Review of use of SMS and Clickable Links (PQ Reply by Senior Minister Teo Chee Hean)
Completion of review of use of SMS and clickable links for Government agencies by Smart Nation Digital Government Group
Fourteenth Parliament of Singapore – First Session for the Sitting on 4 July 2022
Mr Sharael Taha asked the Prime Minister when will the Smart Nation Digital Government Group (SNDGG) complete its review of the use of SMS and clickable links for government agencies.
Written answer by Mr Teo Chee Hean, Senior Minister and Coordinating Minister for National Security (for the Prime Minister)
The SNDGG has reviewed the use of links by Government agencies. Removal of links in SMSes, emails or other messaging platforms does not eliminate the risks of users falling prey to phishing attempts, e.g. phone numbers that members of the public are asked to call or continued attempts by scammers to use phishing links. Instead, we will implement prevention, detection and mitigation measures at the backend, and continue with user education to better protect citizens from scams perpetrated through the use of links.
SMS is a core text messaging component of most mobile devices. Because SMS is based on open standards, its main advantage is its widespread reach. SMS can reach anyone with a mobile phone, even if they do not use a smart phone or email, with nearly 100% coverage. Hence, SMS is widely used for many services, including communications and marketing. For example, the Government has attached links in SMSes to mobilise citizens to get vaccinated during COVID-19.
However, there are deficiencies in the open SMS standards that allow spoofing. Scammers can impersonate legitimate senders, such as Government agencies, to send SMSes with links to illegitimate websites to trick users to give up their user credentials and transfer monies.
Given the above tradeoffs between reach and vulnerability to spoofing, the Government will implement a number of measures in order to have safeguards and give users confidence when interacting with SMSes.
When sending SMSes with links, the Government will only use domains¹ ending with “.gov.sg”. Any logins to Government services (e.g. keying in Singpass credentials or scanning the Singpass QR code) should only be done at genuine Government websites with domains ending with “.gov.sg”. There are some exceptions such as websites that are collaborations between Government agencies and non-government entities. Such legitimate websites are listed on www.gov.sg/trusted-sites which users are encouraged to check if they are asked to transact on unfamiliar website domains.
The Government will also regularly remind the public that its links will always have domains¹ ending with “.gov.sg”, which users should confirm before clicking to transact with public agencies. For messages delivered to citizens through SMSes, the Government will also only use links where it is important to mobilise large numbers quickly and where we assess other channels to be less effective. We will not ask users to provide their credentials, such as passwords, through websites directly accessed through SMS links.
In addition to these preventive and protective measures by the Government and users when interacting via SMS, the Government is implementing backend prevention, detection and mitigation measures to address attempts to conduct scams by impersonating legitimate senders.
First, we are reducing the possibility of SMS sender IDs from being spoofed. The Singapore SMS Sender ID Registry (SSIR) was established in March 2022 to block SMSes that spoof the sender IDs of participants, which includes Government agencies and banks. To date, more than 50 organisations have onboarded the SSIR, with all Government agencies progressively onboarding. We are also studying the requirement for all users of alphanumeric sender IDs to be onboarded to prevent scammers from sending SMSes using alphanumeric sender IDs.
Second, we will implement measures to screen out scam messages and calls upstream. We are working with the telcos to build up in-network capabilities to block scam messages and calls, including robocalls and those spoofing numbers of local Government agencies and emergency services. We have developed the ScamShield mobile application to filter out scam SMSes and calls. We are also running various public education campaigns to alert citizens to different types of emerging scams.
Third, we are strengthening our detection of scams in our Government transactions with citizens. For Government services, we have implemented multi-factor authentication on Singpass, including use of biometrics, to provide added layers of protection to Singpass accounts and to prevent them from being easily taken over by scammers. Like other major technology companies, we are also using and continuously improving our fraud analytics to detect and notify users of suspicious logins, such as logins from a new device or browser. For major transactions with citizens, Government agencies also conduct checks to ensure that payments are made to bank accounts owned by the correct person. This will complement similar measures that the banks are taking to mitigate the risk of fraudulent transactions, such as enhancing fraud monitoring systems to facilitate timely detection and blocking of suspicious transactions and alerting customers of outgoing transactions that exceed established risk thresholds so that they can report unauthorised transactions as soon as possible.
Fourth, we are speeding up our response to scams. The National Crime Prevention Council (NCPC) will be launching a WhatsApp channel by 3Q2022 for citizens to quickly and conveniently report suspected scams, so that we can rapidly crowdsource information and respond to scam websites and messages. The Infocomm Media Development Authority (IMDA) and the Singapore Police Force (SPF) also work together to identify and block suspected scam websites. In 2021, 12,000 suspected scam websites were blocked. In addition, the SPF works with financial institutions to swiftly freeze bank accounts suspected to be involved in scams.
Combating scams will be a constant battle as scammers’ tactics will keep changing.
¹ A domain is a unique address used to access websites such as ‘www.smartnation.gov.sg’.