An Update on the SMS Phishing Sender Id Spoof Vulnerability

IMDA reply to Captain Sinkie
On the 15th Jan, the ease of SMS phishing scam was raised on this blog.
Thankfully, it was picked up and reported by main stream media:

IMDA Reached Out

IMDA reached out on Twitter on the 21st Jan regarding the issues raised.
IMDA reply to Captain Sinkie
We had a Zoom meeting on the 28th Jan. IMDA is extremely receptive to the suggestions from the public with regards to securing sender ids for SMS messages.

What Was Proposed

The suggestion from the ground is to regulate third Party SMS Aggregators such that registration is required for companies to send SMS with certain sender names.
By default, all other unauthorised sender names are blocked. Effectively, this is a whitelist approach.
Indeed 51 other countries have adopted solutions such as this. Many more countries outright block sender name changes. Source

What’s next

IMDA has acknowledged that the registry is a pilot and will be looking to improve it.
It’s definitely not a simple or quick change that will fix this. And while it is an important problem, we should also have patience and give the gov time and space to fix it.
I will check it in a month’s time on the 28th Feb 2022 to see if SMS can be sent with custom sender names. Hopefully, the issue will be fixed by then.
I’m sure the public will be unhappy if this vulnerability is still around then. It feels like a ticking time bomb in our backyard, just waiting to blow up.

Do share this with your loved ones to add more support for this issue.


If there’re any vulnerabilities that can be used by scammers, we have to quickly fix it.
Which is why I’m glad the information here has been handed to and acknowledged by the authorities. I won’t be writing about the SMS phishing issue for a while unless there are updates on this.
Subscribe to my telegram channel (anonymously) to get updates when I post.
OCBC Scam: Exposing the Roles of Third Party SMS Aggregators in SMS Phishing