Friday, September 12, 2025

NPC probes data leak from contact tracing


The National Privacy Commission (NPC) is looking into complaints of smishing incidents in which mobile users received unsolicited text messages, allegedly because of the contact information they provided in contact tracing and health declaration forms. In a statement, NPC said reports received by the agency alleged that these unsolicited messages include links that, when clicked, redirect to legitimate-looking but fraudulent sites. These sites may steal users’ personal data, introduce mobile malware, and even be used to commit fraud.

Smishing is a type of phishing attack that targets victims through mobile text messaging or SMS. Smishing attacks occur when threat actors send text messages to trick subscribers into clicking links to malicious websites.

Efforts to control the spread of the new coronavirus disease 2019 prompted an increase in the collection of personal data through contact tracing and/or health declaration forms in establishments and workplaces.

NPC reminded establishments to ensure the protection of the personal data that they are collecting.

The agency said establishments can apply access controls to the database of data collected physically and electronically and implement appropriate security measures in the contact tracing applications (both web and mobile).

One smishing scenario involves the activation of a dummy Facebook account. The text message sent to a user contains a code and a shortened link that, when clicked, binds the recipient’s mobile number to the dummy account.

Smishing can also be used in online shopping/delivery to trick unsuspecting victims who expect a product they purchased online. Clicking the shortened link will redirect the recipient to a website that prompts them to fill out their personal and banking information to complete the delivery.
