Removal of Hyperlinks in SMS and Aggregator Messages to Reduce Risk of Phishing
Ministry of Home Affairs
Summary
This question concerns Dr Shahira Abdullah’s inquiry on removing hyperlinks in SMSes to prevent phishing and the applicability of e-commerce measures to aggregators. Minister K Shanmugam replied that while banks have removed hyperlinks, the Government retains them for essential services using secure ".gov.sg" domains. He highlighted that the Singapore SMS Sender ID Registry (SSIR) blocks spoofed IDs and will become mandatory for all organisations by late 2022, with aggregators required to block non-compliant messages. Furthermore, the Infocomm Media Development Authority is exploring automated SMS filtering solutions to identify and block malicious links across telecommunication networks. These measures form a multi-layered, sector-based strategy to mitigate phishing risks while balancing service facilitation.
Transcript
6 Dr Shahira Abdullah asked the Minister for Home Affairs (a) whether the Ministry will consider partnering IMDA to remove the use of hyperlinks in SMS and aggregator messages, which is known to increase the risk of phishing; and (b) whether measures targeted at e-commerce's sending of high volumes of SMSes apply to the SMS aggregators as well as the e-commerce entities.
Mr K Shanmugam: The Inter-Ministry Committee on Scams (IMCS) takes a sector-based, risk-calibrated approach to the removal of hyperlinks in SMSes. This is in consideration of the trade-offs between the risks of phishing and the facilitation of services, which hyperlinks enable.
IMCS has worked with the Association of Banks in Singapore to get banks to remove hyperlinks in SMSes sent to retail customers. As for Government agencies, hyperlinks in SMSes are still necessary in the provision of public services in certain circumstances, such as mobilising citizens to get vaccinated during COVID-19. To mitigate the risks, if the Government agency assesses that it is necessary to send hyperlinks in SMSes, the agency will only use a domain ending with ".gov.sg", and will not ask users to provide their credentials through websites accessed through the hyperlinks.
IMCS will continue to study the use of hyperlinks in other sectors and work with sector partners to adjust their use if necessary. As scammers may pivot to other communication channels, the removal of hyperlinks in SMSes does not eliminate the risk of users falling prey to phishing attempts. Users should continue to exercise vigilance.
To further secure SMSes from scams, the Infocomm Media Development Authority (IMDA) implemented the Singapore SMS Sender ID Registry (SSIR) in March this year. Organisations, including e-commerce companies which wish to protect their SMS Sender IDs, can register their Sender ID with SSIR. SSIR reduces the risk of SMS phishing by blocking messages using spoofed Sender IDs which had already been registered with SSIR. SMS aggregators are required to refer to SSIR and block SMSes that use spoofed Sender IDs which had been registered with SSIR.
Registering with SSIR is currently voluntary, applicable only to organisations which register their Sender ID. The public may, therefore, still receive phishing SMSes that spoof Sender IDs belonging to organisations that are not on SSIR, or that use Sender IDs that do not belong to any organisation. To close this gap, IMDA is looking to make SSIR registration a requirement for all organisations that use Sender IDs by end-2022. SMSes with non-registered Sender IDs will then be blocked as a default.
IMDA is also looking to introduce anti-scam SMS filtering solutions, to filter out malicious hyperlinks and scam messages, applicable to all SMSes sent through telecommunication networks. These filters are designed to work like a security firewall, using automated machine scanning to filter out malicious URL hyperlinks and scam messages.
IMDA's public consultations on these proposals are ongoing till 14 September 2022. The IMCS will work closely with IMDA to study the views received.