The Philippines’ privacy watchdog—the National Privacy Commission (NPC)—announced on December 1 the formation of an interagency organization to combat the rampant spread of spam texts in the country. It also launched an investigation into telecom firms’ transactions with data aggregators linked to scams that are propagated through messages sent to customers.
The announcement comes after major telcos blocked a massive number of spam texts pointing to promising “job offers” with a link that leads to a WhatsApp conversation hosted by the fake employer. The targets are then asked to provide their personal and credit card information, per Esquiremagazine.
Major telecom firm Globe Telecom has blocked over 1 billion text messages of this type since January, while Smart Communications has blocked at least 60 web domains, according to the NPC’s announcement.
How do spammers design their phishing schemes?
“SMS spam being rampant is complex. We can look at a couple things—the ease of how the spammers can carry out their actions, whether the mobile networks have effective systems to identify spam, and how well-versed the spammers are in taking advantage of automation and technologies available to them to carry out spamming,” Dianne Kristine L. Gali, a manager at cybersecurity firm Trend Micro, explained to KrASIA.
Shortly after the NPC commissioner Raymund E. Liboro said on November 23 that the spam text waves are run by “a global crime syndicate,” rather than groups that gained unauthorized access to contact tracing forms, Globe Telecom said during a meeting with the NPC the following day that the incident involved companies in China and India that offer website hosting services.
Globe in particular highlighted a data broker named Macrokiosk that was commissioned by China Skyline Telecom to “share the theme of job hiring and contain a WhatsApp contact link,” adding that 1.55 million messages went sent via its network between November 11 and 21, according to the announcement by the NPC.
KrASIAreached out to China Skyline Telecom, a Hong Kong-registered company that is based in Shenzhen. It offers SMS gateway services, enabling enterprises to send and receive text messages in bulk. The company spokesperson said that they did not receive any notifications from the NPC and did not “ buy and steal any citizens’ personal information,” adding that there is no concrete evidence being presented by Globe or the NPC that the firm is directly responsible for the content of the text messages.
“We just help our clients to send out the messages. If there is something problematic within the text messages—for example, that it might involve content that we did not review—it has no relations to our company,” China Skyline Telecom’s spokesperson said.
Despite efforts by the NPC and telcos, Gali added that it is crucial to look at how cybercriminals break into different systems to steal user information.
“What we have seen are fraudulent apps, old-fashioned social engineering, taking advantage of the information that we put on social media, or software vulnerabilities. The number of spam messages can increase significantly as long as all available avenues to breach are open and accessible to the cybercriminals,” Gali explained.
What can consumers do?
NPC commissioner Liboro said that consumers should always scrutinize the messages they receive and should not fall prey to the perpetrators. Lofty promises of easy, passive income and high-paying jobs are likely to be fraudulent. “If it is from an unknown number, and has an offer that is too good to be true, it is most probably not true and is a scam,” he said.
Gali said that consumers can report the spam texts directly to their carriers, which will enrich the telcos’ data for identifying and stopping spam. “Customers may also choose to invest in mobile security for their devices. Some mobile security solutions are equipped with fraud identification capabilities that identify SMS spam,” she said.
“What needs to be in focus here is correct and reliable information that users can use to protect themselves from falling victim to cybercriminals. Having a data privacy law is just one of the many steps that individuals and organizations can take,” Gali added.