Anti-SMS spoofing: What it is, why no mandate for it yet

Victims of a massive bank scam rampant last month were fooled because fake SMS messages appeared in the same SMS thread as genuine ones sent previously by the bank for one-time passwords (OTPs) and transaction alerts.

It turns out the SMS sender name "OCBC" was spoofed by scammers, who lured victims to click on fraudulent links to access a fake banking website. Nearly 470 customers lost at least $8.5 million, making it one of the largest scams to date involving a single bank.

A government-backed registry launched in August last year to allow firms to list protected sender names was designed to stop such spoofing.

The Straits Times explains how the Singapore SMS SenderID Protection Registry works and why it still has not been mandated.

The first registry was developed in 2018 by global trade body, the Mobile Ecosystem Forum. It was first trialled in the United Kingdom in 2019, with the support of major telcos BT, O2, Three and Vodafone.

The development followed a rise in spoofing by SMS, in which scammers impersonate commercial entities using their trade names in lieu of a phone number.

It allows organisations such as banks, retailers, telcos and government agencies to register and protect their brand names - be it DBS, Singtel or the Ministry of Health (MOH) - in SMS headers.

Any unauthorised party that tries to send SMS messages using the registered names will be flagged and blocked on mobile operators' networks.

ST understands that the Infocomm Media Development Authority (IMDA) and the Monetary Authority of Singapore (MAS) created a version of the same registry here to deal with the growing threat of SMS scams that target banks, for a start. It was launched in August last year.

ST also understands that some of the major banks here - including DBS Bank, UOB and OCBC Bank - have listed their brand names on the registry. When asked, OCBC did not say when it joined the registry.

IMDA said companies such as Singapore Post and e-commerce platform Lazada have also signed up.

According to the Mobile Ecosystem Forum, major banks and government brands in the UK have registered 352 names to date.

The registry has blocked over 1,500 unauthorised variants, and counting. Of these variants, about 300 sender names are linked to the UK government's coronavirus campaign.

Sender names set up by fraudsters - comprising misspellings and special characters to impersonate genuine merchants and brands - are also being blocked by telcos and messaging platform operators in the UK via a "denied list".

Ireland, too, launched a similar registry in July last year to block unauthorised SMS senders who use names listed in the registry. So far, banks, retailers, utilities providers, government agencies and merchants have registered.

Smartphones cannot tell if a sender is genuine or fake. The SMS system in smartphones groups all messages with the same sender name in the same thread. This is why the SMS SenderID Protection Registry plays a key role in screening scam messages.

ST understands that the registry was meant to be a pilot at first, involving voluntary participation.

Its launch last August followed a spate of SMS scams targeting online banking customers earlier in the year. According to the police, 374 bank customers lost $1.07 million from January to May last year from such scams.