MANILA, Philippines — The National Privacy Commission (NPC) is looking into reports of smishing or phishing carried out through unsolicited text messages allegedly based on information drawn from COVID-19 contact tracing forms.
Roren Chin, chief of the public information and assistance division of the National Privacy Commission (NPC), said the commission “will investigate if these came from contact info in COVID-19 contact tracing and health declaration forms.”
“Possibly, it may be a result of a breach or unauthorized disclosure,” she said.
NPC said based on the reports it received, the unsolicited text messages have links that redirect to sites that look legitimate but are fraudulent.
When the link is clicked, the site may steal the users’ personal data, bring malware and even commit fraud.
Smishing occurs when mobile users receive text messages that trick them to click on links to malicious websites and give sensitive information.
NPC said smishing can involve the activation of a dummy Facebook account through sending a text message containing a code and a shortened link that, when clicked, would bind the recipient’s mobile number to the dummy account.
Smishing can also be used in online shopping where unsuspecting individuals waiting for the arrival of a purchased product would receive a shortened link that will redirect them to a website asking for their personal and banking information to complete the delivery.
Given the reports received on smishing, the NPC is reminding the public to be vigilant against cybersecurity attacks.
“One of the best ways users can arm themselves against smishing attacks is to be aware of this kind of manipulation. Scrutinize the text messages you receive, especially if they come from an unknown number and request information about you. Be skeptical and don’t assume that every message you receive is genuine,” Privacy Commissioner Raymund Liboro said.
As safeguard against smishing, the NPC said mobile users are reminded not to click links for services they did not sign up for.
NPC also recommends that mobile phone users not open in-app links and instead change to the default browser of the mobile phone that opens links.
In addition, mobile phone users are advised to disable link previews in SMS apps and to immediately block and report unsolicited text messages by using the built-in spam feature.
NPC is likewise calling on organizations to ensure protection of the personal data they collect and process.
To safeguard personal data collected through contact tracing or health declaration forms, NPC recommends that personal information controllers (PICs) and personal information processors (PIPs) put in place access controls to the database.
For the use of contact tracing apps, NPC recommends that PICs and PIPs implement appropriate security measures.
As for mobile numbers in contact tracing and health declaration forms, NPC said PICs and PIPs need to ensure these are only used for the purpose of helping reduce the spread of COVID-19.
It added health declaration forms or log sheets should not be in a matrix form where visitors can see others’ personal information.