“Be good to your project manager. Apparently buong Pilipinas naghahanap,” a social media strategist recently posted on her Facebook wall. She meant it in jest of course, having been one of the numerous recipients of unsolicited job offers—looking for project managers and the like—via SMS from senders unknown.
But it’s not fun for people who unfortunately had fallen prey to these scams. Those desperate to augment their meager earnings. People who had to borrow money for the startup capital needed for the supposed job opening.
Single mom Davy Jean Osias is one of them. She recently shared her story to TV Patrol. She accepted a “job offer” sent to her via SMS hoping she can earn extra money for the birth of her child. The job entailed paying off certain shopping transactions of a consumer—from which she would earn commission.
The sender of the SMS, who turned out to be a scammer, served as the middle man between Jean and the supposed customer. The scammer sent Jean photos of items ordered by the imaginary customer. Jean then had to pay for the items in advance—which really meant sending the money to the scammer—so Jean could get a commission.
Since she received commission for an initial transaction, Jean was enticed to take on six more “tasks” or transactions. After fulfilling the series of transactions, she transferred a total of P99,700 to the scammer. But when Jean asked for the money she had invested and the corresponding commission, the scammer asked Jean to pay for another product, a dining table worth P172,001.00, so she can withdraw her money.
Jean decided not to send the amount to the middleman—she had nowhere to get it. “Sinasabi nya manghiram ka sa mga friends mo,” she told TV Patrol. This was when Jean realized she had been scammed. She tried getting in touch with the scammer again but her number has already been blocked.
The National Privacy Commission (NPC) has recently warned people not to entertain text messages from unscrupulous individuals, and to not click the links included in such messages. When clicked, the links would redirect the recipient to legitimate-looking but fraudulent sites. These sites may steal personal data, introduce mobile malware, and even commit fraud. This is called smishing, which is a type of phishing attack that targets victims through mobile text messaging or SMS.
One smishing scenario, according to the NPC, involves the activation of a dummy Facebook account. “The text message sent to a user contains a code and a shortened link that, when clicked, binds the recipient’s mobile number to the dummy account,” the commission wrote in a bulletin.
“Smishing can also be used in online shopping/delivery to trick unsuspecting victims who expect a product they purchased online. Clicking the shortened link will redirect the recipient to a website that prompts them to fill out their personal and banking information to complete the delivery,” the NPC explained.
In an interview with Teleradyo’s On The Spot, NPC commissioner Raymund Liboro said a globally organized syndicate could be behind the recent surge in SMS-based phishing scams.
“Kasi hindi ito unique sa Pilipinas, according na din sa eksperto na ating nakausap. Nakikita itong scam na ito sa India, Malaysia, Singapore and Taiwan,” Liboro said. The way people’s contact information were obtained could be part of “a very elaborate scam.”
Liboro adds that there are so many ways now for syndicates to get people’s mobile numbers. “Mayroong mga teorya na kami kung saan nakukuha ang numbers. Maaring sa ilang database na na-breach. May tinitingnan din kami ngayon sa dark web na posibleng na-dump na mga numero. Marami na talang pwedeng paggalingan ang numero,” said the NPC Commissioner. He is, however, discounting the probability that the numbers may have come from COVID-19 contact tracing and health declaration forms. The commission has not seen any evidence to prove this.
The NPC is likewise looking into why and how the scammers were able to use Whatsapp links in their operations. “Mayroong lumalabas na impormasyon na maaring may isang insidente ang Whatsapp na kung saan na-expose ang data ng mga users, na siyang ginagamit ngayon ng mga sindikatong ito,” Liboro added. Whatsapp is a sister company of Facebook. ANCX tried to get a statement from WhatsApp but it has yet to respond to our questions.
The day after the Teleradyo interview, Liboro was supposed to have met with the data protection officers of telcos, some banks, and online retail stores like Lazada and Shopee. The meeting aimed to find out what the said companies are currently doing to prevent these smishing incidents, and how they could strengthen their data protection strategies.
The commissioner stressed the importance of being vigilant and aware of cybersecurity attacks. “One of the best ways users can arm themselves against smishing attacks is to be aware of this kind of manipulation,” he said.
“Scrutinize the text messages you receive, especially if they come from an unknown number and request information about you,” said Liboro. “Be skeptical and don’t assume that every message you receive is genuine.”
Do not click on links of services you did not sign up for. “Be cautious with shortened links. A URL shortening service is an online tool that allows users to create a short and unique website link. These URL shortening services may be used by threat actors to conceal their malicious links,” the NPC said in its bulletin. Malicious links require an action from you, such as filling out online forms with your personal or financial information.
Immediately block and report the unsolicited text messages you receive using the built-in spam feature in your SMS apps—this advise is for Android OS and iOS smartphone users. Spam or junk messages generally refer to unsolicited messages in email, instant messaging, or SMS. Messages recognized by your mobile operating system or SMS app as “spam” or “junk” go to a separate folder.
Disable “link previews” in the SMS app.
Report incidents to the NTC via https://ntc.gov.ph/complaint.