SINGAPORE: Financial adviser Tan Zhi Liang thought he had been scammed after buying flight tickets to South Korea from Trip.com, when he saw a booking verification SMS flagged as “likely scam”.

Tan, 29, said: “I thought I had made a purchase from a scam site. I found it weird at first, but I double-checked my booking and it was there, so I didn’t worry too much then.”

He is among a handful of Internet users who received SMSes marked as “likely scam” after a new system by the Infocomm Media Development Authority (IMDA) dubbed the SMS Sender ID Registry kicked in on Tuesday to alert users to possible scam messages.

But some of these SMSes marked as “likely scam” have come from legitimate businesses for genuine communications, leading to confusion among some Internet users.

Tech consultant Tricia Chia hesitated to log into her firm’s insurance provider Cigna to make a medical claim when she received an SMS with the “likely scam” label containing a verification code.

“I got scared and didn’t dare to complete my task because I didn’t want to get scammed,” said Chia, 25.

She later logged in to her account using the verification code after a friend told her about the SMS registry, and the possibility of legitimate business communications being wrongly labelled at the start.

Civil servant Xin Ng, 28, thought she had received a scam message after she tried to reset her login details on the online portal for insurance company Singlife with Aviva.

She said: “I thought it was a potential scam at first, but I felt that the SMS came as expected, and it started with the words ‘Singlife’, so I was more assured it was genuine... I checked again on the browser site I was on, and requested for the one-time password (to be sent) again before proceeding.”

Ng said that while it was difficult to recognise which firms are in the clear and which are genuine scams, the registry serves as an added layer of protection for users in the long run.

The registry, which is able to detect and block spoofed SMSes upfront, currently labels SMSes that use alphanumeric sender names as “likely scam” if the senders have not listed with it. From July, SMSes from businesses not listed on the registry will be entirely blocked.

Konstance Lim, 26, who received a one-time verification code from event planning app Partiful, said she thought it was a new function by the mobile network provider to flag sources that may not be widely-known.

“But I continued with it since the website was recommended by a friend, so I trusted that it won’t be a scam,” said the product manager.

Users have also received SMSes marked “likely scam” from video games platform Steam, insurance providers Great Eastern and Singlife with Aviva, and co-working platform Switch, according to screenshots seen by The Straits Times.

ST has contacted these companies for a comment. ST has also asked IMDA what it plans to do to educate users and businesses to minimise confusion.

Users had also received such SMSes from Okta, a widely-used access management provider that issues authentication codes to users. Okta told ST that it is in the midst of registration.

It is understood that several companies, including Trip.com and Meta, have applied for the registry and are in the midst of getting various sender names approved. During this period, Facebook, WhatsApp and Instagram users may receive authentication SMSes labelled with a five-digit number in the interim, instead of a typical sender ID.

Nearly 2,000 companies including major telcos, ecommerce sites, and online platforms like Google have signed up as at Monday for the registry to have their company identities clearly seen in SMSes sent to users. It is also not known how many firms use alphanumeric SMS sender names to communicate with customers.

Firms need to pay a one-time set-up fee of S$500 and a yearly fee of S$200 for each registered sender name to get on the IMDA’s SMS Sender ID Registry, designed to tackle SMS sender name spoofing. Scammers had spoofed OCBC’s sender name in SMSes, and swindled a total of S$13.7 million from 790 OCBC Bank customers in December 2021 and January 2022.

American cloud computing company PagerDuty alerted customers in an email on Saturday that its SMS notifications may be marked as “likely scam” as the company is in the midst of getting its application approved by the IMDA.

It urged users with a local number to update their contact information and use an alternative notification channel like email before Jan 31 to reduce the chance of any disruption.

Things to know about Singapore’s SMS Sender ID Registry

Objective: The SMS Sender ID Registry is a new measure by Singapore authorities to crack down on spoofing messages sent by scammers using alphanumeric sender names nearly identical to ones used by legitimate organisations.

Pricing: A one-time fee of S$500 and an annual charge of S$200 per registered sender name.

What it does: The registry only allows approved companies to have their alphanumeric sender names seen by users. SMSes from non-registered companies that use alphanumeric sender names will be flagged as “likely scam” for a transition period of six months, before being blocked completely from July.

Companies already listed: 2,000 including Google, Shopee, Lazada, Alibaba Cloud, M1, Singtel, StarHub and RedOne

Companies being flagged as ‘likely scam’: Trip.com, Amazon, Okta, Steam, Cigna, Great Eastern, Partiful, Switch, Singlife with Aviva. – The Straits Times (Singapore)/Asia News Network