Where did SMS scammers get our numbers?

Published November 24, 2021, 8:01 AM

by Robert D. Reyes

WhatsApp SMS Spam

Checking my Android device, the oldest SMS spam I received telling me that they are hiring people was on Tuesday, 09 November 2021. I normally ignore messages like that – for one, my Android-powered smartphone is “smart enough” to tag it as spam and send it directly to my Spam & Blocked folder (I know there is a similar function for iOS device users).

From that day on, I had been receiving an average of three (03) spam SMS daily – all telling me that they are hiring with outrageous daily salaries ranging from P3,000 to P8,000. At the end of each SMS is a link leading to the messaging program WhatsApp.

A friend forwarded me a link to a now-deleted (or now private) Facebook post detailing a victim’s ordeal with the scammers. She (the victim) fell prey to a spam SMS sent to her and clicked (opened) the link therein. Using WhatsApp as the communications platform, she was offered an “online job” to process online orders (from eCommerce websites) and earn commissions. The victim was lured into first paying the amount (around PHP44,000 in total) she needed to “process” so that she would receive the commissions faster. After receiving the money from the victim, the scammers blocked her online account (in the fraud website/app). She was not reimbursed, nor did she receive the commissions due her.

In light of these incidents, many were quick to blame the various contact tracing apps and paper forms we fill out when we go to malls, supermarkets, etc. Some are even pointing the finger at eCommerce platforms and food delivery apps as the culprits.

But I, personally, am not (yet) convinced that there is a massive data breach with any of these local systems. Why? Aside from the fact that this was previously discussed in this article [https://bit.ly/contacttracingappsleak] written by our Tech News Editor Art Samaniego, the simple fact that I use a different mobile number for contact tracing purposes, food deliveries, and eCommerce platforms, and that it remains clean of spam as of this writing, is enough proof for me.

I asked around and did a quick survey of friends and colleagues on social media. I noticed a common denominator among those receiving these spam SMS: WhatsApp. The mobile numbers receiving spam SMS are the ones used to sign up with WhatsApp (some even forgot that they did years ago).

Possible WhatsApp Data Breach?

An article posted in January 2021 by edexlive.com noted that “WhatsApp faces intense scrutiny over its upcoming data and privacy policy in India and elsewhere”, and cited that the WhatsApp on Desktop (Web) application allegedly exposed personal mobile numbers to the extent that they were indexed by Google Search.

I tend to believe that this is the cause of all these spam SMS that quite a number of Filipinos, both here and abroad, have been receiving these past few days. Could it be a massive WhatsApp data breach months ago that was not publicly disclosed? Did someone actually buy a database of Philippine-based WhatsApp numbers on the dark web? I don’t know.

Mandatory SIM Card Registration is the Solution?

With more than 74% of the Philippines’ 110 million population having at least one (01) smartphone, and with privacy issues such as the current smishing cases, many are clamoring for the ratification of the mandatory SIM card registration law.

Will this legislation curb the spamming and scamming? We’re not totally sure.

My take on this: there is already some sort of SIM Card Registration in effect in the Philippines in the form of eWallets like PayMaya, GCash, and the like, all with a combined user base of 84 million (according to recent estimates).

Account holders of these eWallets underwent a KYC (Know Your Customer) process, effectively recording basic customer information, including the mobile numbers attached to one’s account, as well as valid proof of identification. Did this help eliminate or lessen the scamming incidents? I don’t think so.

Just this Tuesday evening, the National Privacy Commission (NPC) said that a global crime syndicate is the culprit behind the recent surge in smishing (SMS phishing) cases. The commission also summoned the Data Privacy Officers (DPOs) of telcos, banks, and eCommerce platforms to report on their spam prevention measures.