Will whitelisting SMS Sender ID (Caller ID) help cut down SMS phishing attacks?


At the end of 2021, 790 bank customers collectively lost S$13.7 million in phishing attacks. The phishing attacks were successful due to a confluence of events, namely:

  1. The Covid pandemic resulted in call centres being less staffed than usual.
  2. The attacks came at the year end, when call volumes were generally higher.
  3. While the customers could call the bank via the Interactive Voice Response (IVR) hotline, there was no ‘kill-switch’ to stop the outflow of funds from the victims’ bank accounts.

Even I experienced much longer wait times with the other banks’ call centres during the same period. It was a well-timed and well-coordinated attack which exploited the primary weaknesses in people, process and technology.

A slew of measures were put in place to address such SMS phishing (also known as smishing) attacks. New measures included an SMS Sender ID Registry (SSIR), set up on 4th March 2022, for organisations to register their business or product name(s) for sending SMS. This is to protect their customers holding Singapore phone numbers from receiving SMS with a spoofed Sender ID.

Q: What's SMS Sender ID?
A: SMS Sender ID shows the SMS sender's name and appears the same way that incoming calls and SMSes are shown on your phone.

[Image: An SMS phish (also known as a smish), using a phone number instead of a URL as the trigger]

Q: How different is this from Caller ID?
A: From the end user's or consumer's perspective, Caller ID is the same as SMS Sender ID.
Q: What does spoofing mean?
A: Spoofing means pretending to be someone other than yourself. So to spoof an SMS Sender ID means to send the SMS while pretending to be someone else.

Spoofing an SMS Sender ID is a very simple two-step process. All you need is (1) an account with an SMS service provider, and (2) the provided SMS API to send SMSes while pretending to be, say, a bank. Some SMS service providers add to the convenience by providing a webpage to enter the message and SMS Sender ID.

However, SMS service providers will soon be regulated and such SMS Sender ID spoofing activities will decrease.

Organisations that intend to communicate with the public through SMSes, with an SMS header identifying the organisation, need to register with the SSIR. The SSIR charges S$500 for a one-time setup fee and S$1000 for a block of 10 Sender IDs per year, excluding prevailing taxes.

SMS service providers or SMS gateways will need to check SMS senders against the SSIR whitelist before sending the SMS to the end user.

Q: Can I set the SMS Sender ID with my GSM phone or smartphone?
A: The short answer is no. You are not able to modify the SMS Sender ID when an SMS is sent from your phone.

Besides implementing the SSIR, organisations were told not to include URLs or hyperlinks in SMSes. The ubiquitous 140 character SMS is universally accepted by nearly every mobile phone on Earth and is commonly used as a baseline channel to reach customers. Moreover, message apps in smartphones will automatically convert strings starting with www… or https:// or http://, or anything resembling a URL, into a blue hyperlink (on iOS). Coupled with a compelling call-to-action message, these URLs can be used to direct the unsuspecting customer to a scammer-controlled URL or website.

All these changes do come at a price. This SMS URL restriction has caused marketing teams to lose a channel for customers to respond to targeted campaigns. In return, it has also resulted in one less method to scam customers.

IMDA is proposing a full registration regime where:

1. Merchants/organisations that use SMS Sender IDs must register with the SSIR using their Unique Identity Number (UEN, also known as the company registration number).

2. Aggregators (SMS service/gateway providers, which may include telcos) who wish to handle SMS with Sender IDs must participate in the SSIR and verify merchants'/organisations' sign-ups through their UENs.

A transition period is proposed starting from October 2022, before the full SSIR registration requirement commences in end-2022. IMDA is also seeking public feedback. Documents can be found here. Do give your feedback to be heard!

Will whitelisting SMS Sender IDs help cut down SMS phishing (smishing) attacks?

Whitelisting SMS Sender IDs is a step towards cutting down smishing attacks, but it is not the silver bullet. Scammers can still send SMS without a Sender ID, which would bypass the SSIR whitelist. This means other methods are needed to stop scammers from reaching the inbox in your smartphone.

Second, whether or not an organisation would have potential liability when it does not use SMS Sender ID is another question.

Lastly, only Singapore phone numbers are protected under this regime.
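One way an SMS gateway could apply the whitelist check and the no-URL guidance described in this article, shown as an added example that is not IMDA's or any aggregator's code. The registry contents, UENs, phone number, verdict names and the `screen` function are all constructed for illustration.

```python
import re
import unicodedata

# Constructed registry (Sender ID -> registrant UEN); all values are made up.
REGISTRY = {"EXAMPLEBANK": "T00XX0001A", "SHOPMART": "T00XX0002B"}

URL_RE = re.compile(r"(?i)(?:https?://|www\.)\S+|\b[a-z0-9-]+\.(?:com|sg|net|org)\b")
NUMERIC_RE = re.compile(r"\+?\d{3,15}")


def normalise(sender_id):
    """Fold case, compatibility characters and punctuation before lookup."""
    folded = unicodedata.normalize("NFKC", sender_id).upper()
    return re.sub(r"[^A-Z0-9]", "", folded)


def screen(sender_id, submitter_uen, body):
    """Return (verdict, notes) for one outbound SMS at a hypothetical gateway."""
    notes = []
    has_url = bool(URL_RE.search(body))
    if has_url:
        notes.append("body contains a URL")
    if NUMERIC_RE.fullmatch(sender_id.strip()):
        # A plain phone number carries no Sender ID, so the whitelist has
        # nothing to check: this is the gap the article points out.
        notes.append("numeric sender, not covered by the whitelist")
        return ("review" if has_url else "deliver", notes)
    owner = REGISTRY.get(normalise(sender_id))
    if owner is None:
        return ("block", notes + ["Sender ID not registered"])
    if owner != submitter_uen:
        return ("block", notes + ["Sender ID registered to a different UEN"])
    return ("review" if has_url else "deliver", notes)


# Constructed sample traffic: (Sender ID, submitting UEN, message body).
SAMPLES = [
    ("ExampleBank", "T00XX0001A", "Your OTP is 123456. Do not share it."),
    ("Example-Bank", "T00XX0999Z", "Account locked, verify at www.examplebank.example"),
    ("+6590000000", "T00XX0999Z", "Account locked, call this number back now."),
    ("ShopMart", "T00XX0002B", "Sale ends Sunday: https://shopmart.example/sale"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], screen(*sample))
```

The third sample is delivered even though it comes from an unregistered party, which is why the whitelist has to be paired with other filtering for numeric senders.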

There is no magic pill to fix smishing attacks. The best solution can only be continuous education and for consumers to take responsibility for their actions.

The next post will discuss how signing up with the SSIR can help your business reputation and why Anti-scam SMS Filtering Solutions sometimes render a false sense of security.
