SINGAPORE (THE BUSINESS TIMES) - Over 800 people have signed an online petition calling for the Infocomm Media Development Authority (IMDA) to enforce pre-registration for SMS sender IDs, in the wake of bank SMS phishing scams in Singapore.
Nearly 470 customers lost at least $8.5 million in SMS phishing scams involving OCBC last month.
This happened when the bank's customers received SMSes purporting to be from the bank, claiming there were issues with their bank accounts. Victims then clicked on a link that mirrored the OCBC website - but was actually set up by scammers - and were asked to key in their Internet banking account login details.
The online petition, started by user Captain Sinkie on Change.org, pointed out that scammers can easily "abuse" the lack of a SMS sender ID pre-registration requirement in Singapore. It appealed to IMDA to consider enforcing such a requirement.
While most banks use SMS number masking technology, in the case of the OCBC phishing scam, scammers managed to replace the phone number with an alphanumeric "spoofed header" or sender ID, which was the name of OCBC. The fake SMSes were also particularly believable as they showed up to customers in the same message threads of older but official OCBC messages.
Currently, most countries including Singapore do not mandate pre-registration to send SMS messages with sender IDs. However, some countries such as Hong Kong, Armenia and Qatar do require pre-registration to send messages with alphanumeric sender IDs.
IMDA has since urged more businesses and banks to participate in a government pilot it has set up in collaboration with Monetary Authority of Singapore (MAS), which ...