1. The Singapore Police Force (SPF), as the Competent Authority under the Online Criminal Harms Act (OCHA), has issued Implementation Directives to Apple and Google on 24 November 2025.[1] The Directives require Apple and Google to put in place measures to prevent the spoofing of Singapore Government agencies via iMessage and personal Rich Communication Services messaging on Google Messages (hereinafter referred to as “Google Messages”) respectively, by 30 November 2025.[2]
2. To protect the public from impersonation scams, Government agencies have been using the “gov.sg” SMS sender ID to send SMSes since July 2024 to help the public identify legitimate government SMSes easily. While we have imposed this and other safeguards like the SMS Sender ID Registry (SSIR) on SMSes, they currently do not apply to messages sent via iMessage and Google Messages.
3. Government agencies do not use the “gov.sg” ID to send messages via iMessage and Google Messages. However, members of the public may assume that messages they receive from accounts claiming to be from “gov.sg” on iMessage or Google Messages are legitimate because messages sent through iMessage and Google Messages appear alongside and are not easily distinguishable from SMSes.
4. The Police have already seen scams involving the impersonation of other SSIR-registered SMS sender IDs on iMessage and Google Messages, including over 120 cases involving the impersonation of SingPost. There is therefore a need to put in place measures to deter the abuse of iMessage and Google Messages by scammers.
5. MHA has worked with Apple and Google to take steps in this regard, and in accordance with the Implementation Directives issued, Apple and Google will be required to implement the following measures to prevent the spoofing of gov.sg and Singapore Government agency names on iMessage and Google Messages:
(a) Measure 1: Prevent accounts and group chats from displaying names which spoof “gov.sg” or Singapore Government agencies, or filter messages from accounts and group chats with names which spoof “gov.sg” or Singapore Government agencies; and
(b) Measure 2: Ensure the profile names of unknown senders are not displayed or are displayed less prominently than their phone numbers. This would help users better identify and be wary of unknown senders.
6. Apple and Google have indicated that they will comply with the Implementation Directives. We urge the public to regularly update the iMessage and Google Messages apps on their mobile devices, to ensure that the latest anti-spoofing safeguards are in place.
[1] The Online Criminal Harms Act (OCHA) was passed on 5 July 2023. Under the Act, the Competent Authority may issue the provider of a designated online service an Implementation Directive to put in place any system, process or measure, if it is satisfied that this is necessary or expedient to address a relevant offence under the Second Schedule. Failure to comply with the Implementation Directive without reasonable excuse would render the provider of the designated online service liable on conviction to a fine of up to $1 million and, in the case of a continuing offence, to a further fine of up to $100,000 for every day or part of a day during which the offence continues after conviction.
[2] Separate Implementation Directives were issued to Apple and Google. The content of the Implementation Directives is similar but tailored to the different context of each platform.
Annex
