The National Privacy Commission (NPC) has warned the public against smishing where mobile users received unsolicited SMS allegedly due to the contact information they provided in COVID-19 contact tracing and health declaration forms.

Privacy Commissioner Raymund E. Liboro has urged the public to be vigilant and be aware of cybersecurity attacks.

In the NPC Bulletin No. 21, NPC said that it has received reports of smishing incidents. The contents are unsolicited messages reportedly include links that redirect to legitimate looking but fraudulent sites when clicked. These sites may steal users’ personal data, introduce mobile malware, and even commit fraud. Smishing is a type of phishing attack that targets victims through mobile text messaging or SMS.

Smishing attacks occur when threat actors send text messages to trick subscribers into clicking malicious websites. One smishing scenario involves the activation of a dummy Facebook account. The text message sent to a user contains a code and a shortened link that, when clicked, binds the recipient’s mobile number to the dummy account.

Smishing can also be used in online shopping/delivery to trick unsuspecting victims who expect a product they purchased online. Clicking the shortened link will redirect the recipient to a website that prompts them to fill out their personal and banking information to complete the delivery.

“One of the best ways users can arm themselves against smishing attacks is to be aware of this kind of manipulation. Scrutinize the text messages you receive, especially if they come from an unknown number and request information about you. Be skeptical and don’t assume that every message you receive is genuine,” said Liboro.

Recent data privacy and security advisory from the Commission’s Data Security and Technology Standards Division recommends steps on how users can protect themselves against smishing.

“This bulletin also reminds organizations to safeguard the personal data they process,” NPC said.

For data subjects, NPC said some of the good practices include not to click links of services you did not sign up for. Be cautious with shortened links.

NPC also reminded that a URL shortening service is an online tool that allows users to create a short and unique website link. These URL shortening services may be used by threat actors to conceal their malicious links. Malicious links require an action from you, such as filling out online forms with your personal or financial information.

NPC also cautioned against opening in-app links. Change to the default browser of your mobile phone that opens links. Android OS and iOS smartphone users are advised to immediately block and report the unsolicited text messages they receive using the built-in spam feature in their SMS apps. Spam or junk messages generally refer to unsolicited messages in email, instant messaging, or SMS. Messages recognized by your mobile operating system or SMS app as “spam” or “junk” go to a separate folder.

NPC noted that efforts to control the spread of COVID-19 prompted an increase in the collection of personal data through contact tracing and/or health declaration forms in establishments and workplaces. Consequently, these establishments must ensure the protection of the personal data that they are collecting.

NPC recommended that establishments apply measures such as access controls to the database of data collected physically and electronically, implementation of appropriate security measures in the contact tracing applications (both web and mobile), and to process personal information, especially mobile numbers contained in the contact tracing and health declaration forms, only to alleviate the risk of COVID-19 infection and not for any other purpose.

Source: Manila Bulletin (