The Business Times

Petition started for IMDA to enforce SMS sender ID pre-registration in wake of OCBC phishing scam

Paige Lim
Published Mon, Jan 17, 2022 · 03:29 PM

OVER 1,200 people have signed an online petition calling for the Infocomm Media Development Authority (IMDA) to enforce pre-registration for SMS sender IDs, in the wake of bank SMS phishing scams in Singapore.

Last month, it was reported that nearly 470 customers lost at least S$8.5 million in SMS phishing scams involving OCBC.

This happened when the bank's customers received SMSes purporting to be from the bank, claiming there were issues with their bank accounts. Victims then clicked on a link that mirrored the OCBC website - but was actually set up by scammers - and were asked to key in their Internet banking account login details.

While most banks use SMS number masking technology, in the case of the OCBC phishing scam, scammers managed to replace the phone number with an alphanumeric "spoofed header" or sender ID, which was the name of OCBC. The fake SMSes were also particularly believable as they showed up on customers' phones in the same message threads as older, official OCBC messages.

Currently, most countries including Singapore do not mandate pre-registration to send SMS messages with sender IDs. However, some countries such as Hong Kong, Armenia and Qatar do require pre-registration to send messages with alphanumeric sender IDs.

The online petition, started by user Captain Sinkie on Change.org, pointed out that scammers can easily "abuse" the lack of an SMS sender ID pre-registration requirement in Singapore. It appealed to IMDA to consider enforcing such a requirement.

In response to queries from The Business Times, UOB said that it was among the first to join IMDA's SMS Sender ID protection registry pilot in September 2021.

Said UOB's group chief information security officer Tobias Gondrom: "Given the possibility of scammers to spoof SMS sender names in the current telecommunications infrastructure, we see this pilot as a positive step towards preventing scammers exploiting consumers." 

IMDA has since urged more businesses and banks to participate in a government pilot it has set up in collaboration with the Monetary Authority of Singapore (MAS), which enables organisations to register the SMS sender ID headers they wish to protect.

Under the Singapore SMS SenderID protection registry pilot, which was set up in August 2021, messages will be blocked when there is unauthorised use of protected SMS sender IDs, said IMDA on Monday (Jan 17). It was responding to a forum letter submitted by a member of the public, who called for telcos to be the first line of defence against spoof traffic.

"The success of this measure, however, requires business and organisations such as banks to participate in the pilot, which would include registering the SMS sender IDs they wish to protect, and choosing the approved SMS aggregators that are allowed to send SMSes on the banks' behalf," said IMDA.
