Are you, too, sick and tired of all the SPAM we receive via SMS daily? Recently, these spammers (scammers, actually) have leveled up their game by sending personalized SMS to us – they are now mentioning our names (full names to some) in the SPAM that they are sending to our mobile phones – something that the National Privacy Commission (NPC) refers to as targeted smishing messages.
The big question now is who to blame for the avalanche of SPAM SMS that we are receiving? Personally, I believe that there is a breach of sorts with Viber, the messaging platform/app, that is being exploited by these spammers/scammers. Why do I say so?
I use three (03) telcos for communication: DITO, Globe, and Smart – all at the same time. My DITO Telecommunity SIM card acts as my backup communication, while my Globe and Smart SIM cards are my daily drivers. Friends, business contacts, and colleagues in the press/media know my Globe number – something like my public-facing mobile number. I also use my Globe number for all the Fintech apps (including GCash and Maya) that I use.
On the other hand, only a handful of family members, friends, and colleagues know my Smart number, and this is the same mobile number that I use for Viber to subscribe to and communicate with government agencies for news-gathering purposes.
I, myself, recently received a personalized SPAM SMS on my Smart number that is not used with any Fintech app nor is being utilized to receive OTP (one-time password) for any online account that I may have. However, this is the mobile number that I use to communicate with my Viber contacts. I also noticed that the spammer/scammer called me “Bob” which is just my nickname. Oddly enough, my display name on Viber is Bob Reyes.
While some technical personalities were quick in saying that GCash may be the culprit for the proliferation of personalized SPAM SMS lately, I will have to disagree. The fact that the number where I received the SPAM SMS is not enrolled in GCash (nor Maya), but is used in Viber will give us a clue on who the culprit is. I also made an informal survey among friends and colleagues who recently received a personalized SPAM SMS, and it seems that our common denominator is Viber.
I reached out to Rakuten Viber for them to comment on this issue, and they only sent me the following statement:
“Data privacy and overall safety of users are part and parcel of everything Viber does. The app uses end-to-end encryption by default on private communication, which means that Viber has no access to private chats -- nothing users share privately can be used and be sold by Viber or 3rd parties. There is a privacy setting that allows users to show photos and usernames and only if it is enabled then a username will be visible. Users have complete control of this privacy setting.
For users who are part of Viber Communities and Channels, Viber can assure them that their numbers are completely hidden from other members. To further protect the community or channel members, admins can also disable direct messages to prevent others who are not on their contact lists to start private chats with them. Meanwhile, users are reminded to practice customary care in joining regular group chats to ensure that they fully trust the other members with the information that is shared.
Viber will always prioritize the privacy and safety of its users and assures everyone that it is doing everything it can to ensure that the information that it has been entrusted with will not be compromised.”
According to the initial investigation conducted by the NPC, data aggregators are unlikely to be the source of the recent wave of targeted smishing messages that specify the recipient’s name. The NPC added that based on the reports they received, the smishing messages appear to have been sent using specific mobile numbers registered to certain texting services. They also said that telecommunications companies confirmed that the smishing messages which are sent using mobile numbers are possible through a phone-to-phone (P2P) transmission – something that is usually coursed through the telco’s regular network and does not pass through data aggregators.
I do hope that the NPC, perhaps with the help and cooperation of the DICT / NTC / NBI et al, will finish their investigation on these (personalized) SPAM SMS. This time, we, the Filipino taxpayers and mobile phone users want concrete actions and see someone getting punished for violating our privacy. Enough of the press releases, will you?