
NPC moves to investigate SMS spamming targeting Filipinos

After receiving reports of massive SMS spamming offering jobs to recipients, the Philippines’ data privacy watchdog, the National Privacy Commission (NPC), announced that it has launched an investigation that will probe telecommunications firms, banks, and payment platforms.

In a media advisory, NPC said it “sent Globe Telecom Inc., Smart Communications Inc. and Dito Telecommunity Corp. orders to submit within five days documents and information that will provide the Commission specifics on their data flows and transactions involving data aggregators.”

In recent weeks, many Filipinos complained about the onslaught of text messages containing links that supposedly will direct them to job application sites. The pandemic has displaced many workers and these kinds of messages can easily attract job seekers.


The NPC is also pushing for call and text attestation to prevent what Privacy Commissioner Raymund Liboro calls a national “privacy disaster.” Attestation can trace the owner of a number used in calling or sending texts, as these are listed in a registry. Involved in the proliferation of smishing and text spams are data aggregators, which could be legal entities tapped by companies such as global brands to act on their behalf and deal with telcos in blasting promotions and other company messages to their customers.

“At the meeting with the NPC on Nov. 24, the data protection officers of Globe Telecom and Smart Communications revealed a complex chain of data aggregation and handling, involving data brokers, that is bringing new challenges to compliance and enforcement,” Liboro said.

China and India

The telcos said they traced the smishing and text spams to companies web-hosted in China and India.

In a series of media releases, telecommunications firm Smart Communications said that it has been actively investigating smishing. It reported that, together with parent company PLDT, it has uncovered and blocked new domains in the past days, aiming to protect customers from fraud and scammers.

NPC also sent orders to Union Bank of the Philippines Inc. and GCash (Mynt – Globe Fintech Innovations, Inc.), “the main payment channels where victims are directed to deposit their investments.” The investment accounts invariably become inaccessible to the victims after they had been enticed to deposit larger sums in exchange for a bigger commission.

The PLDT Group has its own Cybersecurity Security Operations Group (CSOG), which it reported had already blocked at least 15,000 mobile numbers, as well as at least 60 domains directly related to and involved in the ongoing SMS spam offering fake jobs to users, from Oct. 21 to Nov. 20 this year.

In its report to the NPC, Globe in particular identified a data broker, Macrokiosk, that was tapped by a firm named China Skyline Telecom, as the primary source of messages that “share the theme of job hiring and contain a Whatsapp contact link.”

Globe said 1.55 million of such messages were sent through its network from Nov. 11 to 21 alone.

The Philippine government formed an interagency group that will look into ICT-enabled scams and fraud. The group consists of the NPC, the Cybercrime Investigation and Coordinating Center (CICC), the Department of Information and Communications Technology (DICT), the National Telecommunications Commission, the Department of Justice (DOJ), and the Department of Trade and Industry (DTI).