The Infocomm Media Development Authority (IMDA) has moved to set up a full-fledged Singapore SMS SenderID Registry (SSIR) that can identify spoofed messages using protected SMS sender IDs and block these messages upfront. This more-proactive stance to better protect consumers is a regulatory requirement going forward.
SSIR has already begun the process of onboarding organisations – in particular banks, government agencies and other interested organisations. They will have their registered sender IDs protected once fully onboarded. Together with the Monetary Authority of Singapore, IMDA introduced the SSIR as a pilot in August 2021 in collaboration with the UK Mobile Ecosystem Forum as a commercial service provider.
MEF had previously informed that IMDA’s requirements to meet Singapore’s needs going forward are not consistent with its business model. As IMDA will be moving towards a more fully-fledged SSIR, the MEF and IMDA have therefore jointly decided to conclude our pilot which has provided them with useful inputs to move on with their new model.
In previous scams, nearly 470 customers of a major Singapore financial institution lost at least SGD 8.5 million to SMS-phishing scams. Fake SMSes appeared in the same thread as legitimate text messages previously sent by the bank for OTPs and transaction alerts.
The scammers impersonated the bank, setting their sender IDs to be identical to that of the bank and thus causing it to appear in the same thread on the customers’ mobile devices. These fake messages claimed that there were issues with the customer’s bank accounts or credit cards and instructed them to click a link, which led them to fake websites or requests for banking details.
These SMS scams are successful, firstly, because the grouping of fake messages with previous legitimate ones immediately makes them seem genuine. Secondly, phishing links in these fake SMSes are often shortened to disguise the actual URLs, making it difficult for victims to check their validity. Thirdly, the links lead to fake banking websites that also seem authentic.
The IMDA announced that a national registry would be rolled out. The IMDA urged all telecommunication companies, banks, and SMS aggregators in Singapore to register, and it reportedly may soon be made a requirement for these companies and organisations to do so.
Sender IDs permit the identification of the sender of an SMS message such that a word or phrase appears instead of a number. When scammers try to send messages using a registered sender ID, organisations may choose to block them from being sent. This prevents scammers from impersonating banks and other organisations and specifically targets situations like the most recent incidents.
As reported by OpenGov Asia, following the recent spate of SMS-phishing scams targeting bank customers, The Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) are introducing a set of additional measures to bolster the security of digital banking.
MAS expects all financial institutions to have in place robust measures to prevent and detect scams as well as effective incident handling and customer service in the event of a scam. The growing threat of online phishing scams calls for immediate steps to strengthen controls, while longer-term preventive measures are being evaluated for implementation in the coming months.
Banks will continue to work closely with MAS, the Singapore Police Force, and the Infocomm Media Development Authority (IMDA) to deal with this scourge of scams. This includes working on more permanent solutions to combat SMS spoofing, including the adoption of the SMS Sender ID registry by all relevant stakeholders. MAS is also intensifying its scrutiny of major financial institutions’ fraud surveillance mechanisms to ensure they are adequately equipped to deal with the growing threat of online scams.