MANILA, Philippines – The National Privacy Commission (NPC) on Wednesday, September 7, at a public online webinar confirmed the most likely sources of how a recent spate of scam text messages have been including people’s names. 

The chief of the NPC’s complaints and investigation division, Michael Santos, said that a messaging and money app may have been used to harvest the name associated with a person’s number. Santos called the case a form of data scraping, noting that the apps would show a person’s name once you type in a number. Santos illustrated his point by showing the scam text messages he had personally received with specific versions of his name that are the same as the ones he used in the money and messaging apps. 

Santos did not specifically name the apps in his statements, but some of these apps widely believed to have been scraped by scammers are GCash and Viber. 

Santos clarified that while they are not closing their doors to the possibility of a breach, as far as the current investigation goes, their leads point to a case of the harvesting or scraping of publicly available data. 

The links that are often included in the text messages have also led the NPC to believe that the scammers only currently know people’s numbers and names. Often, the links lead to a supposed gambling or bitcoin investment site that asks for people to sign up, and provide more information. Perpetrators will then use the information to attempt to scam the victim for money, Santos explained. “They use the names in the messages, so they will look more realistic,” Santos said. 

Santos also said that while they can’t completely discount the possibility of data being harvested from contact tracing measures, he said that it isn’t currently a top lead. He explained that contact tracing often contains a lot of personal information, and not merely a name and a number as the current cases suggest. 

Deputy commissioner of the NPC, Leandro Aguirre, also stated that data aggregators are also unlikely to be the source of this batch of scam messages unlike the ones back in late 2021. In November 2021, telcos Globe and Smart told the NPC that the smishing and text spams can be traced to China and India-web-hosted data brokers or data aggregators. Data aggregators are defined by the NPC as “legal entities tapped by companies such as global brands to act on their behalf and deal with telcos in blasting promotions and other company messages to their customers.”

Aguirre explained that the current batch of scam messages were sent through a phone-to-phone transmission, as confirmed by the telcos. He explained that such a transmission is often coursed through the regular network of the telco and not through data aggregators. 

Aggregators use an application-to-phone (A2P) transmission, Aguirre said, which will show an SMS ID such as an organization name instead of a phone number when received. 

For now, the telcos will continue to block the numbers that send the scam messages, and the phishing domains included as a link. Angel Redoble, the chief information security officer of the PLDT group said they have blocked 400 million messages, and hundreds of thousands of numbers. Globe’s Irish Almeida, chief privacy officer, said they have blocked around 600,000 domains. Almeida said that blocking and customer education will “stem the tide” and are the first line of defense. 

Redoble said that without these blocking efforts, many more would have been victimized, but also stated that we need to get to the bottom of the problem, through joint investigations, identification of the perpetrators, and it has to be a whole-of-community approach. 

Dito’s Roberto Miguel Raneses, data protection officer, said that cases are minimal on their end, with less than 50 numbers blocked, likely as the result of Dito still being a new player in the industry. 

The NPC encouraged the public to report incidents of targeted smishing through the NPC email, reportsmishing@privacy.gov.ph, or through its social media pages. Reports can be coursed through the telcos’ social media pages as well. – Rappler.com