Beware of fraudulent SMS sent by “Maxis”. Why are Malaysians still receiving SMS with URLs?

It’s 2024 and SMS scams are still going strong. Last year, the Malaysian Communications and Multimedia Commission (MCMC) issued a directive to all telcos to block SMS messages containing URLs. A year later, it seems that scammers have been able to circumvent the measures and are now sending SMS messages pretending to be “Maxis.”

As shown below, some fraudulent SMS messages use “Maxis” as the sender ID and remind “users” to redeem their rewards before their reward points expire. The messages contain URLs that pretend to be Maxis with different variations containing the brand.

SMS from “Maxis” reminding users to redeem points

First of all, Maxis does not offer a rewards points system and there is no rewards portal that users can claim. What is more interesting is that the same message was also sent to non-Maxis users, including CelcomDigi postpaid users.

At the time of writing, the supposed URLs do not appear to be working, as they are likely blocked or have been removed after reports were made. Such tactics are intended to trick users into providing sensitive information, including usernames and passwords.

Never click on random URLs from SMS

As usual, never click on random links that you receive via SMS or instant messaging. With SMS spoofing, it can be difficult for users to verify if the message is genuine, as the fraudulent message appears in the same thread as other legitimate messages from Maxis or a trusted source. The best practice is to verify the URL before clicking on it. If it claims to be from Maxis, it should be maxis.com.my and no other variant.

For better protection, avoid accessing links that require you to log in or provide credentials. It is recommended to log in only through the official app or visit the official website from the web browser by entering the URL manually. If in doubt, you can call the provider for further verification. Even banks and e-wallets have stopped sending OTPs and URLs via SMS as part of the security measures introduced by Bank Negara Malaysia.

SMS containing URLs are supposed to be blocked, why did this happen?

The biggest question is why such messages are still being received by local users of Malaysian telecom operators in 2024? All telecom operators in Malaysia have been ordered to no longer allow individual mobile users to send and receive SMS with URL links Since May 2, 2024The directive was announced on February 14, 2023 and aimed to prevent users from becoming victims of online scams.

According to a Maxis FAQ, the SMS blocking has been implemented in stages to give businesses and business users enough time to stop sending clickable links. For now, the blocking only affects SMS sent between individuals (May 2, 2023) and applications such as business SMS services (July 2, 2023).

The MCMC has granted an exemption to affected essential service businesses to include the URL and personal information, but this exemption is currently set to expire on August 31, 2024.

Calls to extend exemption from blocking SMS with URLs

The Malaysia Mobile Technology Association (MMTA) recently requested the MCMC to extend the exemption beyond 31 August 2024 for certain entities as it fears that the blockade will severely disrupt legitimate business communications and indirectly cause economic uncertainty. According to the MMTA, credible entities such as government agencies, financial institutions and other companies have been exempted from the ban and are subject to their individual brand name and short code approved by the MCMC.

They added that these individual brand names and short codes, usually five to six digits, allow users to ensure that an SMS from the entity is legitimate.

Under the current directive, the exemption will be revoked on September 1 and all telecom operators will be required to fully block prohibited content in all enterprise SMS applications for peer-to-peer messages. The MMTA says the decision to block URLs, callback numbers and requests for information will disrupt legitimate business communications with the public.

The association argued that while consumer protection is crucial, sweeping restrictions could seriously disrupt legitimate business communications with the public. The association added that these entities rely heavily on SMS URLs to notify users of the delivery of electronic invoices, appointment confirmations, password resets and even logistics training.

They hope the MCMC will work with industry stakeholders to find a balanced approach that protects consumers while allowing businesses to continue providing essential services.

What can businesses do?

SMS is a very insecure means of communication, prone to spoofing, as in the “Maxis” example above. With the exception of certain shortcodes and names, it seems that scammers are now smart enough to spoof these whitelisted sender IDs to send fraudulent SMS messages containing URLs.

For example, businesses can adopt secure channels to issue notifications, such as WhatsApp, which offers a verified business account. They can also integrate notification and verification through their own official apps, similar to those of banks, e-wallets and digital banks.