SINGAPORE – The tactics used by fraudsters in the recent spate of SMS phishing scams have been called sophisticated, but many of the tools used are easily available.
Checks by The Straits Times found that free or cheap tools available online can be used to send SMS messages that carry the same sender identification address as those used by legitimate banks and government agencies, which causes the fake messages to appear in the same thread as the real ones.
Here is a look at the known tools used in the recent scams.
Third-party SMS clients
While an SMS message sent from a mobile phone typically identifies itself as being from the user’s mobile number, there are programs that send SMS messages over the Internet and mask the sender’s number.
Paid SMS aggregator services such as Twilio are used by legitimate businesses to communicate with customers. Most allow the sender ID field to be customised with the name of the business instead of the default unfamiliar number.
Some countries require businesses to pre-register for sender IDs, meaning users have to provide information and supporting documents to an authority for approval. Singapore does not currently enforce pre-registration.
Using a service based in Europe, ST was able to send and receive SMS messages that appeared to be from banks such as UOB and Standard Chartered, as well as government agencies like the Ministry of Health and the Central Provident Fund Board.These messages appeared in the same thread as…
