The National Privacy Commission (NPC) said the result of its initial investigation showed that the recent wave of targeted smishing messages that contain the recipient’s name most likely came from smartphones and not from an app used by data aggregators.
The NPC, through its Complaints and Investigation Division, has observed from the smishing reports it received, that the smishing messages appear to have been sent using specific mobile numbers registered to certain texting services.
The privacy body said local telcos have confirmed that smishing messages sent using mobile numbers are possible through a phone-to-phone (P2P) transmission.
“Such transmission is usually coursed through a telecommunication company’s regular network and does not pass through data aggregators,” the NPC said in a statement on Wednesday, Sept. 7.
The agency explained that contrary to a P2P transmission, data aggregators use an application-to-phone (A2P) transmission.
“The messages received through this transmission will not appear to have come from specific mobile numbers, instead, it will come from a sender that has SMS ID (i.e., bank names, organization names, etc.) which identifies the data aggregator, or the brand or business name using the data aggregator’s services,” it noted.
The NPC said it will continue to investigate potential sources and root cause of targeted smishing messages such as patterns in the use of name formats that prospectively match the names of data subjects registered with payment applications, mobile wallets, and messaging applications.
“Further, the NPC is working closely with telecommunications companies in formulating countermeasures against the recent wave of targeted smishing messages,” the agency said.
As a concrete course of action, telcos have blocked identified mobile numbers that sent smishing messages and is continuously blocking messages with malicious URL links associated with smishing, according to the NPC.