‘Smishing’ epidemic | Inquirer Opinion


05:08 AM November 26, 2021


The job offer sounds tempting enough, with earnings of up to P8,000 a day, well above current industry rates. All you have to do is click a link to know more.

The 8.9 percent rise in unemployment—which translates to some 4.25 million Filipinos left jobless by the pandemic as of September 2021—also makes the invitation irresistible. But beware! The more tech-savvy would immediately spot several red flags in the offer: The number is unfamiliar, the sender unknown, and the firm or company unidentified as well. The job isn’t specified either, and one is directed to a site through a link—the suspicious route employed by dubious click-bait operators.


The unsolicited text messages may have different spiels, but the ultimate aim is the same: to get the text recipient to click the link.

The messages are blasted out to the mass of mobile phone subscribers out there, creating what Sen. Joel Villanueva has described as an “epidemic of text scams” that offers anything from no-collateral loans to well-paying jobs and astronomical raffle prizes.


How did the senders get the phone numbers of their recipients? Villanueva, chair of the Senate labor committee, suspects that such “illegal and unscrupulous” robo texts are the “forbidden fruit of a data breach or data sale somewhere,” and even a variant of “fake news” that prey on the millions of Filipinos desperate to find alternative means of earning amid the global health crisis.

“In a nation where unemployment and digital disinformation are high, these kinds of messages can mislead,” warned Villanueva. “Many of our people, especially those looking for jobs, will be swindled.” Other than being an “irritating” intrusion into one’s privacy, such text offers on overseas jobs “violate laws in labor placement, an activity that is tightly regulated by the government to shield job seekers from being victimized by illegal recruiters.”

The text messages are a form of “smishing”—a combination of SMS (short message service) and phishing—through which criminals trick phone users into sharing sensitive personal data, including passwords, bank accounts, or credit card numbers. Some sites may even introduce malware to gain access and harvest information from one’s phone and computer. In fact, one publication clicked on the link and engaged the text sender to find out how the scam works. In the end, there was no job being offered, and it was nothing but a wily scheme to steal and profit from the unwary recipient’s financial information.

Malacañang has described the fake job offers sent through text as a “cause for concern,” and said that the National Telecommunications Commission is already investigating the matter.

Again: How did scammers get hold of this slew of contact information in the first place? How did a trove of mobile phone numbers become suddenly accessible to a shadowy group of operators?

An obvious answer is the contact-tracing and health declaration forms, those ubiquitous pieces of paper that people have had to fill out with personal details before they could set foot in any establishment last year and early this year. Signing up every time for contact-tracing purposes was among the government measures meant to limit exposure to identified infected individuals. While considered crucial to the pandemic response, these forms were also vulnerable to privacy breach as they were collected willy-nilly and stuffed into generic boxes, with no corresponding public scrutiny or government monitoring on where and how they should be stored.


Although the National Privacy Commission (NPC) has denied that contact-tracing forms might be the source of the stolen data, saying that the scam was orchestrated by a “global crime ring,” who can blame ordinary citizens for raising pertinent questions: Which government agency is responsible for safekeeping the data collected from these forms? Was there ever a solid effort to secure the data, and how? Where are the forms now, and who has had access to them?

NPC chair Raymund Liboro said the government will urge telcos to adopt a US-style caller identity verification system for enhanced consumer protection. Pending in Congress, meanwhile, are bills such as the proposed No Call, No Text, and No E-mail Registration System Act, which seeks to prohibit non-registered numbers from using an automatic dialer or any electronic device that can blast messages to phone numbers.

While the government once again scrambles to get its act together to protect the public, mobile phone subscribers will have to look out for themselves to prevent scammers from accessing their private data. One has to be alert to messages that lead to spurious websites that one might click inadvertently. As the NPC noted, these links “require an action from you, such as filling out online forms with your personal or financial information.” The best recourse is to ignore, block, or delete such messages.


TAGS: data privacy breach, National Privacy Commission, National Telecommunications Commission, smishing