Phishing SMS/Emails/Calls

The Cyber Security Agency (CSA) posted an advisory about tech support scammers impersonating CSA officers 7 months ago. A few cybersecurity professional, me included, saw the post and immediately commented either directly on the post or on a copy shared by one of the deputy directors that the impersonation was possible because CSA did not properly set up their DMARC policy. Since then, they have set up a DMARC policy and it is now impossible to impersonate emails from

I was reminded of this incident when I observed the response in the aftermath of the OCBC phishing SMS fiasco. As per this Straits Times article on 17 January, IMDA urged all businesses to sign up on the anti-SMS spoofing registry. As per this Straits Times article on 31 January, some members of public managed to show that it is possible to bypass the registry and spoof as businesses that had already signed up. It seems like our regulators, IMDA and CSA, do not have senior engineers who are intimately familiar with the technical aspects of the technologies they are regulating.

CSA is rather fortunate because emails are a widely understood technology. Every major company runs their own email servers so there are plenty of IT engineers out there who are very familiar with all the inner workings of email. They understand details of all the protocols (IMAP/POP3/SMTP) to do with sending and receiving emails as well as all the security mechanisms (SPF/DKIM/DMARC) to safeguard email from spoofing. They can explain everything that happens from the moment you push the send button all the way until the email arrives in the recipient's inbox. This group of professionals can call CSA out when they observe insecure practices.

Unfortunately, SMS and phone calls are poorly understood technologies. In the past, companies used GSM modems or SMS gateways to send SMS. Nowadays, they may a service like Twilio. Regardless of the method, once the SMS leaves the endpoint, it enters a black box and re-emerges on the other side to reach the recipient. Very few people understand what happens inside that black box and can explain step by step how it works. ISPs are doing source IP spoofing and dropping packets, can something similar be done for calls/SMS? Are international calls/SMS from foreign Telcos routed the same way as local calls/SMSes? Do they come through the same pipe? How about local subscribers that are currently roaming and connected to foreign Telcos? Can those calls/SMSes be differentiated from the spoof calls/SMSes?

Perhaps only senior engineers who have worked in Telcos have the answer to those questions. Given the age of SMS/telephony technology, many of those senior engineers may already be retired. Maintenance may have been outsourced and there may be very few people left with that technical expertise. Without an in-depth understanding of the technology, we will not be able to fully block phishing calls/SMSes and our regulators will have to continue what they do best, sending advisory after advisory telling people not to click on links and not to answer calls starting with +65.