When many citizens in Singapore got a suspicious-looking SMS yesterday telling them their Eldershield government insurance policy was being terminated, they were rightly worried that they were targeted by yet another online scam.
It didn’t help that the message, apparently a real one from the Central Provident Fund (CPF), told recipients they had to log in to a website via a clickable link with their Singpass national digital ID.
Sounds somewhat like those scam messages that helped criminals steal S$13.7 million from OCBC bank customers earlier this year? You bet.
The CPF came out today to clarify that it had indeed sent the messages yesterday. What’s astounding was a spokesman saying there was “no particular reason” it had sent them yesterday. Presumably, it hadn’t considered the heightened worry amid the scams of late.
A person quoted by The Straits Times said he had clicked on the link, entered his Singpass details and got worried he might have been scammed. After all, it took just minutes for scammers to siphon out hundreds of thousands of dollars from some OCBC victims.
The CPF’s comedy of errors extended to one of its websites as well. After some users clicked on the link, they found that it was down, due to the traffic that it had to handle. You can’t blame people for being worried.
Could the CPF have been more savvy, given the recent concern and the advice to users to avoid clicking on links that arrive via SMS? Yes, certainly.
The link it sent ended with gov.sg, which offered an indication that it was a Singapore government website. That said, this is not a surefire way to make sure you’re going to a real site, instead of a spoof or phishing site set up to steal your login credentials.
The best way is to type in the website link yourself, either on the phone or on a separate computer, so you can be sure you are not led to a fake website.
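The point that a link "ending with gov.sg" proves little can be made concrete with a small check. The following is an added example written for this article, not code from the CPF, GovTech or any Singapore government service, and the sample links in it are constructed placeholders, not real or known phishing addresses. It contrasts a naive substring test on the whole URL with a check on the hostname alone, split on label boundaries, which is the only part of a link that tells you which organisation actually controls the site.

```python
from urllib.parse import urlsplit

# Constructed sample links for illustration only (none are real CPF or scam URLs).
# The value is what a careful reader would want the check to say.
SAMPLE_LINKS = {
    "https://www.cpf.gov.sg/member/eldershield": True,            # genuine-looking subdomain of gov.sg
    "https://cpf.gov.sg.login-portal.example/eldershield": False,  # gov.sg is only a prefix of the host
    "https://login-portal.example/verify?next=gov.sg": False,     # the URL string ends in gov.sg
    "https://notgov.sg/cpf": False,                                # suffix match without a label boundary
    "https://cpf.gov.sg@login-portal.example/": False,             # "user info" before @ is not the host
}


def naive_contains(url: str, trusted_suffix: str = "gov.sg") -> bool:
    """The intuition many readers apply: does the link mention gov.sg anywhere?"""
    return trusted_suffix.lower() in url.lower()


def hostname_under(url: str, trusted_suffix: str = "gov.sg") -> bool:
    """Return True only if the URL's hostname is the trusted domain or a subdomain of it.

    The comparison is done on DNS labels, so 'notgov.sg' does not match 'gov.sg',
    and anything after the host (path, query, fragment) or before it (user info)
    is ignored because it does not affect which server the browser contacts.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        # urlsplit rejects some malformed inputs (for example bad IPv6 brackets)
        return False
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False
    labels = host.split(".")
    suffix_labels = trusted_suffix.lower().split(".")
    if len(labels) < len(suffix_labels):
        return False
    return labels[-len(suffix_labels):] == suffix_labels


def compare_checks(links: dict) -> dict:
    """Run both checks over the sample links and report where the naive one is wrong."""
    report = {}
    for url, expected in links.items():
        report[url] = {
            "naive": naive_contains(url),
            "hostname": hostname_under(url),
            "naive_wrong": naive_contains(url) != expected,
        }
    return report


if __name__ == "__main__":
    for url, result in compare_checks(SAMPLE_LINKS).items():
        flag = "naive check misled" if result["naive_wrong"] else "both agree"
        print(f"{url}\n  substring: {result['naive']}  hostname: {result['hostname']}  ({flag})")
```

Even the hostname check only establishes which domain a link points to; it cannot tell you whether the SMS itself was genuine, and it says nothing about lookalike characters in internationalised domain names. That is why the advice above, to type the address yourself, still stands.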
The government is rethinking the use of clickable links in its SMSes to citizens. The banks, after all, have decided to stop that practice after the OCBC debacle, mindful of the risks involved.
To be sure, many people – especially the less tech-savvy – may find it hard to log on to e-services if these convenient links are not available. However, that has to be balanced against the kind of threats facing users.
If they lose their Singpass credentials to scammers, citizens face a whole host of problems. Someone could steal valuable personal data and impersonate them to apply for permits or licences, for starters. They would have to go through a lot more hassle to recover their access.
So, it’s critical to keep educating users on best practices, one of which is not to click on links that come in via suspicious-looking messages. The heightened risks mean you have to trade off some convenience for security.
For CPF and other government agencies, it is also important to consider when and why they send their messages. Is it necessary, even, to send a message over SMS?
Yesterday, the message was meant for CPF members whose Eldershield plan was indeed expiring and to tell them they would be enrolled on a newer one, called CareShield.
Does it need users to click on a link to find out more? In a message sent out of the blue? Context matters and it’s missing here.
And for goodness’ sake, CPF, please craft better messages that don’t look like a typical scam SMS. Wasting citizens’ time also negates the convenience that these digital services promise.
Time for GovTech to come up with a national DNS server. Filter all phishing and malicious links.
Better still, collaborate with all ISPs to push out the DNS server.