SINGAPORE (THE BUSINESS TIMES) – Over 800 people have signed an online petition calling for the Infocomm Media Development Authority (IMDA) to enforce pre-registration for SMS sender IDs, in the wake of bank SMS phishing scams in Singapore.
Nearly 470 customers lost at least $8.5 million in SMS phishing scams involving OCBC last month.
This happened when the bank’s customers received SMSes purporting to be from the bank, claiming there were issues with their bank accounts. Victims then clicked on a link that mirrored the OCBC website – but was actually set up by scammers – and were asked to key in their Internet banking account login details.
The online petition, started by user Captain Sinkie on Change.org, pointed out that scammers can easily “abuse” the lack of an SMS sender ID pre-registration requirement in Singapore. It appealed to IMDA to consider enforcing such a requirement.
While most banks use SMS number masking technology, in the case of the OCBC phishing scam, scammers managed to replace the phone number with an alphanumeric “spoofed header” or sender ID, which was the name of OCBC. The fake SMSes were also particularly believable as they showed up to customers in the same message threads as older but official OCBC messages.
Currently, most countries, including Singapore, do not mandate pre-registration to send SMS messages with sender IDs. However, some places such as Hong Kong, Armenia and Qatar do require pre-registration to send messages with alphanumeric sender IDs.
IMDA has since urged more businesses and banks to participate in a government pilot it has set up in collaboration with the Monetary Authority of Singapore (MAS), which enables organisations to register the SMS sender ID headers they wish to protect.
Under the Singapore SMS SenderID protection registry pilot, which was set up in August 2021, messages will be blocked when there is unauthorised use of protected SMS sender IDs, said IMDA on Monday (Jan 17). It was responding to a forum letter submitted by a member of the public, who called for telcos to be the first line of defence against spoof traffic.
“The success of this measure, however, requires business and organisations such as banks to participate in the pilot, which would include registering the SMS sender IDs they wish to protect, and choosing the approved SMS aggregators that are allowed to send SMSes on the banks’ behalf,” said IMDA.