SMS providers, telcos to be required to block spoof SMSes from unregistered senders: Josephine Teo

- SMS providers and telcos will need to verify SMS senders against a national registry, block messages when senders' details do not match
- All organisations seeking to send SMS messages using IDs registered with the registry must have a valid unique entity number
- The number of suspected scam websites blocked jumped from 500 in 2020 to 12,000 in 2021
- Every month, telcos block 15 million incoming overseas calls
- They are planning to boost their capacity to block up to 55 million a month
SINGAPORE — The Infocomm Media Development Authority (IMDA) will require short message service (SMS) providers and telecommunications companies to check SMS senders against a national registry aimed at curbing scams, Communications and Information Minister Josephine Teo said.
The SMS service providers and telcos will have to block spoofed messages sent under a registered sender ID when the sender’s details do not match the registry’s records, she added.
Mrs Teo, who is also the Minister-in-charge of Smart Nation and Cybersecurity, announced this in a ministerial statement in response to 39 parliamentary questions filed by Members of Parliament on online phishing and spoofing scams in the wake of the recent OCBC phishing scam.
Sender IDs are names that identify the sender of an SMS message so that a word or phrase (such as "OCBC"), instead of a number, is displayed on the recipient's mobile phone.
All organisations seeking to send SMS messages using IDs registered with the SMS Sender ID protection registry must also have a valid unique entity number (UEN), which is an identification number issued to a registered entity.
This, she said, will help the police with investigations in the event of a scam.
However, even with the extra safeguards, Mrs Teo warned that the SMS system was never designed for secure messages and urged organisations to practise more restraint when sending such messages.
“It is like postal services,” she said. “They are generally safe, but we would not send very valuable items even using registered post.”
And while the authorities have required banks in Singapore to stop sending clickable links in SMS messages to retail customers, Mrs Teo said that expanding this rule to other organisations will cause inconvenience and could even be “detrimental” to public health.
“Members will know that clickable links are everywhere,” she told the House.
“They are used extensively, because they are highly effective in getting people to take action. For example, using such links, millions of vaccination appointments were quickly and conveniently booked.”
A blanket removal must therefore be very carefully considered, she added.
SENDER ID
The authorities will also consider requiring all users of sender IDs to be registered so that scammers will not be able to send SMS messages using sender IDs except by joining the registry.
Many victims in the OCBC phishing scam had been tricked by fake SMS messages that appeared in the same thread as legitimate text messages from OCBC for one-time passwords and transaction alerts.
The swindlers impersonated the bank by putting their sender ID as “OCBC”, claiming that there were issues with the customer’s bank accounts or credit cards.
The authorities said last month that they were working on getting all telcos, banks and SMS aggregators in Singapore to sign up for the SMS Sender ID protection registry and TODAY reported that this will be made mandatory.
Mrs Teo confirmed this on Tuesday, saying that the Monetary Authority of Singapore has decided that all major retail banks must sign up to register the sender IDs they use to communicate with their customers.
WEBSITE, CALL BLOCKING
In the OCBC phishing scam, victims who received the spoofed SMS were led to a fake website that looked indistinguishable from the real OCBC website. They were tricked into keying their log-in credentials and one-time passwords into the scam websites, which the scammers used to make fraudulent transfers.
Mrs Teo said that in the OCBC case, more than 350 scam websites were blocked. At the peak, the authorities blocked about 52 sites in a single day.
The police and IMDA work closely with internet service providers to block these websites, she added.
In 2020, about 500 suspected scam websites were blocked. This jumped to 12,000 last year.
Mrs Teo said that the authorities have the capacity to block many more suspicious sites, but scammers often react quickly and can quickly create new websites.
Having said that, website blocking remains important and government agencies will explore using artificial intelligence technologies to identify and block scam websites more quickly, she added.
By the third quarter of this year, the National Crime Prevention Council will also start a WhatsApp channel to crowdsource information on scam websites and messages from the public.
Besides blocking websites and spoofed SMS messages, telcos have also been blocking scam calls — most of which are from overseas.
Every month, the telcos block about 15 million calls, or one in seven of all incoming calls to Singapore from overseas.
“We expect the number of scam calls to rise, given the changing tactics of scammers to increase their reach,” Mrs Teo said.
The telcos are planning to strengthen their capacity to block more suspected scam calls and it is estimated that up to 55 million calls will be blocked every month.
“Across the ecosystem, making these changes may result in additional cost and some loss of convenience,” she added. “But they are necessary to better safeguard our people from scams.”