News and resources on cyber and physical threats to banks and fintechs worldwide.
Hong Kong banks take on SMS scammers

Hong Kong banks take on SMS scammers

Hong Kong banks are joining an SMS sender registration scheme designed to help customers avoid falling for scam texts.

The scheme will see participating banks use registered SMS sender IDs with the prefix "#" to send messages to local subscribers of mobile services. Texts with sender IDs containing "#" but not sent by registered senders will be screened out by telcos.

The scheme, backed by regulators and the police, was launched in December with telcos. Now 28 retail and virtual banks - including Ant Bank, DBS and Standard Chartered - are signing on.

Luanne Lim, chairman, Hong Kong Association of Banks, says: "The HKAB welcomes the SMS Sender Registration Scheme, which will help combat malicious spoof messages. By utilising the registered SMS sender IDs, participating banks can strengthen client protection against fraudulent SMS messages.

"In the face of ever-evolving scam tactics, the banking industry will continue to collaborate closely with relevant parties to combat frauds through technological advancements and customer education."

Comments: (1)

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 24 January, 2024, 10:08Be the first to give this comment the thumbs up 0 likes

Great initiative. Hope they also create an open directory so recipients of SMS know the full name of the company behind cryptic SMS Headers.

In the blog post titled Variants Are Making Phishing Attacks More Lethal Than Ever in my company blog, I gave two examples of scams that worked by using misleading SMS Headers:


... when you get a text, you need to look at the SMS Header and use your general knowledge / common sense to decipher who the sender of the message is e.g. “TM-HSBCIM? Ah it must be HSBC Bank”; “VK-GODDY must be Go Daddy”; and so on.

This works well – until it doesn’t.

BP-RTODPT is not RTO Department (DMV of India). This SMS Header belongs to a motor insurance company that uses the bait-and-switch dark pattern to sell you a policy that you don’t need.

Then there’s QP-ITDEPL, the header used by a scamster to send out texts about income tax refund. A poor sucker who got this SMS thought it was from the Income Tax Department, took the offer for refund to be genuine, clicked through the link, and lost INR 2.94 Lakhs ($3900) in the bargain.


If only there was a directory, diligent users could have avoided falling victim to the scam by looking up the directory and realizing that the above two SMS Senders were not who they claimed to be.

I get the introduction of # symbol but, as far as I can make out, this feature would merely change the SMS Header from e.g. BP-RTODPT to #BP-RTODPT, which can still succeed at scamming the recipient of the SMS.