The National Privacy Commission (NPC) said on Tuesday, Oct. 5, it has received reports of “smishing” where mobile users received unsolicited SMS messages allegedly due to the contact information they provided in Covid-19 contact tracing and health declaration forms.
The contents of the unsolicited messages reportedly include links that redirect to legitimate looking but fraudulent sites when clicked. These sites may steal users’ personal data, introduce mobile malware, and even commit fraud.
Smishing is a type of phishing attack that targets victims through mobile text messaging or SMS. Smishing attacks occur when threat actors send text messages to trick subscribers into clicking malicious websites.
One smishing scenario involves the activation of a dummy Facebook account. The text message sent to a user contains a code and a shortened link that, when clicked, binds the recipient’s mobile number to the dummy account.
Smishing can also be used in online shopping/delivery to trick unsuspecting victims who expect a product they purchased online. Clicking the shortened link will redirect the recipient to a website that prompts them to fill out their personal and banking information to complete the delivery.
“One of the best ways users can arm themselves against smishing attacks is to be aware of this kind of manipulation. Scrutinize the text messages you receive, especially if they come from an unknown number and request information about you. Be skeptical and don’t assume that every message you receive is genuine,” NPC chair Raymund E. Liboro said.