An End To The Committee Of Privileges

The COP conclusion paints Pritam in a really bad light.
If you had just read the findings without watching the hearing, Pritam appears to be shifty, contradictory, evasive and seems to be a clueless leader.

Context matters

But one should put his statements in context of a 9 hour long hearing, under intense questioning by Edwin Tong.
In the hearing, it seemed that Pritam conceded several contradictory points out of exhaustion or frustration under the aggressive questioning by Edwin Tong.
Taken out of context, on paper, these contradictions work to the PAP’s advantage. They allowed the COP to build a case that Pritam was trying to mastermind a cover up.

A criminal mastermind?

But the logic of a cover up has an Achilles heel.
Because there’s no credible evidence that Pritam ever explicitly told Raeesah to cover the lie up.
Despite trawling through thousands of pages of evidence, there was no WhatsApp screenshot, email document or audio recording of Pritam ordering anyone to hide the truth.
There is one piece of evidence provided, which is a second hand account by Raeesah that Pritam told her to take it to the grave. But Raeesah’s credibility is doubtful.

Pritam’s actions

Having said that context matters, one should also look at Pritam’s actions and words separated from his eloquence.
There’s no way to sugar coat this. Pritam made horrible decisions as a leader. While there’s no physical first hand evidence of telling Raeesah to take it “to the grave”, his inaction and inability to order Raeesah to tell the truth speak poorly of him.
Waiting for Raeesah to tell her parents, caring for Raeesah’s feelings etc, no matter how hard Pritam tries to climb up the moral high ground, all his efforts have been futile.

Crafting a Narrative

How did the COP arrive at the conclusion that Pritam was attempting a cover up?
The COP maintains that Pritam, through inaction and vague instructions, was by default, asking Raeesah to cover up the lie in parliament.
They point to the contradictions by Pritam in the 9 hour arduous hearing as proof that he was dishonest.
Interpretations of evidence such as “told you it was your call”, “I will not judge you” are done in favour of building this narrative.
To be fair, the report is pretty convincing. Thousands of pages were spent carefully crafting and weaving this story.
However, because there’s a lack of a smoking gun, you could also build a convincing report in 1000 pages that Pritam did not want a cover up.
Why was he vague, unclear and contradictory? Because he was an inept leader. Because he thought he was already clear. Because he thought Raeesah knew he expected her to tell the truth. All of these different conclusions can be substantiated with the current evidence.
Indeed, the lack of a smoking gun is the elephant in the room at the moment. The COP’s finding feels incomplete without it.
Perhaps, that could also be part of the reason why the COP recommended the referral to the public prosecutor.

One thing we can all agree on, Pritam did not provide leadership when WP needed it the most.

Not directly ordering Raeesah to clarify the truth immediately once he found out, is a mistake that should have severe penalties.
On top of that, he allowed things to drag on for so many months. He waited for Raeesah to tell her parents while the integrity of the police and parliamentary institutions was at stake. This alone should call for questions on his judgment.
There are too many examples that we can point to over the course of the hearings that put Pritam in a bad light. But that would be repetitive.

Faisal

I guess it’s worth reiterating that Faisal came across as clueless and inept both on paper in the special report and on camera during the hearing.
Faisal needlessly incriminated himself for seemingly no reason.
The COP has every right to ask for information such as meeting minutes and schedule.
Why did Faisal decide there and then that he had to refuse? Your guess is as good as mine.
The cynic would say it was an inept attempt at hiding evidence. The supporters would say he was standing up to the bullies.
But I think most Singaporeans would just be scratching our heads at this futile attempt at something.
Which is regrettable; by all accounts he abdicated his role as a leader in dealing with Raeesah's lie. That would be almost entirely bad for him as a leader.
Possibly, the only upside to this is that he could have pleaded ignorance and escaped responsibility and punishment. But alas, somehow he still got himself into trouble.
If there was somebody else in WP who had been digging his own grave beside Raeesah from the start, it would be Faisal.

Raeesah

Liberal progressive ideas are attractive.
Especially in the social media age, showing off liberal ideas is the easiest way to virtue signal. Or more simply put, it is the easiest way to get likes and shares on twitter.
But a social media savvy charlatan can easily ride on these ideas and espouse them in a way to get political support.
With Raeesah, I feel that we have dodged a bullet. At least she was exposed and caught early in her career.
If she had gotten away with this, it might embolden her to build a political platform based on lies and perceived outrage.
Trying to become a hero by inciting outrage is never the solution.
Fruitful discussion based on facts and truth will help us achieve progress for the minorities (sexual assault survivors in this case) in our country.
Lies, on the other hand, cause doubt and mistrust to seep in; they make Singaporeans suspicious of each other, resulting in infighting to our detriment.
Make no mistake, her lies were aimed not to unite Singaporeans together. She was seeking to divide us from one united people, based on (perceived) injustice and inequality, so as to achieve progress for her goals.

Sigh

Past history suggests to us how things would end for the opposition. I’m sure Pritam is painfully aware.
A likely outcome is that he might end up getting fined more than 2k, which will result in him losing his parliamentary seat and being barred from having one for five years.
The leader of the opposition and Secretary General of WP, without a parliamentary seat. This is effectively political exile.
Perhaps he would be fined less than 2k and be allowed to retain his seat. Either way the credibility of the position of leader of opposition is forever smeared.

What’s next for Pritam

It must have been a rollercoaster journey so far.
From leading the opposition to its greatest victory to having Raeesah singlehandedly bring everyone to its knees… sigh
Firstly, Pritam will need to fight an internal fire. Reports have come out about unrest in WP. A leadership challenge might come out of the blue in the next election (internal).
On the ground morale has taken a hit, volunteers are leaving WP.
Regardless of what happens in the Parliament, Pritam needs to reconsolidate support and power internally.
Alongside this effort, Pritam also needs to question how the Raeesah episode became the way it did.
There are many moments for introspection. But most importantly, Pritam should look at how so much power was centralised between Sylvia, Faisal and himself.
The CEC, despite its responsibility to provide oversight, only found out about the incident a few months after, slightly before the public. Why wasn’t CEC immediately made aware of such an important issue?
Perhaps if the CEC was more involved, things would not have ended the way they did.
Sylvia and Faisal seem comfortable in the backseat, not questioning Pritam’s decisions. This reeks of poor leadership and organisation structure.
Pritam should also evaluate the party’s internal process for selecting members. WP should be careful about fielding unready candidates like Raeesah Khan.

On the Bright Side

Ironically though, WP has also excelled at identifying talents.
Dr Jamus has come out of nowhere to dazzle and impress over the last year. And he was the only one from WP who came out of the COP hearing looking better.
Nicole Seah put up a strong showing in her maiden performance on WP and her team had a valiant effort against once potential PM Heng Swee Keat.
Meanwhile, members such as Gerald Giam and He Ting Ru are growing from strength to strength with experience.

A way forward?

I think it would make sense actually for Pritam to resign internally and seek a new election as the Sec Gen of WP.
It would show that he understands a mistake was made and he is not beyond reproach. If he wins, it will refresh his mandate internally, and increase the morale of volunteers on the ground.
Even if he loses, to be honest, he still has the best showing among all the other WP members, including Jamus. It wouldn’t be long before the position is restored to him.
Yes, it might look like a dog and pony show, but the positives far outweigh the negatives.

Hero’s Journey

Great heroes like Steve Jobs and Winston Churchill have compelling stories of overcoming failure to success.
Could Pritam similarly have a Singapore flavoured hero’s journey? I think the possibility is there.
Despite the mistakes here, he still has a sizeable base.
He is charismatic enough to garner support from the masses, and he has (relative) youth on his side.
LHL and 3G were never his true political rivals. Pritam can bide his time to regroup and prepare for the long fight against the 4G ministers.
He has also proven to be a worthy opponent in elections, and should give the 4G PAP a good fight.
Also importantly, you could sense the political support leaning to opposition in the new younger generation.

What’s next for us?

There are other societies where politicians are building platforms based on untruths. We should be extremely watchful that we do not “import” such values into Singapore.
With that said, Singapore did great! No matter who you support, we as a country soundly rejected the lies of Raeesah and she was removed in a public and transparent process.
But there’s a creeping air of despair for opposition. The first ever leader of opposition has imploded. OYK, potential PM, came out to reiterate reasons why a two party system will not work in Singapore.
Despair can easily be massaged into anger by fringe politicians. Fringe politicians are… basically almost everybody not in WP at the moment. And it feels increasingly “fringe”.
PAP should be careful with how the situation will end.
Yes, the short term by-product is that the biggest threat in the opposition was neutralised. But the long term cost is anger and frustration at a dominant party that feels increasingly out of touch with the people.
Intermingled with bread and butter issues such as inflation, a tough job market, BTO unavailability/delays, looming global recession, increasing GST etc, voting opposition may present a Hail Mary option for undecided voters who are going to use their votes not to vote, but to voice their anger.

An Update on the SMS Phishing Sender Id Spoof Vulnerability

On the 15th Jan, the ease of SMS phishing scams was raised on this blog.
Thankfully, it was picked up and reported by mainstream media:

IMDA Reached Out

IMDA reached out on Twitter on the 21st Jan regarding the issues raised.
We had a Zoom meeting on the 28th Jan. IMDA is extremely receptive to the suggestions from the public with regards to securing sender ids for SMS messages.

What Was Proposed

The suggestion from the ground is to regulate third party SMS aggregators such that registration is required for companies to send SMS with certain sender names.
By default, all other unauthorised sender names are blocked. Effectively, this is a whitelist approach.
Indeed 51 other countries have adopted solutions such as this. Many more countries outright block sender name changes. Source

What’s next

IMDA has acknowledged that the registry is a pilot and will be looking to improve it.
It’s definitely not a simple or quick change that will fix this. And while it is an important problem, we should also have patience and give the gov time and space to fix it.
I will check it in a month’s time on the 28th Feb 2022 to see if SMS can be sent with custom sender names. Hopefully, the issue will be fixed by then.
I’m sure the public will be unhappy if this vulnerability is still around then. It feels like a ticking time bomb in our backyard, just waiting to blow up.

Change.org

Do share this with your loved ones to add more support for this issue.

Scams

If there are any vulnerabilities that can be used by scammers, we have to quickly fix them.
Which is why I’m glad the information here has been handed to and acknowledged by the authorities. I won’t be writing about the SMS phishing issue for a while unless there are updates on this.

OCBC Scam: Exposing the Roles of Third Party SMS Aggregators in SMS Phishing

TLDR: Third Party SMS Aggregators Allow for Scammers to Send Scam SMS Phishing Messages to Singaporeans.
By now, you must have seen many examples of the SMS phishing scams and screenshots of spoof messages.
While we are looking for a solution to stop the SMS phishing scam, it's important to understand in detail how it actually works.
I will show how the scam messages were sent and what exactly is going wrong with our system.
Hopefully, this will allow us to work towards a solution to reduce SMS phishing scams.

How does SMS sending work?

We can understand how SMS works by looking at things from three angles - from the perspectives of a normal sender, a company and a scammer.

1. Normal Senders

Normal senders are just you and me. We send SMS from our phones to the telcos en route to end users. Nothing fancy here.

2. Organisations & Companies

Organisations & companies make use of third party SMS aggregator services to send messages through their services.
You might have heard of Twilio. They are one such company that provides these SMS services. These companies are able to tell the telcos to send an SMS to us.
So in general, companies, such as OCBC, don't directly interface with the telcos. They communicate with the third party SMS aggregators, telling them the target phone number and the SMS message they would like to send.
Interestingly enough, it is also at this point that companies provide something called a senderId. It changes the sender name of an SMS, which is how you can receive text with the name "OCBC" even though you didn't have that name in your contacts.

3. Scammers

Lastly, how do scammers send the SMS to us? Well, this is the important part. They make use of the same third party aggregators to send the SMS.
How did the scammers send text with the name OCBC? Remember the senderId field? Well, scammers make use of that too.
Basically they just tell the SMS aggregators to send the message with the name OCBC. And what do you know, the SMS aggregators pass it along to the telcos and the scam messages reach our phone without any verification process.
Not only does it show up with the sender name OCBC, the scam messages are also grouped into the same channel as the real OCBC messages.

Was this how the scammers did it?

To be fair, there's no concrete evidence the scammers use them.
But this is exactly how I was able to use the services and send the scam SMS messages to different phone numbers.

This sounds bad

Is it easy enough to send scam messages? Yes, it is very, very simple. Worryingly simple.
Why on earth could these third parties send custom senderIds to telcos without any checks? Well, I'm not sure too - this is an opaque process to outsiders.
Perhaps there is already some regulation in place that is not enforced by the SMS aggregators?
We don't know.
But right now, it looks like we are asking third party SMS providers to check themselves. Insert obligatory meme here.
[Image: Ownself Check Ownself]

Why didn't Singapore do anything then to patch this?

In a forum letter, IMDA revealed there was a registry protection program that asks companies to register names which can then be restricted from use by the hackers.
This was started in August last year. Singpost, Lazada and DBS were examples of companies which have registered on this program.
Unfortunately, this registry protection just does not work at the moment!
I tried and noticed spoof messages were able to be sent from DBS, DBS Bank, Singpost and Lazada. Notice all these names should by right be on the registry protection.
This is also independently verified by other testers and journalists. Thanks to @ImStillDissin on twitter for verifying on the 20th Jan 2022.

Registry Details are not Clear

It is also unclear at which stage of the process this registry "blocks" scam messages. Indeed, details of this registry have been weirdly vague.
Continuing to ask companies to join a registry that does not work is not a good look too.
I know many questions have been addressed to IMDA. Hopefully there's some clarity on this soon, so we can regain trust in the SMS services.

So should we blame third party SMS aggregators for the SMS phishing scams?

Yes and no.
Firstly, more should have been done to stop the scammers from sending the messages with the name of OCBC.
But, they could argue that it is not their responsibility, since there was no regulation for them to have oversight.

So what now?

It is tragic that an eye popping $8.5 million was stolen from right under our noses. We must not let this continue.
One possible solution is to regulate these third party SMS aggregators such that registration is required for companies to send messages with a certain name.
For example, Grab has to apply to have their SMS be sent with the name “GRAB”. Upon verification by authorities, the company now has the ability to do it. No one else is allowed to send SMS with that name.
By default, all other sender names are not allowed to be set. Any new SMS sender names must go through a verification process before they can be used.
This also means that the responsibility now lies on the third party SMS aggregators to build an authentication and white list service, mapping sender names to authorized companies.
If aggregators do not perform due diligence and allow for the sending of phishing SMSes, then penalties can be introduced.
Indeed, it is not unlike solutions adopted in 51 other countries to regulate this. Mandatory registration is required for third party SMS aggregators to use a custom sender name. Many more countries, in fact, outright ban third party aggregators from changing senderIds.

Petition

There is a petition to ask IMDA to exercise greater regulation around this process of authenticating sender names. It's asking for a layer of checks and balances that is enforced by regulatory bodies.
Whether it can be built on top of the "registry protection program" or it must be something new remains to be seen.
It will require significant effort. But of course, the important thing is to stop potential future scams from happening.
If you had read to the end and found the article useful, feel free to share this on social media by copying the shortened link here.
https://cpt-sg.link/3rd-party-sms-exposed
By sharing more awareness, we will be able to reduce the amount of scams happening in our country.

IMDA Is Vulnerable to SMS Phishing & The Protection Registry Does Not Work

This is a follow up to the previous article. Many other organisations, including IMDA, are vulnerable to potential SMS phishing attacks. Even worse, the protection registry does not appear to work.
IMDA announced that there was a protection scheme against SMS phishing. More information is detailed here.
Basically, it requires organisations to register the names of SMS senders that they want to restrict. When there is unauthorised use of this protected SMS sender ID, the messages will be blocked.
This is a good step. But it’s still not the best solution. And obviously, it did not work during the OCBC scam attack.
Two reasons why this is insufficient:
  1. Companies might not have registered certain names which are vulnerable for phishing.
  2. Scammers are still able to creatively come up with other fake names to scam victims.
  3. And most importantly... It doesn't even appear to be working! [19th Jan 2022]
There’s also a solution which would better protect Singaporeans from such potential scams.

1. Companies might not have registered certain names which are vulnerable for phishing.

The first problem is that this is a voluntary process. Companies need to register to restrict specific sender names.
What if they did not register? Scammers can still spoof their identity in the SMS.
This is a blacklist approach. We are counting on companies to register names for blocking. But not all companies would do so. And once the scam has happened, it would be too late. Which is what happened in the OCBC attack.
I tested and found out that GRAB, for example, is still vulnerable. NETFLIX and GOOGLE can also be spoofed. The findings are available on Mothership here.
As I was testing these, I asked myself, what about IMDA itself? Can a hacker pretend to be from IMDA?
Turns out a hacker can. I managed to send a spoof text as IMDA.
Imagine if you received a POFMA from this sender. Will you believe it? Victims might. Nobody expects hackers to have the ability to do this.
[Image: POFMA SMS phishing scam]
If IMDA themselves can be spoofed, this solution is definitely not the most foolproof.
Adding on to the point that companies might not register for this: at the point of IMDA's response in the forum letter, only 6 organisations had signed up for the registry. So any organisation not part of the 6 could have been spoofed. Source

2. Scammers are still able to creatively come up with other fake names to scam victims.

Scammers are always on the lookout for new ways to scam us.
They could always come up with new names that seem authentic to attempt a phishing attack.
Think of all the legit names they could come up with. GRABPAY, SGPAYNOW, POLIS, MMTF, MINSHAN, JOTEO, SMARTNATION, CYBERSEC, SKILSFUTURE, the list goes on.
I tried some of the names and most if not all, worked.
This registry program means we are always on the back foot, only adding sender name restrictions after a potential scam has happened.
Obviously this is not as convincing as the OCBC scam. But still, scammers might be able to dupe unsuspecting Singaporeans with this:
[Image: Example SMS phishing scam with Minshan]
[Image: Example SMS phishing scam with JoTeo]
[Image: Example SMS phishing scam with MMTF]
[Image: Example SMS phishing scam with Lazada]

3. Worst of all, the protection registry does not work at the moment [19th Jan 2022]

On 19th Jan, u/kimmyganny posted a screenshot on reddit that DBS has also been spoofed in a new SMS attack.
According to news reports, DBS was already registered on the list. How on earth could scammers still do it?
Well the reason is, quite plainly put, this registry did not work. I went about testing and sure enough, company names listed in the registry could still be spoofed.
I have notified the relevant parties on this here.

So what can be done?

We are suggesting a different approach, where we restrict all sender names by default.
That is, no one can modify the sender names in the SMS message. Only when companies register for certain names can IMDA (or relevant authorities) allow them to change SMS to that specific name.
For example, Grab has to apply to have their SMS be sent with the name “GRAB”. Upon verification by authorities, the company now has the ability to do it. No one else is allowed to send SMS with that name.
This will definitely require significant engineering work on top of the current SMS network. A layer needs to be built to authorise the sender names. And it's a herculean effort.
Indeed, 51 other countries require such a registration process. Many countries even go a step further and restrict custom sender names altogether.
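
The difference between the opt-in registry and the default-deny registration proposed here (and in the "So what now?" section of the aggregator article) can be shown as the check an aggregator would run before forwarding a message. This is an added example, not code from the original posts or from any real aggregator; the account names, registrations and requests are constructed, and it models the intended policies rather than the registry's observed behaviour.

```python
import re
from dataclasses import dataclass, field

MAX_ALPHA_SENDER_LEN = 11  # alphanumeric SMS sender IDs hold at most 11 characters


def normalize(sender_id: str) -> str:
    """Registry key: upper-case letters and digits only, so 'DBS Bank',
    'dbs-bank' and 'DBSBANK' all resolve to the same protected name."""
    return re.sub(r"[^A-Z0-9]", "", sender_id.upper())


def well_formed(sender_id: str) -> bool:
    """Reject empty, over-long or non-ASCII names before any registry lookup."""
    return (sender_id.isascii()
            and len(sender_id) <= MAX_ALPHA_SENDER_LEN
            and normalize(sender_id) != "")


@dataclass
class Registry:
    """Maps each normalized sender name to the accounts verified to use it."""
    owners: dict = field(default_factory=dict)

    def register(self, sender_id: str, account: str) -> None:
        self.owners.setdefault(normalize(sender_id), set()).add(account)

    def owners_of(self, sender_id: str) -> set:
        return self.owners.get(normalize(sender_id), set())


def blocklist_allows(reg: Registry, account: str, sender_id: str) -> bool:
    """Opt-in protection: only registered names are checked, the rest pass."""
    owners = reg.owners_of(sender_id)
    return not owners or account in owners


def allowlist_allows(reg: Registry, account: str, sender_id: str) -> bool:
    """Default deny: a custom name goes out only for a verified owner."""
    return well_formed(sender_id) and account in reg.owners_of(sender_id)


def sample_registry() -> Registry:
    # Constructed registrations; the account names are hypothetical.
    reg = Registry()
    for name, account in [("DBS", "acct-dbs"), ("DBS Bank", "acct-dbs"),
                          ("Singpost", "acct-singpost"), ("Lazada", "acct-lazada")]:
        reg.register(name, account)
    return reg


# Constructed submissions: (aggregator account, requested sender name).
SAMPLE_REQUESTS = [
    ("acct-dbs", "DBS Bank"),         # verified owner
    ("acct-unverified", "DBS Bank"),  # registered name, wrong account
    ("acct-unverified", "dbs-bank"),  # punctuation/case variant of a registered name
    ("acct-lazada", "DBS"),           # verified company, someone else's name
    ("acct-unverified", "GRAB"),      # name nobody registered
    ("acct-unverified", "GRABPAY"),   # name nobody registered
]


def compare(reg, requests):
    """Return (account, sender, blocklist_decision, allowlist_decision) rows."""
    return [(a, s, blocklist_allows(reg, a, s), allowlist_allows(reg, a, s))
            for a, s in requests]


def policy_gap(reg, requests):
    """Sender names the opt-in blocklist lets through but default deny stops."""
    return [s for _, s, blocked_ok, allowed_ok in compare(reg, requests)
            if blocked_ok and not allowed_ok]


if __name__ == "__main__":
    for row in compare(sample_registry(), SAMPLE_REQUESTS):
        print("%-16s %-10s blocklist=%-5s allowlist=%s" % row)
```

Both policies agree on names that were registered; they differ only on names nobody registered, which is exactly the gap described in points 1 and 2 above.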

We are still vulnerable to SMS Phishing attacks

As long as hackers have this loophole to use, we are still very vulnerable to SMS phishing attacks.
The next attack might not happen on OCBC anymore. But customers of other platforms, businesses and organisations are still vulnerable to being phished.
One Singaporean scammed is one too many. We must work together to stop the scams from happening.
There is a petition on change.org here to bring more awareness of this issue to the government. Kindly sign it if you agree and help to spread more awareness on this issue.

How the OCBC SMS Phishing Scam Works and Who Else is Vulnerable

TLDR: The OCBC sms phishing attack can be used on other companies too. For example, DBS Bank is also vulnerable to this.
The recent OCBC sms phishing attack is absolutely a lot more dangerous and serious than what we thought.
If you are not in the loop, hackers managed to spoof smses from OCBC to Singaporeans. Because the message sender shows in the SMS as "OCBC", many Singaporeans fell prey and a collective $8 million was lost.
How did the hackers send the sms in the first place? Who else is vulnerable? Could this be prevented? I wanted to understand how this was done too.
In the end, I found out that this is actually a lot more serious and dangerous than what I thought. And also, DBS Bank and many more companies are vulnerable to this attack.

How did the hackers send the sms in the first place?

Initially, I thought that it's possible OCBC had a vulnerability that allowed hackers to send the fake sms. But that's not correct. OCBC is not at fault for the fake smses this time.
The problem is that SMS is poorly designed. Each sms is sent with a "senderId" field that is invisible to normal users like us.
But hackers can easily spoof the protocol by adding a "senderId" field on sms services. Our phones will show the messages with sender's name as the modified senderId.
In fact, just by spending a couple of hours on the internet, I managed to find a sms service that allowed me to write code and send sms with fake senderId headers to myself.
The worst thing is that phones are coded to group messages by senderIds. So the fake message is automatically placed in the same channel as real ones, making them more authentic.

Who else is affected?

This is the scary part. From what I see, it looks like most companies are affected.
I tried spoofing a message to myself as "DBS Bank", which is what DBS have been using to send messages to me. Scarily enough, it actually worked.
[Image: smishing attack example]
Notice that the parameters of the attack are exactly the same as OCBC's. In this case, the hacker (me) sent a message with the name (senderId) as DBS Bank. It ended up in the channel where the actual DBS has been sending me notifications.
It could be even more malicious like this.
[Image: even more malicious smishing]
Notice that the dbs.limited is a phishing site that I created for this example.
I submitted a vulnerability report to DBS bank urging them to take a look at this.
Could I fake a reservist callup from the dreaded 72255? (only sg guys will understand). Again, it is possible. My company has actually already MR-ed, but perhaps I could prank my army mates.
[Image: reservist call up smishing]
What about fake covid 19 numbers from GovTech?
[Image: gov.sg ba sing se]

Could this be prevented?

The short answer is no.
There is no way that you can block a senderId since it is not a number. If you do block it, you will lose service from the actual businesses.
Telcos are unable to outright block senderIds, because this will affect those legitimate businesses.
And worse yet, if the hackers used a third party provider to send these smses, then it is virtually untraceable back to the perpetrators.

Why is this dangerous?

The level of sophistication in the OCBC attack is actually not difficult. As shown in the examples above, it's quite easy to carry out.
There are third party providers that allow malicious actors to send spoof smses without needing to even write code. I thought it would be difficult to send phishing smses, but it is in fact extremely easy.
But, this recent scam is definitely much more advanced than the usual Nigerian prince emails or Tik Tok is looking for at home workers. This is a highly planned and orchestrated attack.
Somehow, hackers identified ways to overcome OCBC's checks and balances. By combining the fake sms technique on OCBC customers, these hackers have stolen millions.
These hackers could have sent fake smses for other services or banks. But they specifically coordinated and targeted only OCBC because they had identified how to overcome daily withdrawal limits, add overseas payer etc.
Indeed, even the timing (end of year, festive period with more international volume) seems opportune. Based on the victims' screenshots, multiple phishing sites were built too, not just one. And multiple messages were sent using the "OCBC" senderId to build authenticity.
Such level of understanding, planning and co-ordination should send chills down our spines.
We tend to laugh at the lousy quality of phishing emails and sms, and we have become largely numb to them.
But make no mistake, this was a daring, well planned heist. And the victims are fellow Singaporeans who have lost everything to a small mistake, which could have easily happened to any of us too.
I'm worried that they might be planning their next attack by exploiting more complex methods to scam Singaporeans.

What's the solution?

Firstly, companies need to take more steps to protect customers. In this case, it's ridiculous that OCBC could transfer tens of thousands of dollars out of people's accounts and could not lock the accounts when customers called their hotline.
Companies can also fully switch to secure app based notifications for facial verifications (e.g. Singpass), instead of using SMS OTP. However, not all companies can afford to build mobile apps. And I'm also sure we don't want to install 101 apps on our phones to log in for different services. Plus this will also affect non tech savvy seniors.
I think (not certain) Telcos can whitelist phone numbers to give access for specific senderIds. But this will be something that telcos need to work out building on top of sms protocols. However, it might be difficult to whitelist all names. A hacker could creatively use different senderIds to spoof / social engineer and hack a victim.
Edit: upon doing more research on this, I realise that there are countries which require registration before you are allowed to use a custom senderId. So Singapore could do this, for example if our law makers pass a law to enforce telcos to do so. Help to sign this petition to ask our Gov to consider doing this.
Until SMSes are secure, we should not rely so much on it. Many companies use them for authentication purposes because they think it is safe. We need to push back on this narrative and understand that SMS can be very very dangerous.
The best solution is still education. We will need to spend more time building awareness and teaching Singaporeans to look out for phishing attempts.
Even if the smses look very legit, hackers will still need to redirect you to a phishing website to steal information. Singaporeans need to learn how to identify phishing urls and domains and steer clear of them.
It's easier said than done. But we need to start now because the next sms phishing attack might be even more dangerous.

Phishing Education

To educate other Singaporeans on the dangers of phishing, you can show them this website https://dbs.limited.
On the surface, it looks like a legitimate DBS website with believable enough urls and links.
But it's actually a fake site that was built in under an hour by copying the front end code from DBS. The site warns you when you try to punch in your details.
This is an example of how hackers can steal your passwords. They take your details after you enter them. Some websites can even redirect you to the proper service and help you to login too. You won't suspect a thing until it's too late.
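One way to automate the domain check described above is to compare a link's host against an allowlist of the organisation's real domains and flag hosts that only borrow the brand name. This is an added example, not part of the original article; the allowlist (`dbs.com`, `dbs.com.sg`), the brand token and the function names are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Assumed for this example: allowlist of genuine domains and the brand token.
OFFICIAL_DOMAINS = {"dbs.com", "dbs.com.sg"}
BRAND_TOKENS = {"dbs"}


def _tokens(text):
    """Split a host or userinfo string into lowercase tokens on '.' and '-'."""
    return set(text.lower().replace("-", ".").split("."))


def classify_link(url):
    """Return 'official', 'lookalike' or 'unrelated' for a link in a message."""
    # Links in SMS bodies often omit the scheme; urlsplit needs one to find the host.
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "unrelated"
    # Official only if the host IS an allowlisted domain or a subdomain of one.
    # Matching on the right-hand end rejects "dbs.com.sg.<other-domain>".
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    # The brand shows up where it should not: as a label of some other domain,
    # or in the userinfo before '@', which is not the site being visited.
    userinfo = parts.username or ""
    if BRAND_TOKENS & (_tokens(host) | _tokens(userinfo)):
        return "lookalike"
    return "unrelated"


# Constructed sample links; dbs.limited is the demonstration site from the article.
SAMPLES = [
    "https://www.dbs.com.sg/personal",
    "https://dbs.limited",
    "dbs.com.sg.verify-account.example/login",
    "https://www.dbs.com.sg@login.example/",
    "https://dbs-secure.example",
    "https://example.org/news",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link):10} {link}")
```

Token matching does not catch misspellings or look-alike Unicode characters, so "unrelated" means "not proven official", not "safe".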
If you have read to the end and found this helpful, consider also sharing this article with others to prevent SMS phishing scams from happening.

Tidbits from Raeesah's 22nd Dec COP hearing

I was worried when the previous special report mentioned that the hearing has “largely concluded”, and there was no mention of calling up Raeesah to clarify her contradictions.
So I was pleasantly surprised when Raeesah was called up on the 22nd. It was an explosive hearing as she doubled down on her earlier statements.

Tidbits:

  1. This hearing gave Raeesah an opportunity to reconfirm her account of events.
    She stood by all of her earlier statements, many of which directly contradicted testimonies from the WP leaders.
  2. Raeesah attributed the source of the “take the truth to the grave” quote back to Pritam.
    She clearly testified that it was Pritam who used the words, “take it to the grave”. In her account, the words were used in the presence of Sylvia and Faisal too.
    She further added it was not a phrase that she would usually use.
  3. Raeesah’s demeanour has changed.
    In the previous hearings, she came across as someone who was ready to face consequences for her mistakes in parliament.
    But today, there's a definite air of defiance. With a bright red blazer and a slick haircut, she doubled down on her earlier statements that Pritam and the leadership had given her instructions to continue the lie.
  4. Mental health has come to the forefront of the hearing.
    Raeesah was visibly frustrated multiple times in the hearing.
    She was offended that Pritam made allegations regarding her emotional and mental state and suggested in his hearing that she be sent for a psych review. She called his actions “out of line”.

Afterword:

  1. To be fair, Raeesah was the one who brought up her mental health in the first place.
    She was the one who submitted a medical report from her therapist to the WP leaders after the DP hearings, with mentions of the possibility of PTSD.
    She was also the one who brought up the term “dissociation” with Pritam to offer an explanation why she might have lied.
    I think it’s a little disingenuous for Raeesah to play the victim now and accuse Pritam of casting doubts on her mental state, when she was the one who first brought it up.
  2. Just because you are outraged, it doesn’t mean you are right.
    I hope we are not distracted by Raeesah’s outrage that her mental and emotional capabilities were questioned by Pritam.
    I notice there’s a tendency in people to gravitate towards angry individuals who seem to be championing a noble cause.
    We have to be careful that Raeesah does not distract us from the hearings about her lie and whether WP wanted to cover it up.
    While Raeesah could say it’s “out of line” for Pritam to question her mental state, she should perhaps reserve a little more outrage for the COP that actually sent her to get the two psychiatric assessments.
  3. What’s the point of telling witnesses to keep the hearing confidential until the COP has submitted findings to parliament?
    All the videos of the hearings are already available publicly on YouTube.
    You could see that Raeesah was ready to refute many of the points that were mentioned in the other hearings.
  4. That’s the problem with lying: it’s hard to believe a liar again once they have been caught.
    Is Raeesah truthful now? It’s really hard to tell. That’s why we tell children the story of the boy who cried wolf.
    Raeesah’s credibility is in tatters now, and that’s detrimental to her hearing in the court of public opinion.
  5. Where are the minutes from the multiple meetings in WP?
    WP needs to tighten its SOP.
    Firstly, let’s not meet at homes anymore for important issues. Yes, they can meet socially outside of work and drop off baby stuff. But to discuss important issues, such as what course of action to take in parliament, shouldn’t there be a more formal location?
    Next, they should ensure that minutes are taken, or better yet, recordings. Especially for important meetings, such as a disciplinary hearing.
    By this, I’m of course making the assumption that WP is not hiding any minutes from the COP.
  6. Will the real Edwin please stand up?
    Unlike the Edwin that showed up to Pritam’s first hearing, he didn’t interrupt Raeesah’s hearing.
    There were no “just say yes or no” retorts. By giving Raeesah the floor, he let her narrate her account articulately. He even gave her the chance to “paraphrase” his questions.
    Obviously, it helps the PAP if WP leaders and Raeesah get into an endless cycle of mudslinging.
    In that way, the disparity of Edwin’s performance in the COP makes perfect sense.
  7. Did Raeesah succeed?
    She was championing liberal progressive issues such as sexual assault and mental health, both of which were brought into the public consciousness of Singaporeans through the hearing.
    I think most Singaporeans will agree that such topics are highly important and deserve to be discussed in parliament and the greater public. But I’m sure there are less divisive ways of starting the conversation than how Raeesah did.
    By needlessly inserting herself as the hero in the account of a sexual assault survivor, Raeesah is unclear in her purpose.
    By characterising herself as a victim of mental health stigma by Pritam, Raeesah is unclear in her intention.
    Let us be aware of such manipulative actions, lest important conversations be hijacked for dubious means.
  8. So what happens next?
    I guess calling the hearing "largely concluded" was premature prior to Raeesah's 22nd hearing. But now that she has had a chance to submit her testimony, I think we are close to the conclusion.
    In a court of law, witnesses could submit differing testimonies, and the judge/jury will decide on the sentence after the lawyers have presented their case.
    The COP of course works differently from a court, but it’s probably the closest thing we can draw a comparison with. In this case, the COP is the judge/jury.
    I think both sides have submitted all their evidence and there’s little chance anyone will budge from their positions.
    The fates of Raeesah, WP leaders and indeed, WP, are now in the hands of the COP.
  9. I can’t help but feel the conclusion of the hearing will be divisive for Singaporeans.
    This is because the testimonies are so contradictory and there is no physical evidence to back up anyone.
    Looking online, most Singaporeans are feeling fatigued by the onslaught of information and are starting to tune out. Most have already made up their minds on who to believe before the COP comes to a conclusion.
  10. Regardless of who is telling the truth, WP needs to find a way forward.
    At the end of the day, the party is more important than any individual, including Pritam.
    It might be controversial to say this, but I think it’s an option for Pritam to consider resigning as party secretary. Regardless of what the truth is, there are multiple leadership failures that are brought to light which he needs to be responsible for.
    It’s going to be a painful process, there isn’t a long list of candidates to take over from him. But WP needs to think about how best to limit the fallout from this.
    If Pritam stays on, his tenure will forever be mired in this debacle. But if he resigns as party secretary and continues to work in WP, he could show that he is not above party discipline and is ready to take responsibility and accept punishments.
    In fact, it fits into the narrative of WP wanting accountability and responsibility.
    It is still possible for Pritam to run for party sec again in the future. Singaporeans love to see a redemption arc. Pritam has the chance to play that role perfectly.
    In my view, whether Pritam and gang or Raeesah is right, it’s not as important as the fate of the WP. Pritam, as the party sec, needs to prioritise that above everything else, including himself.

Iron & Compassion

Trigger Warning: Includes mentions of suicide and sexual assault.
Why were Pritam and the leadership so vague with the instructions to Raeesah? They said it was because they were worried about her well-being. She revealed she was raped (exact word used). Pritam thought her well-being was the priority, and gave her space to square things with her parents, then tell the truth in parliament.
He thought his instructions were clear, but events turned out very differently. Pritam conceded he could have been more direct in hindsight during the hearing.
If you are/were a WP supporter, it must be frustrating to watch things come to light in the hearing. If only any of the WP leaders had just communicated, in clear precise terms, for Raeesah to stop lying.

Leaders must have “that iron” LKY said

I sympathise with Pritam. It’s not easy to be an opposition member in Singapore. And it’s probably one thousand times more difficult to be its leader. Pritam had to contend with important issues such as the FICA and CECA debate while dealing with a delinquent Raeesah.
But there are no excuses. As the leader of the opposition, Pritam should have expected to face challenges like this. As LKY put it, “Whoever governs Singapore must have that iron in him”. If Pritam wants WP to one day become the government of SG, he must quickly find “that iron”.

Communicating clearly with compassion and iron

WP leaders built a narrative that, because they were concerned about Raeesah’s well-being, perhaps instructions were unclear and WP dragged its feet.
But why must “compassion” and “clarity in instructions” be mutually exclusive choices in any situation? It’s a fallacy. WP leaders could and should show compassion, but at the same time, clearly lay down to Raeesah what needs to be done to make things right.

We must not divorce compassion from leadership though

The tragedy of Teh Cheang Wan keeps coming to my mind throughout this episode. He was the Minister for National Development in 1986 under LKY, when he was investigated for corruption. Though Teh maintained his innocence, he committed suicide before being charged for the offences, on December 14.
I can only imagine what despair he must have felt, and what mental state he was in, that drove him to this. Could the tragedy be avoided? What if the leaders then showed him similar levels of compassion as the WP leaders to Raeesah?
To be clear, I’m not blaming the then leaders for his suicide. Neither am I implying that Teh and Raeesah are the same. Teh contributed to Singapore’s nation building efforts. Raeesah made Twitter posts accusing the police of racism. The accusations against them are also very different.
The point I’m trying to make, is that any situation has the potential to end very poorly, such as in Teh’s story. Compassion cannot be undervalued. And while condemning WP, we should also commend them for protecting the well-being of its members.

Did Raeesah abuse WP’s compassion?

Raeesah cannot avoid the spotlight while we discuss this. While much of this is self sabotage by the WP, one should also ask if Raeesah wilfully misunderstood the instructions to try and turn things in her favour.
For example, Raeesah has shown in the evidence that she has a tenuous relationship with the truth. She invented words such as “take the truth to the grave” in messages to her aides. She used the unclear instructions to her advantage, and twisted them to fit her own narrative.
Communication goes both ways. If someone wilfully and intentionally wants to misunderstand the instructions, then is it the superiors’ fault for not communicating better?

In the end, leadership is not for the faint hearted

Again I sympathise with the plight that WP is in now. With social media, every single action is mercilessly analysed and every mistake memed. I’m sure more information will also come to light in the future.
But WP needs to confront what its identity is going to be, and what exactly it stands for. We don’t just vote in leaders because of their ability to show compassion and protect party members.
Parliamentary responsibilities, integrity, decisiveness are some of the things that voters are looking for, but will not find in the way WP handled the Raeesah incident.