NPC: Data brokers unlikely source of personalized text scams

The National Privacy Commission (NPC) said Wednesday its initial investigation showed that “data aggregators are unlikely” to be the source of the personalized text scams or unsolicited text messages containing the names of intended recipients.

The NPC, in a statement, said it observed, through its Complaints and Investigation Division, from the smishing reports it received “that the smishing messages appear to have been sent using specific mobile numbers registered to certain texting services.”

“As confirmed with the telecommunications companies, smishing messages which are sent using mobile numbers are possible through a phone-to-phone (P2P) transmission,” the NPC said.

It explained that such transmission is usually coursed through a telecommunication company’s regular network and does not pass through data aggregators.

Data aggregators are brokers or “middlemen” contracted by telecommunications firms or other companies to collect or buy data (phone numbers, names, addresses, etc.) to package it for analysis and other business purposes.

“Contrary to a P2P transmission, data aggregators use an application-to-phone (A2P) transmission,” NPC said.

“The messages received through this transmission will not appear to have come from specific mobile numbers, instead, it will come from a sender that has SMS ID (i.e., bank names, organization names, etc.) which identifies the data aggregator, or the brand or business name using the data aggregator’s services,” it added.

Last week, the NPC announced it launched an investigation into the incidence of spam text messages that contain the names of subscribers.

During the House information and communications technology panel hearing on Monday, the National Privacy Commission (NPC) was asked where scammers might have obtained the names and some personal details of people they are targeting.

NPC deputy commissioner Leandro Aguirre said that while it would be difficult to trace the sender of spam messages since there could be numerous possible sources, the privacy body was coordinating with Viber and GCash to see if there was unusual activity that resulted in some scraping of data.

“Nonetheless, NPC has been continuously investigating potential sources and root cause of targeted smishing messages such as patterns in the use of name formats that prospectively match the names of data subjects registered with popular payment applications, mobile wallets, and messaging applications,” the Privacy body said.

“Further, the NPC is working closely with telecommunications companies in formulating countermeasures against the recent wave of targeted smishing messages,” it added.

The NPC said telecommunications companies have blocked identified mobile numbers that sent smishing messages and are continuously blocking messages with malicious URL links associated with smishing.

Globe and PLDT-Smart earlier said they are intensifying their efforts to combat text scams amid the spread of spam or unsolicited text messages.

Specifically, Globe said it was able to block 784 million scam and spam messages, deactivate 14,058 scam-linked SIMs, blacklist 8,973 others, and block 610 domains or URLs from January to July.

PLDT-Smart, for its part, said its SMS Firewall Blocking has prevented more than 300 million malicious messages from reaching its customers in the first eight months of the year, blacklisted around 167,000 listed accounts that have been found to be sources of these fraudulent messages, and blocked more than 11 billion attempts to open links associated with spam messages from January to August of this year.

“The NPC shall pursue its investigation to its full extent and within the bounds of its mandate to protect the fundamental human right to privacy,” the Privacy body said.

“Through relevant issuances, the Commission will be compelling entities involved to take firm action in addressing the possible privacy risk brought about by targeted smishing messages,” it added.

The NPC reminded the public to remain vigilant and are encouraged to report incidents of targeted smishing through the NPC email, reportsmishing@privacy.gov.ph, or through its social media pages.—AOL, GMA News