[ UPDATE 2/09/2024 16:00 ] MCMC enforces ban on all SMS containing prohibited content including URL links.
===
It’s 2024 and SMS scams are still a thing. Last year, the Malaysian Communications and Multimedia Commission (MCMC) issued a directive to all telcos to block SMS containing URLs. Fast forward a year later, it appears that scammers could circumvent the measures and are now sending SMS pretending to be “Maxis”.
As shown below, there are scam SMS that use “Maxis” as the Sender ID and it reminds “users” to redeem rewards before their reward points expire. The messages contain URLs that pretend to be Maxis with different variations which contain the brand.
SMS from “Maxis” reminding users to redeem points
Firstly, Maxis doesn’t run a rewards points system and there’s no rewards portal for users to claim. What’s more interesting is that the same message was also sent to non-Maxis users including users on CelcomDigi postpaid.
At the time of writing, the purported URLs don’t seem to work as they are probably blocked or have been taken down after reports were made. Such tactics are an attempt to phish users into providing sensitive information which includes usernames and passwords.
Never click on random URLs from SMS
As usual, never click on random links that you receive from SMS or instant messaging. With SMS Spoofing, it can be a challenge for users to verify if the message is genuine as the scam message appears on the same thread as other legit messages from Maxis or a trusted source. The best practice is to check on the URL before clicking on it. If it claims to be from Maxis, it has to be maxis.com.my and not any other variations.
For greater protection, avoid proceeding with any links that require you to login or provide credentials. It is recommended to login only via the official app or visit the official website from the web browser by entering the URL manually. If you’re unsure, you can call the provider for further verification. Even banks and eWallets have stopped sending OTPs and URLs through SMS as part of the security measures introduced by Bank Negara Malaysia.
SMS with URLs are supposed to be blocked, why did this get through?
The biggest question is why such messages are still being received by local Malaysian telco users in 2024? All telcos in Malaysia have been ordered to stop allowing individual mobile users to send and receive SMS with URL links since 2nd May 2024. The directive was announced on 14th February 2023 and was aimed at preventing users from becoming victims of online scams.
According to an FAQ by Maxis, SMS blocking was implemented in stages to give ample time for enterprise and business users to move away from sending clickable links. For now, the blocking only covers SMS sent between individuals (2 May 2023) and applications such as Enterprise SMS services (2 July 2023).
Exemption was given by the MCMC to relevant essential services businesses to include URL and personal information but this exemption is currently set to end on 31st August 2024.
Calls to extend the exemption of blocking SMS with URL
The Malaysia Mobile Technology Association (MMTA) has recently called upon the MCMC to extend the exemption beyond 31st August 2024 for certain entities as it raised concerns that the blockade would severely disrupt legitimate business communications and indirectly lead to economic uncertainty. According to MMTA, credible entities such as government agencies, financial institutions and other corporations, were exempted from the ban and are subject to their individual brand name and short code approved by the MCMC.
They added that these individual brand names and shortcodes, typically five to six digits, enable users to ensure that an SMS from the entity is legitimate.
With the current directive, the exemption will be revoked on 1st September and all telcos will be required to block prohibited content in all enterprise SMS applications to peer messages entirely. MMTA says the move to block URLs, call-back numbers and requests for information will disrupt legitimate business communications to the public.
It argued that while consumer protection is crucial, the sweeping restrictions could severely disrupt legitimate business communications to the public. The association added that such entities have relied heavily on URLs in SMS to inform users of delivery of eInvoices, appointment confirmations, password resets and even logistics training.
They hope MCMC will collaborate with industry stakeholders to find a balanced approach that protects consumers while allowing businesses to continue delivering essential services.
What can enterprises do?
SMS is a very insecure communications medium which is prone to spoofing like the “Maxis” example above. With the exemption given to specific short codes and names, it appears that scammers are now smart enough to spoof these whitelisted Sender IDs to send scam SMS containing URLs.
One option is for enterprises to adopt newer and secure channels to issue notifications such as WhatsApp which offers a verified business account. Alternatively, they could integrate notifications and verifications through their own official apps similar to banks, eWallets and digital banks.