SINGAPORE - All organisations that communicate with the public through SMSes will have to list their SMS sender IDs with a government-backed central registry, if a multi-pronged proposal to tackle scams goes through.
Singapore's SMS Sender ID Registry (SSIR), which started operating in March this year, is said to be able to detect and block spoofed SMSes upfront.
It is operated by the Infocomm Media Development Authority's (IMDA) subsidiary Singapore Network Information Centre.
Since its launch, more than 120 public and private sector organisations have registered, said IMDA on Monday (Aug 15).
"To build stronger scam prevention capabilities, we intend to make SSIR registration a requirement for organisations that use sender IDs," said IMDA.
This means that only registered sender IDs will be allowed to send SMSes. All other non-registered sender IDs will be blocked by default.
"This further safeguards SMS as a communication channel," said IMDA.
Organisations that do not use sender IDs when sending SMSes will not be affected by this proposed measure.
To give organisations time to register, IMDA proposed a transition period from October to the end of this year.
Currently, there is a one-time registration fee of $500, and a yearly fee of $1,000 for protection of up to 10 sender IDs.
As an additional safeguard, IMDA also proposed that telcos use solutions based on machine-reading technology to identify and filter potential scam messages upstream on their networks. For a start, these solutions can detect and filter malicious links within SMSes.
The proposed measures are outlined in a consultation which will close on Sept 9.
Spoofed SMSes have come under greater scrutiny in Singapore since the start of the year, when a spate of phishing SMS scams saw 790 OCBC Bank customers lose $13.7 million in total.
The incident led to additional measures, including the removal of clickable links in SMSes or e-mails sent to retail customers, being imposed on banks.
The banks were also required to sign up for a pilot anti-SMS spoofing registry, which the SSIR later replaced.
Among organisations listed on the current registry is the Central Provident Fund (CPF) Board, which advised the public in July that all SMSes from sender ID "CPF Board" are legitimate.
The CPF Board now sends SMSes using only the sender ID "CPF Board" on matters pertaining to CPF, Workfare and Silver Support. It has stopped using sender IDs "SG-Workfare" and "SG-SSS".
The Straits Times understands that other organisations on the registry include major retail banks such as DBS, UOB and OCBC, e-commerce firm Shopee, insurer AIA, SPH Media and the Singapore Exchange.
Mr Teo Chee Hean, Coordinating Minister for National Security, said in July that all government agencies would progressively join the registry, and that they will use only domains ending with ".gov.sg" when sending SMSes with links.
Exceptions, such as websites that are collaborations between government and non-government entities, are listed on www.gov.sg/trusted-sites, Mr Teo added.
The SSIR is part of a slew of measures that the authorities have introduced in the past three years to curb the scourge of scam calls and SMSes.
Since 2019, telcos have been blocking scam SMSes, the malicious links embedded within such messages, and commonly spoofed local numbers, such as those impersonating local government agencies and emergency services.
Since 2020, automated scam calls - also known as robocalls - have also been blocked using pattern recognition technology, while a "+" prefix has been displayed for all incoming international calls to help consumers identify possible spoofed ones.
IMDA said measures to block spoofed overseas fixed-line and mobile numbers will be completed by the end of this year.
It is also exploring future measures that would allow consumers to choose whether to receive international calls and SMSes.