SINGAPORE: Authorities blocked more than 350 scam websites in the OCBC SMS phishing case, Communications and Information Minister Josephine Teo told Parliament on Tuesday (Feb 15), adding that up to 52 websites were blocked in a single day.
“But the scammers were quick to create new websites over the course of their campaign,” she said. “This pattern of behaviour will persist.”
Mrs Teo was giving a ministerial statement on tackling online phishing and spoofing scams, after a total of S$13.7 million was lost in phishing scams involving SMSes impersonating OCBC Bank, affecting 790 customers mostly during the year-end festive period last year.
Victims received unsolicited SMSes purportedly from OCBC claiming that their accounts had issues, and that these issues needed to be resolved by clicking on a link.
They were redirected to fake bank websites that requested they key in their iBanking account log-in details. They then received actual notifications on unauthorised transactions in their accounts – which is when they found out they had been scammed.
The police and the Infocomm Media Development Authority (IMDA) work closely with Internet service providers to block scam websites and alert users to be vigilant, Mrs Teo said on Tuesday.
They blocked about 500 suspected scam websites in 2020 before casting the net “much more widely” in 2021 to block 12,000 such websites, she said. “Countless more victims would have otherwise been scammed.”
“In fact, we have the capacity to block many more suspicious websites,” she added. “However, this does not mean that they will completely disappear from our screens. This is because scammers react quickly and dynamically to such blocks.”
Despite that, Mrs Teo said website blocking remains important, and institutions will continue to strengthen detection and reporting mechanisms to be more responsive.
Banks will improve their fraud surveillance systems, she said, while government agencies will explore the use of artificial intelligence to more quickly identify and block scam websites.
“In addition, the National Crime Prevention Council will start a WhatsApp channel to crowdsource from the public information on scam websites and messages,” she said adding that it will be launched by the third quarter of this year.
While Mrs Teo said website blocking is part of upstream measures to disrupt scammers’ plans, she acknowledged that victims could first be contacted by phone or SMS before being lured to these websites.
She pointed to China officials impersonation scams, where scammers called from overseas and used “social engineering” techniques to cause fear and panic in victims. They will often try to appear more credible by spoofing local numbers.
Telcos block around 15 million suspicious incoming overseas calls each month, or one in seven of all incoming overseas calls, Mrs Teo said.
But she said the number of scam calls is expected to rise, given that scammers are changing tactics to increase their reach.
For example, they use numbers that resemble phone numbers of local government agencies or emergency services, or add the “65” country code – without the "+" prefix – to give the impression they are calling from within Singapore.
To help alert customers, telcos have also added the "+" prefix for all incoming overseas calls since April 2020, Mrs Teo said.
Still, she said more was needed. Telcos plan to build in additional analytics capabilities to block more of these suspected scam calls, she said, estimating that up to 55 million calls will be blocked each month.
As for the Do Not Call registry, Mrs Teo said it was not designed to prevent scam messages, but to allow individuals to opt out of receiving unsolicited telemarketing messages or calls.
“Scammers will of course, not take the trouble to check this registry before conducting their illegal activities,” she said.
SMS SPOOFING IDs
Even if telcos can block millions of incoming overseas calls, Mrs Teo warned against a false sense of security, noting that scammers could turn to other channels like SMS, as was in the OCBC case.
In that case, scammers used the same alphanumeric ID as OCBC’s to enter the message thread between the legitimate business sender and its customer, she said.
This alphanumeric ID allows legitimate businesses to make themselves more easily known to customers, allowing them to receive an SMS from a named entity instead of a string of numbers.
“However, this alphanumeric ID is not automatically protected as part of the SMS protocol,” Mrs Teo said.
IMDA and the Monetary Authority of Singapore (MAS) have identified this gap, Mrs Teo said, adding that the agencies last year launched the pilot SMS sender ID protection registry.
“An organisation can register the alphanumeric ID that they use, thus reducing the risk of an illegitimate sender spoofing the same alphanumeric ID, and having the message appear within the same message thread,” she said.
MAS has decided that all major retail banks must sign up to register the alphanumeric IDs they use, while the Government has also committed that all its agencies will do likewise, she said.
In addition, IMDA will require SMS service providers and telcos to check SMS senders against the registry. This means that SMSes that try to spoof registered IDs will not be delivered, as the sender details would not match registry records.
All organisations that want to send SMSes using registered IDs to phone subscribers in Singapore must also have a valid Unique Entity Number (UEN) to help police with investigations in the event of a scam.
“Once these immediate measures are completed, the threat surface will be reduced,” Mrs Teo said.
Nevertheless, observers have also pointed out that scammers can use similar-looking alphanumeric IDs that are not in the registry, to confuse potential victims.
“To further close these gaps, we will consider requiring all users of alphanumeric IDs to be registered,” Mrs Teo said. “Scammers will then not be able to send SMS using alphanumeric IDs except by joining the registry.”
However, Mrs Teo said these further measures will take time to implement and come at a cost, including to businesses.
Those that choose not to register alphanumeric IDs will have their SMS messages appear only as their telephone number. Customers can choose to save these numbers in their contact list to help them recognise future messages.
“Given the implications, IMDA will study the matter carefully before deciding whether or not to mandate the registration of all alphanumeric IDs,” Mrs Teo said. “At the same time, organisations should rethink how they use SMS to communicate with their customers.”
SMS was never meant for secure communication, she said, urging for “more restraint” if the message contains or will lead to the transmission of sensitive, confidential information or high-value transactions.
“It is like our postal services. They are generally safe, but we would not send very valuable items even using registered post,” Mrs Teo added.