Recent cases of smishing messages were sent via phone-to-phone (P2P) transmissions and not data aggregators.
This was the result of the National Privacy Commission’s initial investigation into the new type of text scams that contained the receivers’ names.
“The result of the initial investigation of the National Privacy Commission shows that data aggregators are unlikely to be the source of the recent wave of targeted smishing messages that specify the recipient’s name,” the NPC said.
“The NPC, through its Complaints and Investigation Division, has observed from the smishing reports it received, that the smishing messages appear to have been sent using specific mobile numbers registered to certain texting devices,” it added
These messages, therefore, do not pass through data aggregators.
“As confirmed with the telecommunications companies, smishing messages which are sent using mobile numbers are possible through a phone-to-phone (P2P) transmission. Such transmission is usually coursed through a telecommunication company’s regular network and does not pass through data aggregators,” NPC said.
The commission further explained that data aggregators use application-to-phone (A2P) transmissions.
Through this process, a recipient can see the SMS ID of the sender of an unsolicited text message such as bank names or brands.
“The messages received through this transmission will not appear to have come from specific mobile numbers, instead, it will come from a sender that has SMS ID (i.e. bank names, organization names, etc.) which identifies the data aggregator, or the brand or business name using the data aggregator’s services,” NPC said.
Following these developments, telecommunication companies have been blocking identified mobile numbers that have sent smishing messages to their subscribers.
NPC said that it will continue its probe into the potential root causes and sources of these suspicious SMS texts.
While not citing any names of entities, the commission noted that it is also looking into the patterns of name formats that match that of “payment applications, mobile wallets, and messaging applications.”
Some social media users previously noticed that the format of their names in the spam messages is the same as that of their GCash usernames.
The NPC, meanwhile, assured the public that it will also compel entities involved to take appropriate actions in addressing the matter.
The commission also urged the public to remain vigilant and report incidents of smishing via its email address and social media pages.
Associate Justice Marvic Leonen and several lawmakers have previously raised the alarm over the data leak of recipients’ names in such a scheme involving mobile phones.
Prior to this, in November and December 2021, Filipinos also reported receiving spam messages about sketchy job offerings, free cash deals and other suspicious content.