NPC PHE Bulletin No. 21 Preventive Data Privacy Practices Against Smishing
The National Privacy Commission (NPC) has received reports of smishing where mobile users received unsolicited SMS messages allegedly due to the contact information they provided in COVID-19 contact tracing and health declaration forms.
The contents of these unsolicited messages reportedly include links that redirect to legitimate looking but fraudulent sites when clicked. These sites may steal users’ personal data, introduce mobile malware, and even commit fraud.
Smishing is a type of phishing attack that targets victims through mobile text messaging or SMS. Smishing attacks occur when threat actors send text messages to trick subscribers into clicking malicious websites.
One smishing scenario involves the activation of a dummy Facebook account. The text message sent to a user contains a code and a shortened link that, when clicked, binds the recipient’s mobile number to the dummy account.
Smishing can also be used in online shopping/delivery to trick unsuspecting victims who expect a product they purchased online. Clicking the shortened link will redirect the recipient to a website that prompts them to fill out their personal and banking information to complete the delivery.
The Commission highlights the importance of being vigilant and aware of cybersecurity attacks. “One of the best ways users can arm themselves against smishing attacks is to be aware of this kind of manipulation. Scrutinize the text messages you receive, especially if they come from an unknown number and request information about you. Be skeptical and don’t assume that every message you receive is genuine,” Privacy Commissioner Raymund E. Liboro said.
Recent data privacy and security advisory from the Commission’s Data Security and Technology Standards Division recommends steps on how users can protect themselves against smishing. This bulletin also reminds organizations to safeguard the personal data they process.
a. For data subjects
- Do not click links of services you did not sign up for. Be cautious with shortened links. A URL shortening service is an online tool that allows users to create a short and unique website link. These URL shortening services may be used by threat actors to conceal their malicious links.
- Malicious links require an action from you, such as filling out online forms with your personal or financial information.
- Do not open in-app links. Change to the default browser of your mobile phone that opens links.
- Android OS and iOS smartphone users are advised to immediately block and report the unsolicited text messages they receive using the built-in spam feature in their SMS apps.
- Spam or junk messages generally refer to unsolicited messages in email, instant messaging, or SMS. Messages recognized by your mobile operating system or SMS app as “spam” or “junk” go to a separate folder.
- Disable “link previews” in the SMS app.
i. Block, filter, and report messages on iPhone (iOS: iMessage)
The Messages app blocks unwanted messages, filters messages from unknown senders, and reports spam or junk messages.
Block messages from a specific phone or number
1. In a conversation on Messages, tap the name or number at the top, then tap at the top right portion.
2. Tap info.
3. Scroll down and then tap Block, this Caller.
To view and manage your list of blocked contacts and phone numbers, go to Settings > Messages > Blocked Contacts.
Filter messages from unknown senders
Filtering messages from unknown senders turns off iMessage notifications from senders not in your contact list and moves the messages to the Unknown Senders tab in the Messages app.
1. Go to Settings > Messages.
2. Turn on Filter Unknown Senders.
Note: You cannot open any link in a message from an unknown sender until you add the sender to your contacts or reply to the message.
Report spam or junk messages
With iMessage, a message you receive from someone not in your contact list may be identified as possible spam or junk. You can report this type of message to Apple.
In the message, tap Report Junk, then tap Delete and Report Junk.
The sender’s information and the message are sent to Apple, and the message is permanently deleted from your device.
Note: Reporting the message as junk or spam does not prevent the sender from sending other messages, but you can block the number to stop receiving messages from the sender.
To report spam or junk messages you receive with SMS or MMS, contact your carrier.
ii. Report Spam and Blocking (Android OS: Google Messages)
When you report a chat as spam, you can block the sender and move it to your “Spam & blocked” folder.
1. On your Android phone or tablet, open the Messages app .
2. Touch and hold the chat you want to report.
3. Tap Block Report spam OK.
You can also open the chat to report it as spam. From the chat, tap More Details Block & report spam Report spam OK.
Note: The contact will be reported as spam, and the chat will be moved to your “Spam & blocked” folder. You can report spam without blocking the contact.
Report spam in a group message
When you report spam in a group message, the spammer is reported, and the message is moved to your “Spam & blocked” folder.
1. On your Android phone or tablet, open the Messages app.
2. Open the chat you want to report.
3. Tap More Group details Report spam.
4. Tap Report spam.
Remove a spam report
You can remove spam reports after submitting them.
1. On your Android phone or tablet, open the Messages app .
2. Tap More Spam & blocked.
3. Select a chat.
4. Tap Not spam. If you want to unblock a contact or number which you blocked, tap Unblock. If you tap Unblock, the chat will be removed from the "Spam & blocked" folder.
b. For personal information controllers and personal information processors
Efforts to control the spread of COVID-19 prompted an increase in the collection of personal data through contact tracing and/or health declaration forms in establishments and workplaces.
Consequently, these establishments must ensure the protection of the personal data that they are collecting.
Recommended measures are as follows:
- Apply access controls to the database of data collected physically and electronically.
- Implement appropriate security measures in the contact tracing applications (both web and mobile).
- Process personal information, especially mobile numbers contained in the contact tracing and health declaration forms, only to alleviate the risk of COVID-19 infection and not for any other purpose.
- Ensure that health declaration forms or log sheets are not in a matrix form where visitors can see one another’s personal information. For further guidance, refer to