SMS hyperlinks from government agencies still necessary in certain circumstances: Shanmugam

SINGAPORE: Hyperlinks in SMSes from government agencies are still necessary when providing public services in certain circumstances, such as mobilising citizens to get vaccinated against COVID-19, said Home Affairs Minister K Shanmugam on Tuesday (Sep 13).

To mitigate the risks, if the government agency assesses that it is necessary to send hyperlinks in SMSes, the agency will only use a domain ending with .gov.sg, said Mr Shanmugam. It will also not ask users to provide their credentials through websites accessed through the hyperlinks.

Mr Shanmugam was responding to a parliamentary question from NMP Shahira Abdullah, who asked about the removal of hyperlinks from SMSes, which are known to increase the risk of phishing.

The Inter-Ministry Committee on Scams (IMCS) will continue to study the use of hyperlinks in other sectors and work with sector partners to adjust their use if necessary, Mr Shanmugam wrote in his answer.

"As scammers may pivot to other communication channels, the removal of hyperlinks in SMSes does not eliminate the risk of users falling prey to phishing attempts. Users should continue to exercise vigilance," he added.

Earlier this year, the Government said it was reviewing its use of SMS and clickable links when communicating with members of the public.

This came after a spate of online banking scams, including an SMS phishing scam involving OCBC Bank that affected hundreds of people and saw them lose a total of about S$13.7 million.

Mr Shanmugam said the IMCS takes a "sector-based, risk calibrated" approach to the removal of hyperlinks in SMSes. 

"This is in consideration of the tradeoffs, between the risks of phishing and the facilitation of services, which hyperlinks enable," he added.

The inter-ministry committee has worked with the Association of Banks in Singapore to get banks to remove hyperlinks in SMSes sent to retail customers, said Mr Shanmugam, who is also Law Minister.

To further secure SMSes from scams, the Infocomm Media Development Authority (IMDA) implemented the Singapore SMS Sender ID Registry (SSIR) in March this year.

Organisations including e-commerce companies that wish to protect their SMS sender IDs can register their sender ID with the registry. 

The registry reduces the risk of SMS phishing by blocking messages that use spoofed sender IDs of those already registered, said Mr Shanmugam.

Registering with the SSIR is currently voluntary, applicable only to organisations that register their sender ID.

"The public may therefore still receive phishing SMSes that spoof sender IDs belonging to organisations that are not on the SSIR, or that use sender IDs that do not belong to any organisation," said Mr Shanmugam. 

He added that IMDA is looking to make SSIR registration a requirement for all organisations that use sender IDs by the end of the year. SMSes with non-registered sender IDs will be blocked as a default.

IMDA is also looking to introduce anti-scam SMS solutions to filter out malicious hyperlinks and scam messages, applicable to all SMSes sent through telecommunication networks. 

These filters are designed to work like a security firewall, using automated machine scanning to filter out malicious hyperlinks and scam messages, said Mr Shanmugam.