All banks to register alphanumeric SMS IDs after OCBC phishing scam: Josephine Teo

Communications and Information Minister Josephine Teo in Parliament. (PHOTO: Screenshot/MCI YouTube channel)

SINGAPORE — All major retail banks in Singapore will be required to register their alphanumeric identifications onto the new SMS sender ID protection registry, in the wake of the recent OCBC Bank SMS phishing scam.

Josephine Teo, Minister for Communications and Information, told Parliament in her ministerial statement on Tuesday (15 February) that alphanumeric IDs, which let legitimate businesses identify themselves to customers by sending SMSes from a named entity instead of a string of numbers, were used by scammers to enter the message thread between legitimate business senders and their customers, as was the case in the OCBC scam.

"This alphanumeric ID is not automatically protected as part of the SMS protocol," she said.

"An organisation can register the alphanumeric ID that they use, thus reducing the risk of an illegitimate sender spoofing the same alphanumeric ID, and having the message appear within the same message thread."

Besides all major retail banks, Teo said that all government agencies will likewise commit to registering their alphanumeric IDs on the protection registry.

In addition, the Infocomm Media Development Authority (IMDA) will require SMS service providers and telcos to check SMS senders against the registry. This means that SMSes that try to spoof registered IDs will not be delivered, as the sender details would not match registry records.

Teo said that all organisations that want to send SMSes to phone subscribers in Singapore must also have a valid Unique Entity Number to help police with investigations in the event of a scam.

“To further close these gaps, we will consider requiring all users of alphanumeric IDs to be registered,” she added. “Scammers will then not be able to send SMS using alphanumeric IDs except by joining the registry.”

Telcos to boost analytics to block suspect spam calls

In the OCBC phishing case, which started amid the year-end festive period last year, a total of S$13.7 million was lost in scams involving SMSes impersonating OCBC Bank, affecting 790 customers.

Victims received unsolicited SMSes claiming that their OCBC bank accounts had issues that needed to be resolved by clicking on a link. The link, however, redirected the victims to fake bank websites that required them to key in their log-in details, which eventually resulted in unauthorised account transactions.

Teo said in her ministerial statement that, while blocking scam websites is part of upstream measures to disrupt scammers’ plans, scam calls and SMSes employ “social engineering” techniques to cause fear and panic among victims to lead them to the fake websites.

She added that IMDA and the police blocked about 500 suspected scam websites in 2020, before casting the net more widely in 2021 to block 12,000 such websites.

In addition, telcos block around 15 million suspicious incoming overseas calls each month, or one in seven of all incoming overseas calls. The number of scam calls is expected to rise, given that scammers are changing tactics to increase their reach.

"Our telcos plan to incorporate additional analytics to block more of these suspected scam calls. We estimate that up to 55 million calls will be blocked each month," Teo said.
