Fake SMS scams: How they work and what can be done


The ease with which a fake SMS can be sent has also been documented by Mr ZP Lee, who goes by “Captain Sinkie” on his blog.

Mr Lee, founder of coding school Upcode Academy, said he became concerned after reading about recent phishing scams and decided to find out for himself how an SMS could be spoofed.

By using a third-party tool he found online, he managed to send a message to himself under the name of “DBS Bank”.

These third-party services are easily found online with the code written up “in mere minutes”, said Mr Lee, who is also a data science instructor. 

“I’m astounded and extremely worried by how easy it is for anyone to use them to spoof the sender’s name in an SMS,” he told CNA.

MANDATE REGISTRATION OF SMS SENDER IDS?

Experts said making users pre-register their SMS Sender IDs, or the names that appear on their messages, with authorities is one way to thwart illegal attempts by swindlers.

In Singapore, a pilot programme allowing organisations to do so was launched by the Infocomm Media Development Authority (IMDA) in August last year. Once an organisation has registered, messages that make unauthorised use of its registered Sender IDs will be blocked.

The programme, however, is not mandatory.

Mr Lee the entrepreneur has started an online petition calling for authorities to enforce such pre-registration and adopt “a whitelist approach”.

“Restrict and block all sender names from being changed by a third party. Instead, require companies to register for certain sender names before they can be used to send SMS. This means that hackers will effectively be unable to spoof the sender names of SMS,” he explained.

As of Thursday (Jan 20) afternoon, nearly 2,200 people had signed the petition on Change.org.

Such pre-registration is already required in many countries, experts said.

“Pre-registration would prevent attackers from being able to spoof organisations’ SMS Sender IDs. I would definitely be supportive of this being made mandatory by the Government,” Mr Hall said, adding that he does not see other regulations “that could help without being overbearing”.

The Government can also develop a platform that complements the existing ScamShield app,…
