NTC says ‘smishing’ likely text blasts, not data aggregator-generated

“Data aggregators” and contact-tracing apps are not the culprit in the ongoing “massive” spam phone messages that have targeted individuals through personalized “smishing” (SMS phishing) operations that include the recipients’ actual names, the National Privacy Commission (NPC) said on Wednesday.

Though it may appear organized, the recent wave of smishing is likely “text blasts” transferred phone-to-phone, Privacy Commissioner John Henry Naga said in the privacy webinar Privacy, Safety, Security and Trust Online (PSST!).

“As confirmed with the telecommunications companies, smishing messages which are sent using mobile numbers are possible through a phone-to-phone (P2P) transmission,” Naga said.

“Such transmission is usually coursed through a telecommunication company’s regular network and does not pass through data aggregators,” he said.

This developed as the Philippine National Police renewed its call to enact a law that would mandate the registration of all SIM (Subscriber Identity Module) cards, amid the explosion of personalized text scams in the past weeks.

Police Brig. Gen. Jose Chiquito Malayo, PNP Deputy Chief for Administration, said such a law would add more teeth to the PNP’s Anti-Cybercrime Group (ACG) to run after scammers, who appear to have “leveled up” as the text messages they send now contain the names of actual phone users.

“This is expected to assist law enforcers in identifying culprits or scammers who use their communication devices to victimize unsuspecting individuals,” said Malayo.

Police Brig. Gen. Joel Doria, director of the PNP ACG, said their initial investigation disclosed that the senders’ numbers are not linked to any social media accounts, messaging apps, and digital wallets.

“This is apparently to avoid identification by law enforcers. We have already conducted social media exploitations and there are numerous possibilities on how scammers get hold of the personal information of the recipients of spam text messages,” said Doria.

He said the data may have been sold and bought in bulk on the “dark web,” where hackers and techies use special software to buy and sell information, which makes the users anonymous and untraceable.

The information may also have been obtained through social media platforms, websites, and phone directories around the internet.

According to Doria, raffle tickets and other standard application forms that people would fill out in markets and other establishments could also be a source.

“It can also be acquired thru random typing of numbers in social media messaging apps like Viber, which when added, the messaging app will automatically supply the person’s name,” he said.

Social media has been abuzz about SMS (short messaging service) that contain the names of phone users, raising concerns about data privacy.

In discounting that possibility, the NPC’s complaints and investigation division observed from the smishing report it received that the smashing messages appear to have been sent using specific mobile numbers registered to certain texting services, Naga said.

Unlike a P2P transmission, data aggregators use an application-to-phone (A2P) transmission. The messages received using this transmission use SMS ID like bank names and organization names that identifies data aggregators, or the brand or business name using the data aggregator’s services.

Nonetheless, NPC said it has continuously probed potential sources and the root cause of targeted smishing messages, such as patterns in the use of name formats that prospectively match the names of data subjects registered with popular payment applications, mobile wallets, and messaging applications.

The NPC is also working closely with telecommunications companies in creating countermeasures against the recent wave of targeted smishing messages, Naga said.

As a concrete course of action, local telcos have blocked identified mobile numbers that sent smishing messages and are continuously blocking messages with malicious URLs (Uniform Resource Locators or Internet links) associated with smashing.

“The NPC shall pursue its investigation to its full extent and within the bounds of its mandate to protect the fundamental human right to privacy,” Naga said.

Through relevant issuances, the Commission “will be compelling entities involved to take firm action in addressing the possible privacy risk brought about by targeted smishing messages.”

The NPC reminds the public to remain vigilant and report incidents of targeted smishing through the NPC email, reportsmishing@privacy.gov.ph, or through its social media pages.

The PNP has been pushing for a law that would mandate the registration of prepaid phone cards, which are sold widely across the country at cheap prices.

The police’s lobbying for the law began at the height of the series of bombings, especially in Mindanao, where terror groups would use cellphone-detonated improvised explosive devices. Investigators had complained of the difficulty in identifying the culprits over unregistered prepaid cards.

Former President Rodrigo Duterte vetoed the SIM Card Registration Act early this year after a provision that included social media was allegedly inserted into the bill. Duterte saw it as an intrusion on privacy.

Malayo said the PNP fully supports the proposed investigation of the Senate Committee on Public Services on the continued proliferation of text scam messages victimizing millions of Filipinos.

However, he said security measures should be in place to safeguard the prepaid subscriber’s data like security features of postpaid SIM card subscribers.