Written Replies to Parliamentary Questions

Written Reply to Parliamentary Question on Whether MHA will Consider Partnering with IMDA to Remove the Use of Hyperlinks in SMS and Aggregator Messages

Published: 13 September 2022

Question:

Dr Shahira Abdullah:
To ask the Minister for Home Affairs (a) whether the Ministry will consider partnering with IMDA to remove the use of hyperlinks in SMS and aggregator messages, which is known to increase the risk of phishing; and (b) whether measures targeted at e-commerce sending of high volumes of SMSs apply to the SMS aggregators as well as the e-commerce entities.


Answer:

Mr K Shanmugam, Minister for Home Affairs and Minister for Law:


1.   The Inter-Ministry Committee on Scams (IMCS) takes a sector-based, risk-calibrated approach to the removal of hyperlinks in SMSes. This is in consideration of the tradeoffs, between the risks of phishing and the facilitation of services, which hyperlinks enable. 

2.   The IMCS has worked with the Association of Banks in Singapore to get banks to remove hyperlinks in SMSes sent to retail customers. As for Government agencies, hyperlinks in SMSes are still necessary in the provision of public services in certain circumstances, such as mobilising citizens to get vaccinated during COVID-19. To mitigate the risks, if the Government agency assesses that it is necessary to send hyperlinks in SMSes, the agency will only use a domain[1] ending with “.gov.sg”, and will not ask users to provide their credentials through websites accessed through the hyperlinks. 

3.   The IMCS will continue to study the use of hyperlinks in other sectors and work with sector partners to adjust their use if necessary. As scammers may pivot to other communication channels, the removal of hyperlinks in SMSes does not eliminate the risk of users falling prey to phishing attempts. Users should continue to exercise vigilance. 

4.   To further secure SMSes from scams, IMDA implemented the Singapore SMS Sender ID Registry (SSIR) in March this year. Organisations including e-commerce companies which wish to protect their SMS Sender IDs can register their Sender ID with the SSIR. The SSIR reduces the risk of SMS phishing by blocking messages using spoofed Sender IDs which had already been registered with the SSIR. SMS aggregators are required to refer to the SSIR, and block SMSes that use spoofed Sender IDs which had been registered with the SSIR.

5.   Registering with the SSIR is currently voluntary, applicable only to organisations which register their Sender ID. The public may therefore still receive phishing SMSes that spoof Sender IDs belonging to organisations that are not on the SSIR, or that use Sender IDs that do not belong to any organisation. To close this gap, IMDA is looking to make SSIR registration a requirement for all organisations that use Sender IDs by end-2022. SMSes with non-registered Sender IDs will then be blocked as a default.

6.   IMDA is also looking to introduce anti-scam SMS filtering solutions, to filter out malicious hyperlinks and scam messages, applicable to all SMSes sent through telecommunication networks. These filters are designed to work like a security firewall, using automated machine scanning to filter out malicious URL hyperlinks and scam messages.

7.   IMDA’s public consultations on these proposals are ongoing till 14 September 2022. The IMCS will work closely with IMDA to study the views received.



[1]   A domain is a unique address used to access websites such as ‘www.smartnation.gov.sg’.