Anatomy of the SMS scam offering high-paying part-time jobs

Published November 24, 2021, 3:35 PM

by Art Samaniego

If you get a text message offering you a job with a link, beware. It’s a scam. The domain is owned by WhatsApp and used for the app’s “click to chat” feature. It allows users to begin a chat session with anybody without having that person’s phone number saved in their phone’s address book. Using plus a phone number, anybody could just send this link via email, messenger, or SMS. When the recipient clicks it, WhatsApp will open and automatically initiate a chat with the number from the link.

Scammers find this feature very useful because they can chat with their target instantly when someone clicks the link.
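For anyone triaging reported messages, the click-to-chat mechanism described above can be unpacked to show which number a link would open a chat with and what text it would pre-fill. This is an added example, not part of the original article: it assumes WhatsApp's documented link forms (`https://wa.me/<number>?text=...` and `https://api.whatsapp.com/send?phone=...&text=...`), and the sample SMS, the phone number and the keyword list are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Candidate click-to-chat links; the host is re-checked after URL parsing.
LINK_RE = re.compile(r"(?<![\w./-])(?:https?://)?(?:wa\.me|api\.whatsapp\.com/send)\S*", re.I)
# Constructed keyword list for job-offer lures (an assumption, tune for real traffic).
LURE_WORDS = ("job", "part-time", "hiring", "salary", "earn", "commission")
# Constructed sample message; the number is a placeholder, not a real indicator.
SAMPLE_SMS = ("Hiring part-time staff, earn 3000 per day. "
              "Chat now: https://wa.me/639000000000?text=I%20want%20to%20apply")

def parse_click_to_chat(url):
    """Return the chat number and pre-filled text of a click-to-chat URL, else None."""
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    query = parse_qs(parts.query)
    if host == "wa.me":
        number = parts.path.strip("/")
    elif host == "api.whatsapp.com" and parts.path.rstrip("/") == "/send":
        number = query.get("phone", [""])[0]
    else:
        return None  # look-alike host such as wa.me.example.com
    digits = re.sub(r"\D", "", number)
    if not digits:
        return None
    return {"number": "+" + digits, "prefill": query.get("text", [""])[0]}

def triage_sms(body):
    """List every click-to-chat link in an SMS body, flagging job-lure wording."""
    lure_words = [w for w in LURE_WORDS if w in body.lower()]
    findings = []
    for match in LINK_RE.finditer(body):
        info = parse_click_to_chat(match.group(0).rstrip(".,)"))
        if info:
            info["lure_words"] = lure_words
            info["suspicious"] = bool(lure_words)
            findings.append(info)
    return findings

if __name__ == "__main__":
    for finding in triage_sms(SAMPLE_SMS):
        print(finding)
```

The exact-host check matters: a look-alike such as `wa.me.example.com` is matched by the regular expression but rejected after parsing.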

Today, I got five messages offering me high-paying jobs. All the messages have links using the domain. Using another device, I went to the link in the message and stalked the senders. Here’s what happened.

1) The scam starts when you get a message with a link. I clicked the message, and a chat box opened that appeared as if I had initiated the conversation. This is possible because of the “click to chat” feature, where the scammer can pre-fill the chat box with a message that appears to come from whoever clicks the link. The five messages that I got all had the same outcome when I clicked the link.

The SMS from scammers

2) The cybercriminal then informed me that I could get a job using my phone to complete virtual orders. I could then get a commission for every completed virtual order. The scammer then asked me to register.

3) I clicked the link and found out that the scam is not exclusive to the Philippines as it also targets other countries. The drop-down menu contains five country codes — +63 for the Philippines, +91 for India, +52 for Mexico, +55 for Brazil, and +66 for Thailand. I then registered using the number of my newly bought SIM card. Here, nothing happens as you just need to register as a new account.

Country targets

4) After the registration, I logged in to the scammer’s platform and “got” my bonus of 68 pesos. Checking the page source, I found out that the language used is zh-CN. This means that the Chinese language being used is “simplified and using mainland Chinese terms.” Coding notes are also written in what looks like Chinese characters. Also, the only reply we get is “speak English” every time we try sending a message in Tagalog.

Coding notes that look like Chinese characters

5) All the five scam messages that I got are using different UnionBank accounts to accept money and GCash for victims to send payments. The scammer then asked me to “recharge” my account using GCash, send the payment to the bank and show him the screen capture of the transaction. I sent P200 as an initial recharge amount.

One of the UnionBank accounts used by scammers.

6) I was then assigned to do tasks. The scammers claimed that the company is helping eCommerce sites to increase their ranking online, hence the need to order products.

Here’s the promise that would entice victims to give money to the scammers:

For 100 pesos, you could withdraw 188 pesos; deposit 300 pesos, and you could get 460 pesos; give them 500, and you would get 722 pesos; give 1000 and get 1880. The scammer gave me assurance that I could get the funds via my GCash in just 10 minutes. That’s how easy it is to earn money from their platform, he added. This is, of course, called the advance fee scam. Scammers would promise to give you money in exchange for your money sent via GCash to a UnionBank account. The accounts could have been compromised, or willingly handed over by the account holders for a commission, a form of digital money mule fraud. Scammers would provide you the 188 pesos first, but believe me, the subsequent transactions would be all for them.

7) When I tried to withdraw my 68 pesos, the bonus for signing up, the scammer told me that I needed to deposit 200 pesos again so that I could get the 68 pesos. I told him that I would be happy to invest ten thousand pesos, but I wanted to see how it works. I told him to let me withdraw all the money I got, now at 324 pesos after the 56 pesos commission I got for clicking a link labeled “task.” The scammer agreed and said he would send the 324 pesos to me. After a few minutes, I got the 324 pesos in my GCash, again from the UnionBank account. Because of greed, the scammer allowed me to get my money back, plus a little of his that came from scamming other users.

I got my money back plus more

Things that I learned

The scam is not exclusive to the Philippines. The same fraudulent SMS activity also happened in India in December 2020 and Singapore in May 2021. I agree with NPC Commissioner Mon Liboro that “an organized global syndicate” is behind these SMiShing attacks against Filipino users. The scammers were not Filipinos. When I tried sending a message in Tagalog, not one of the five could understand me. I am, however, expecting that this scam will evolve and will have a local counterpart soon. I also agree with the NPC commissioner when he said that there is no evidence that the scammers got the numbers from contact tracing apps or forms.

Also, I found out that the scammers are using UnionBank and GCash for this scamming campaign. I still have to see other modes of payment in this SMiShing attack. I have sent a message to UnionBank about this incident. I’m still waiting for their reply. Globe was also informed about my findings.

I am working with the National Privacy Commission (NPC) to monitor this incident. As I am one of the first journalists to talk about this, the NPC requested additional information about my story. I forwarded to the commission all the conversations, screen captures, transactions, and information I believe relevant to their investigation.

Cybercriminals are becoming more sophisticated. Let us all be vigilant and help educate our families and friends on the dangers lurking on the internet.