Singapore Orders Apple and Google to Block gov.sg Spoofing on iMessage and Google Messages Amid Surge in Scams

Dwijesh t

Singapore has taken strong action against a rising wave of impersonation scams by issuing a formal directive to Apple and Google. Under the Online Criminal Harms Act (OCHA), the Singapore Police Force (SPF) has ordered both tech giants to implement urgent safeguards in iMessage and Google Messages (RCS) to combat the growing misuse of government identities, especially the spoofing of “gov.sg”.

Government Impersonation Scams Hit Record High

The directive comes amid a sharp rise in impersonation scams. In the first half of 2025 alone, officials recorded 1,762 government impersonation scam cases, nearly triple the 589 cases seen in the same period the previous year. Financial losses also surged to an alarming S$126.5 million, highlighting the need for immediate intervention.

One of the biggest loopholes exploited by scammers lies in the difference between SMS and OTT (over-the-top) messaging apps. While genuine government SMSes use the protected “gov.sg” Sender ID under the SMS Sender ID Registry (SSIR), this safeguard does not extend to platforms like iMessage, Google Messages, or RCS.

Scammers took advantage of this gap by using spoofed display names such as “gov.sg” or “SingPost” to trick users into believing the messages were legitimate government alerts.

Key Security Measures Ordered for Apple and Google

Under the directive issued on November 24, 2025, Apple and Google must implement strong anti-spoofing safeguards by November 30, 2025. The core requirements include:

1. Blocking or Filtering Spoofed Names

Both platforms must:

  • Prevent accounts or group chats from displaying names that imitate “gov.sg” or any Singapore government agency.
  • Filter out messages originating from accounts using spoofed names.

This directly targets scammers who rely on misleading display names to appear credible.

2. Obscuring Unknown Sender Names

Apple and Google must also ensure:

  • Profile names of unknown senders are hidden or displayed less prominently than phone numbers.

This helps users more easily identify suspicious or unfamiliar contacts.

Non-Compliance Could Cost Up to S$1 Million

Both companies have confirmed they will comply, with Google adding that it is working with authorities on pre-emptive RCS safeguards to prevent future spoofing attempts. Under OCHA, companies that fail to comply without reasonable excuse face a penalty of up to S$1 million, plus S$100,000 per day for continuing violations.

Singapore’s Ministry of Home Affairs (MHA) urges all users to update iMessage and Google Messages regularly so the latest security protections remain active.
