As part of the multi-pronged effort by the Infocomm Media Development Authority (IMDA) and other stakeholders to combat scams and safeguard SMS messaging as a communications channel, the IMDA will implement two measures following a public consultation:
- Mandatory registration with the Singapore SMS Sender ID Registry (SSIR): Registration with the SSIR will be mandatory for all organizations that use SMS Sender IDs.
- Telecommunications operators to implement SMS anti-scam filtering solutions: Anti-scam filtering solutions will be implemented by telecommunications operators within their mobile networks to automatically filter potential scam messages before they reach consumers.
Full SMS sender ID registration
The pilot SSIR regime was first launched in August 2021. However, due to an increase in scam messages, the setting up of the SSIR was accelerated in March this year. As a result, there was a marked 64% reduction in scams through SMS between the end of 2021 to mid-2022.
Sender IDs permit the identification of the sender of an SMS message, so that a word or phrase appears instead of a number. The SSIR regime allows organizations to block messages sent by scammers attempting to use these registered Sender IDs. In this way, the regime aims to prevent scammers from impersonating banks and other organizations.
Though registration with the SSIR is currently voluntary, registration will be made mandatory with effect from 31 January 2023. Only SMSes with registered Sender IDs will be transmitted, and all other Sender IDs will be blocked.
Notably, both local and foreign organizations registering with the SSIR must first present a local unique entity number (UEN) that can be obtained through registration with the Singapore Accounting and Corporate Regulatory Authority (ACRA).
As some organizations may need time to prepare and register, and because organizations’ SMS messages will not be clearly differentiated from other SMS messages that come from unknown sources, all non-registered SMS Sender IDs after 31 January 2023 will be channeled to a Sender ID with the header “Likely-SCAM” for a period of approximately six months. According to the IMDA, this is akin to a “spam filter and spam bin”. To avoid their messages being labelled as such, the IMDA encourages merchants to have their Sender IDs registered with the SSIR as early as possible.
Anti-scam SMS filtering solutions
From the end of October 2022, key mobile operators will implement anti-scam filtering solutions in their networks. This involves the use of machine-reading technology and it will take place in two phases.
The first phase involves the automatic scanning of SMS messages sent via the telecommunications network for malicious links, allowing the upstream filtration of potential scam messages. The second phase involves detection of keywords, phrases and formats typical of fraudulent messages.
Some messages may require further human assessment, in which case personal data will be stripped by the machine before being channeled to technical personnel for additional review. The hope is that the accuracy of the artificial intelligence system will increase over time and keep pace with scammers’ evolving tactics.
Notably, mobile operators Singtel, Starhub, and M1 have voiced concerns over privacy violations and SMS disruptions with the roll-out of the two above-mentioned measures. In particular, members of the public may not be aware that their SMS messages will be scanned. The involvement of human review is also cause for concern, even with anonymization measures in place.
With regard to SMS disruptions, concerns are that due to the nascence of anti-scam filters, SMS delivery could be degraded, resulting in delays of the delivery of, for example, OTPs (one-time passwords). Overseas organizations that are unaware of the SSIR regime would also be disadvantaged, and may ultimately choose not to send SMS messages to their customers in Singapore due to additional costs.
Read the other measures introduced to combat SMS-phishing scams in our earlier newsletter here.