suspected calls made by them, mostly from abroad, that try to trick victims by scaring them.

The Government expects the number of scam calls to rise, due to the changing tactics of scammers to increase their reach.

To address such scam calls, Mrs Teo said on Tuesday that the telcos here plan to build additional analytics capabilities to block more of these calls.

IMDA told The Straits Times it expects the telcos to do this by the end of the year.

The Government estimates that up to 55 million calls will be blocked each month by the telcos as a result, up from 15 million currently or one in seven of all incoming overseas calls to Singapore.

This is on top of existing measures - for instance, since April 2020, telcos have added a "+" prefix to all incoming overseas calls to help the public identify potential scam calls from overseas that may spoof local numbers to appear more legitimate.

To a query by Mr Melvin Yong (Radin Mas) on whether scam calls made over the Internet, such as through messaging apps like WhatsApp, can be blocked too, Mrs Teo said that these are currently not blocked.

Still, she said that the Government is “constantly looking at what channels are being exploited for scams to be perpetrated”.

As for criminals spoofing legitimate organisations' names to send scam SMSes to victims, like what happened in the OCBC scams, Mrs Teo reiterated that the Government will consider requiring all users of SMS sender names, also called alphanumeric identities, to be registered with the Government's anti-SMS spoofing registry.

This should mean that scammers will not be able to use an SMS sender name, such as another organisation's, unless they sign up with the registry.

IMDA will engage the industry on this later this year.

The Singapore SMS SenderID Protection Registry was set up by IMDA and the Monetary Authority of Singapore (MAS) in August last year as a pilot scheme to register and protect from misuse names used for sending SMSes.

Currently, MAS has decided that all major retail banks must register the SMS sender names they use to communicate with customers. The Government has said that all its agencies will do the same.

SMS service providers and telcos have also been required by IMDA to check SMS senders against the registry, so that SMSes sent by spoofed names will not be delivered if the sender details do not match registry records.

To help the police with investigations when a scam occurs, all organisations that send SMSes using registered names here must also have a valid Unique Entity Number (UEN) for identification.

Mr Gerald Giam (Aljunied GRC) asked if it would still be possible for overseas scammers to send scam texts using unregistered SMS sender names.

To this, Mrs Teo explained that when a party approaches an SMS service provider to send messages using an SMS sender name, the provider has to check the name against the registry.

The party will be turned away by the SMS service provider when the following conditions are met: if the name that the party wants to use is already on the registry, and if the details of the party do not match registry records, such as its UEN and the path used to send the SMS.

This happens regardless of who the party is and where it is requesting the SMS service.

To plug the gap posed by unregistered and therefore unprotected SMS sender names, IMDA told The Straits Times last month that it is considering making it mandatory for all organisations to join the anti-SMS spoofing registry to register the sender names they want to use.

Mrs Teo said on Tuesday that it will take time to implement these measures and they come at a cost.

If implemented, companies that do not register their SMS sender names will have their SMSes appear only with their phone number instead of the company's name, like "ABC company". The businesses' customers could save these numbers in their contact lists to help them recognise such numbers.

Due to these implications, Mrs Teo said IMDA will study the matter carefully before mandating the registration of all SMS sender names.

But she also urged organisations to rethink how they use SMS to communicate with customers, adding that SMS is old technology and that the system was "never designed for secure communications".

Mrs Teo said that more restraint is needed when SMSes have or will lead to sensitive and confidential information or high value transactions.

And while many different measures are being adopted and considered to tackle scams, she said that the best defence against new types of scams is a vigilant public, pointing to efforts by the public and private sectors, as well as community initiatives, to educate people against online threats.

While the anti-scam measures may result in additional cost and some loss of convenience, Mrs Teo said that “they are necessary to better safeguard our people from scams”.

“Equally importantly, they will help to uphold confidence in our digital journey,” she added.

Join ST's WhatsApp Channel and get the latest news and must-reads.