SMS spoofing: Has Singapore finally found the answer to stop scammers?

• With recorded cases increasing from 16 to 5,020 in just four years, phishing is still a major issue in Singapore
• The Infocomm Media Development Authority (IMDA) has unveiled a new SMS Sender ID registry (SSIR) that can ban spoof texts

Every new technological development coincides with a corresponding improvement in the fraud industry. From the very first email scams in the early days of the internet to the most recent developments in nefarious tech scams, such as SMS spoofing. It seems reasonable to believe that this is how things will always be – evolving.

There has been a lot of uproar about this in Singapore. According to CNA, 60 victims have actually lost between SG$60 and SG$3,000 as a result of recent phishing scams. There was also the major SMS phishing campaign involving OCBC bank earlier this year.

As such, In Singapore, phishing is still a major issue, with the number of reported occurrences rising from 16 to 5,020 in a span of four years. This is a problem, but there is hope. The Infocomm Media Development Authority (IMDA) has launched a new SMS Sender ID register (SSIR) that can ban spoof messages “upfront and at source,” which may spell the end for SMS scammers in Singapore.

Accordingly, spam messages that could be exploited for phishing will automatically be prevented by not being included in this new ID register.

SMS spoofing can be blocked

Legal experts from Rajah and Tann and Drew & Napier LLC point out that the IMDA-developed register is more effective at guaranteeing that firms and organizations in Singapore are spoof-proof since it has a “more proactive” phishing strategy.

On March 7, the previous registry was shut down. According to Lim Chong Kin, head of Telecommunications, Media & Technology Practice at Drew & Napier LLC, it used a “blacklist-based” strategy, whereby companies and organizations would register their SMS sender ID and a blacklist of lookalike SMS sender IDs would be distributed to SMS aggregators for automatic blocking.

Rajesh Sreenivasan, head of Technology, Media and Communications for Rajah & Tann, claims that because this strategy was “confirmation-based” and customers continued to receive counterfeit messages, it was ineffective in stopping phishing scams.

The fact that “potentially suspicious messages originating from non-approved aggregators would still have to be investigated before being added to the blacklist” explains why some customers continued to receive fake SMSes, according to Lim.

“This method relied on businesses and organizations’ specifying their protected SMS sender IDs, as well as the approved aggregators authorized to send SMSs on their behalf,” Lim added.

He described how businesses can register their protected SMS sender IDs against their Unique Entity Number (UEN) under the new registry’s “whitelist-based” approach. SMSes sent using a registered sender ID will be prohibited when the sender’s information does not match the registry’s data, and telcos and SMS service providers will be forced to validate SMS senders against the registry.

Do it for the consumers

If OCBC losing SG$13.7 million as a result of phishing scams isn’t enough to persuade companies to join the national registry, Lim advised them to at least do it to safeguard customers.

“Apart from the financial losses which victims of SMS spoofing and phishing scams may suffer, such scams may also result in the unauthorised collection, use, or disclosure of users’ personal data without their consent,” Lim explained.

According to Lim, companies that enroll in the SSIR will also experience an increase in customer trust and brand reputation because the registry would give them a reliable defense against the possibility of having their sender IDs exploited fraudulently in SMS frauds.

Sreenivasan, on the other hand, cautioned that companies that want to utilize SMS but did not take “baseline protection” measures like registering at the SSIR can face heavy penalties if a breach occurs.

Enhancing Singapore’s data protection standards

The SSIR not only assists companies in reducing the danger of financial losses brought on by phishing, but also maintains customer confidence in Singapore’s data protection framework, according to Sreenivasan.

“This is part of a larger series of steps that [the] government is taking to maintain and ensure the high cybersecurity trust levels for e-commerce and digital trade in Singapore,” he added.

---

---

---

---