Some users confused as SMSes from legitimate firms get flagged as ‘likely scam’

A handful of Internet users received SMSes marked as “likely scam” after a new system by IMDA dubbed the SMS Sender ID Registry kicked in on Tuesday. PHOTO: ST READER
Osmond Chia
Updated
Feb 02, 2023, 11:59 AM
Published
Feb 01, 2023, 11:49 AM

SINGAPORE – Financial adviser Tan Zhi Liang thought he had been scammed after buying flight tickets to South Korea from Trip.com, when he saw a booking verification SMS flagged as “likely scam”.

Mr Tan, 29, said: “I thought I had made a purchase from a scam site. I found it weird at first, but I double-checked my booking and it was there, so I didn’t worry too much then.”

He is among a handful of Internet users who received SMSes marked as “likely scam” after a new system by the Infocomm Media Development Authority (IMDA), dubbed the SMS Sender ID Registry, kicked in on Tuesday to alert users to possible scam messages.

But some of these SMSes marked as “likely scam” have come from legitimate businesses for genuine communications, leading to confusion among some Internet users.

Tech consultant Tricia Chia, 25, hesitated to log into her company’s insurance provider Cigna to make a medical claim when she received an SMS with the “likely scam” label containing a verification code.

“I got scared and didn’t dare to complete my task because I didn’t want to get scammed,” said Ms Chia.

She later logged in to her account using the verification code after a friend told her about the SMS registry, and the possibility of legitimate business communications being wrongly labelled at the start.

Civil servant Xin Ng, 28, thought she had received a scam message after she tried to reset her login details on the online portal of insurance company Singlife.

She said: “I thought it was a potential scam at first. I checked again on the browser site I was on, and requested (that) the one-time password (be sent) again before proceeding.”

Screenshots readers sent to The Straits Times also show genuine confirmation messages from DBS Bank – which has listed on the registry – flagged as “likely scam”.

The registry, which is said to be able to detect and block spoofed SMSes upfront, labels SMSes that use alphanumeric sender names as “likely scam” if the senders have not listed on it. From July, SMSes from businesses not listed on the registry will be entirely blocked.

Ms Konstance Lim, 26, who received a one-time verification code from event planning app Partiful, said she thought it was a new function by the mobile network provider to flag sources that may not be widely known.

“But I continued with it since the website was recommended by a friend, so I trusted that it wasn’t a scam,” said the product manager.

Users have also received SMSes marked “likely scam” from video game platform Steam, insurance providers Great Eastern and Singlife, and co-working platform Switch, according to screenshots seen by ST.

Companies such as Cigna and Singlife said they had registered and are checking to find out why their SMSes are being flagged as “likely scam”.

A Great Eastern spokesman said the company registered and paid the relevant fees in August 2022, adding: “We are working with the relevant parties to resolve this issue affecting legitimate SMSes by us as soon as possible.”

Singlife group head of technology and operations Romil Sharma said it is working with its partnering authentication provider Okta to resolve the issue of SMSes being flagged. He advised customers who receive Singlife SMSes that are being flagged to ensure the information in the messages is consistent with their activity on the app or website.

Users had also received such SMSes from Okta, a widely used access management provider that issues authentication codes to users. Okta told ST that it is in the midst of registration.

ST understands that several companies, including Trip.com, have applied to be listed on the registry and are in the midst of getting various sender names approved. Meta has also registered its sender identification names.

When contacted, IMDA said consumers should check with their family or friends if they are unsure about an SMS that has been flagged as “likely scam”, and to consider approaching the merchant to verify the authenticity of the message.

The initiative aims to raise awareness and remind users to exercise caution, said IMDA, adding: “It is working as intended if consumers are reminded to be more careful.”

IMDA added that it had contacted business associations and worked with all telcos to inform their subscribers individually about the initiative. It also set up an anti-scam website for the public to learn more.

ST also asked IMDA why SMSes from some registered organisations also ended up getting flagged as “likely scam”, but IMDA did not reply to this query by press time.

At least 2,100 companies, including major telcos, e-commerce sites and online platforms like Google, have signed up with the registry as at Wednesday to have their company identities clearly seen in SMSes sent to users. It is not known how many companies use alphanumeric SMS sender names to communicate with customers.

IMDA has said that after the registry was set up in March 2022, Singapore saw a 64 per cent reduction in scams through SMSes from the last quarter of 2021 to the second quarter of 2022.

Companies need to pay a one-time set-up fee of $500 and a yearly fee of $200 for each registered sender name to be listed on IMDA’s registry, which is designed to tackle SMS sender name spoofing.

Scammers had spoofed OCBC Bank’s sender name in SMSes and swindled $13.7 million from 790 customers of the bank in December 2021 and January 2022.

American cloud computing company PagerDuty alerted customers in an e-mail last Saturday that its SMS notifications may be marked as “likely scam” as the company is in the midst of getting its application approved by the IMDA.

It urged users with a local number to update their contact information and use an alternative notification channel like e-mail before Jan 31 to reduce the chances of disruption.

What you need to know about the SMS Sender ID Registry

Objective: The SMS Sender ID Registry is a new measure by the authorities to crack down on spoofing messages sent by scammers using alphanumeric sender names nearly identical to ones used by legitimate organisations.

Pricing: A one-time fee of $500 and an annual payment of $200 per registered sender name.

What it does: The registry allows only approved companies to have their alphanumeric sender names seen by users. SMSes from non-registered companies that use alphanumeric sender names will be flagged as “likely scam” for a transition period of six months, before being blocked completely from July.

Companies already listed: 2,000, including Google, Shopee, Lazada, Alibaba Cloud, M1, Singtel, StarHub, Meta and redONE.

Companies being flagged as “likely scam”: Trip.com, Amazon, Okta, Steam, Cigna, Great Eastern, Partiful, Switch, Singlife.

More On This Topic
Telcos raise concerns over possible privacy violations, SMS disruptions with new anti-scam measures
Scam scourge here to stay, other countries learning from Singapore’s anti-scam approach: Police

Join ST's Telegram channel and get the latest breaking news delivered to you.

Available for
iPhones and iPads
Available in
Google Play

MCI (P) 066/10/2023. Published by SPH Media Limited, Co. Regn. No. 202120748H. Copyright © 2024 SPH Media Limited. All rights reserved.

Back to the top