SINGAPORE - Financial adviser Tan Zhi Liang thought he had been scammed after buying flight tickets to South Korea from Trip.com, when he saw a booking verification SMS flagged as “likely scam”.
Mr Tan, 29, said: “I thought I had made a purchase from a scam site. I found it weird at first, but I double-checked my booking and it was there, so I didn’t worry too much then.”
He is among a handful of Internet users who received SMSes marked as “likely scam” after a new system by the Infocomm Media Development Authority (IMDA) dubbed the SMS Sender ID Registry kicked in on Tuesday to alert users to possible scam messages.
But some of these SMSes marked as “likely scam” have come from legitimate businesses for genuine communications, leading to confusion among some Internet users.
Tech consultant Tricia Chia hesitated to log into her firm’s insurance provider Cigna to make a medical claim when she received an SMS with the “likely scam” label containing a verification code.
“I got scared and didn’t dare to complete my task because I didn’t want to get scammed,” said Ms Chia, 25.
She later logged in to her account using the verification code after a friend told her about the SMS registry, and the possibility of legitimate business communications being wrongly labelled at the start.
The registry, which is able to detect and block spoofed SMSes upfront, currently labels SMSes that use alphanumeric sender names as “likely scam” if the senders have not listed with it. From July, SMSes from businesses not listed on the registry will be entirely blocked.
Ms Konstance Lim, 26, who received a one-time verification code from event planning app Partiful, said she thought it was a new function by the mobile network provider to flag sources that may not be widely-known.
“But I continued with it since the website was recommended by a friend, so I trusted that it won’t be a scam,” said the product manager.
Users also received SMSes marked “likely scam” from e-retailer Amazon and online gaming site Stream, according to screenshots seen by The Straits Times.
ST has contacted Trip.com, Partiful, Cigna, Amazon and Stream for a comment. ST has also asked IMDA what it plans to do to educate users and businesses to minimise confusion.
Users had also received such SMSes from Okta, a widely-used access management provider that issues authentication codes to users. Okta told ST that it is in the midst of registration.
ST understands the Meta has applied for the registry and is in the midst of getting various sender names approved. During this process, some Facebook, WhatsApp and Instagram users may receive authentication SMSes labelled with a five-digit number in the interim, instead of a typical sender ID.
Nearly 2,000 companies including major telcos, e-commerce sites, and online platforms like Google have signed up as at Monday for the registry to have their company identities clearly seen in SMSes sent to users. It is also not known how many firms use alphanumeric SMS sender names to communicate with customers.
Firms need to pay a one-time set-up fee of $500 and a yearly fee of $200 for each registered sender name to get on the IMDA’s SMS Sender ID Registry, designed to tackle SMS sender name spoofing. Scammers had spoofed OCBC’s sender name in SMSes, and swindled a total of $13.7 million from 790 OCBC Bank customers in December 2021 and January 2022.
American cloud computing company PagerDuty alerted customers in an e-mail on Saturday that its SMS notifications may be marked as “likely scam” as the company is in the midst of getting its application approved by the IMDA.
It urged users with a local number to update their contact information and use an alternative notification channel like e-mail before Jan 31 to reduce the chance of any disruption.
What you need to know about the SMS Sender ID Registry
Objective: The SMS Sender ID Registry is a new measure by the authorities to crack down on spoofing messages sent by scammers using alphanumeric sender names nearly identical to ones used by legitimate organisations.
Pricing: A one-time fee of $500 and an annual charge of $200 per registered sender name.
What it does: The registry only allows approved companies to have their alphanumeric sender names seen by users. SMSes from non-registered companies that use alphanumeric sender names will be flagged as “likely scam” for a transition period of six months, before being blocked completely from July.
Companies already listed: 2,000 including Google, Shopee, Lazada, Alibaba Cloud, M1, Singtel, StarHub and RedOne
Companies being flagged as “likely scam”: Trip.com, Amazon, Okta, Steam, Cigna, Great Eastern, Partiful, Switch, Singlife with Aviva.