Statement of the National Privacy Commission on Targeted Smishing Messages

September 8, 2022 | 8:26 AM GMT+0800 Last Edit: September 8, 2022

The result of the initial investigation of the National Privacy Commission (NPC) shows that data aggregators are unlikely to be the source of the recent wave of targeted smishing messages that specify the recipient’s name.

The NPC, through its Complaints and Investigation Division, has observed from the smishing reports it received, that the smishing messages appear to have been sent using specific mobile numbers registered to certain texting services. As confirmed with the telecommunications companies, smishing messages which are sent using mobile numbers are possible through a phone-to-phone (P2P) transmission. Such transmission is usually coursed through a telecommunication company’s regular network and does not pass through data aggregators.

Contrary to a P2P transmission, data aggregators use an application-to-phone (A2P) transmission. The messages received through this transmission will not appear to have come from specific mobile numbers, instead, it will come from a sender that has SMS ID (i.e., bank names, organization names, etc.) which identifies the data aggregator, or the brand or business name using the data aggregator’s services.

Nonetheless, NPC has been continuously investigating potential sources and root cause of targeted smishing messages such as, patterns in the use of name formats that prospectively match the names of data subjects registered with popular payment applications, mobile wallets, and messaging applications. Further, the NPC is working closely with telecommunications companies in formulating countermeasures against the recent wave of targeted smishing messages.

As a concrete course of action, telecommunication companies have blocked identified mobile numbers that sent smishing messages and is continuously blocking messages with malicious URL links associated with smishing.

The NPC shall pursue its investigation to its full extent and within the bounds of its mandate to protect the fundamental human right to privacy. Through relevant issuances, the Commission will be compelling entities involved to take firm action in addressing the possible privacy risk brought about by targeted smishing messages.

The NPC further reminds the public to remain vigilant. They are encouraged to report incidents of targeted smishing through the NPC email, [email protected], or through its social media pages.