SINGAPORE - From Jan 31, all organisations will need to register with a government-backed central registry if they communicate with the public using SMS messages with sender IDs that bear brand names.
From end-October, telcos here will also start to roll out automated filters in their network to weed out potential SMS scams, as part of the latest countermeasures in the aftermath of January's phishing attempts that swindled $13.7 million from 790 OCBC Bank customers.
The mandatory registration applies to organisations using alphanumeric sender IDs, which typically contain brand names and may carry a mix of both letters and numbers.
The decision to roll out the twin countermeasures comes after a month-long public consultation that ended in mid-September.
In its decision issued on Friday, the Infocomm Media Development Authority (IMDA) said it received support from both the public and merchants to roll out these measures.
"This is part of the multi-pronged effort by IMDA and other stakeholders to further safeguard SMS as a communications channel," it said in a statement on Friday.
Singapore's SMS Sender ID Registry (SSIR), which started operating in March, is said to be able to detect and block spoofed SMSes upfront. So far, its use has been voluntary.
For a period of six months from Jan 31, however, all non-registered SMS Sender IDs will bear the header "Likely-SCAM".
After the six months, all SMSes with non-registered SMS Sender IDs will be blocked by default.
Only SMSes with registered sender IDs will be allowed through to the public.
The process is expected to give the public better assurance that only bona fide organisations are using sender IDs bearing their brand name.
Earlier in the year, OCBC customers fell for the phishing scams by clicking on embedded links, as the SMSes they received had spoofed OCBC Bank as the sender.
SSIR is operated by IMDA subsidiary Singapore Network Information Centre, which will charge a one-time registration fee of $500, and a yearly fee of $200 for each protected sender ID.
Since its launch, more than 120 public and private sector organisations - including major retail banks DBS, UOB and OCBC, e-commerce firm Shopee, insurer AIA, the Singapore Exchange and the Central Provident Fund Board - have registered.
Organisations - both local and foreign ones - registering with the SSIR must first present a local unique entity number (UEN).
More than 563,000 business entities listed with the Accounting and Corporate Regulatory Authority have been issued UENs.
All SMS aggregators that handle alphanumeric sender IDs must be licensed by IMDA and register with the SSIR before they can send out SMSes to the public.
So far, only banks are prohibited from including clickable links in SMSes or e-mails to retail customers.
"This new regime will be helpful to businesses and enable them to continue providing timely and trusted information to customers via SMS," said Mr Wong Wai Meng, chairman of the Singapore Business Federation's digitalisation committee.
The automated SMS filters that local telcos - Singtel, StarHub and M1 - must roll out in two phases from end-October have also been implemented in Australia and the United Kingdom.
The first phase involves automated scanning for malicious links and matching them against a known blacklist before filtering is done.
The blacklist will be updated continually to stay relevant against new threats.
The second phase involves identifying suspicious SMSes by keywords, phrases and formats typical of fraudulent messages.
Some messages may require further assessment by a human.
These messages will have personal data stripped by the machine before they are channelled to technical personnel for a second layer of review.
Over time, the process will train the artificial intelligence system to develop higher accuracy and to keep pace with the evolving tactics of scammers.
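The two filtering phases and the redaction step described above can be sketched as follows. This is an added example, not code from IMDA or the telcos; the blocklist entry, phrase list, personal-data patterns, scoring rule and function names are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Every value below is constructed for illustration; none comes from a real feed.
BLOCKLISTED_DOMAINS = {"secure-login.example"}
SUSPICIOUS_PHRASES = ("account has been suspended", "verify your details", "within 24 hours")
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)
PII_PATTERNS = [
    (re.compile(r"\b[STFGM]\d{7}[A-Z]\b"), "[NRIC]"),    # Singapore NRIC/FIN shape
    (re.compile(r"(?<!\d)(?:\+65[ -]?)?[689]\d{3}[ -]?\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"(?<!\d)\d{9,16}(?!\d)"), "[NUMBER]"),  # account- or card-like digit runs
]

def link_hosts(text):
    """Return the hostname of every link, ignoring any user@ prefix in the URL."""
    hosts = []
    for raw in URL_RE.findall(text):
        try:
            host = (urlsplit(raw if "://" in raw else "http://" + raw).hostname or "").rstrip(".")
        except ValueError:  # malformed link, e.g. an unbalanced IPv6 bracket
            continue
        if host:
            hosts.append(host)
    return hosts

def is_blocklisted(host):
    """Match the host itself or any parent domain against the blocklist."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKLISTED_DOMAINS for i in range(len(labels)))

def redact(text):
    """Strip personal data before a message is queued for human review."""
    for pattern, token in PII_PATTERNS:
        text = pattern.sub(token, text)
    return text

def filter_sms(text):
    """Return (verdict, review_copy); review_copy is set only for 'review'."""
    # Phase 1: links in the message are matched against the blocklist.
    if any(is_blocklisted(h) for h in link_hosts(text)):
        return "block", None
    # Phase 2: phrases typical of fraudulent messages; a hit goes to a human, redacted.
    lowered = " ".join(text.lower().split())
    hits = sum(p in lowered for p in SUSPICIOUS_PHRASES)
    if hits >= 2 or (hits and URL_RE.search(text)):
        return "review", redact(text)
    return "deliver", None
```

Matching on the parsed hostname rather than the raw string means a link that puts a trusted brand name before an `@` is still judged by the host it actually resolves to.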