THE National Privacy Commission said it has received reports of leaked contact-tracing data resulting in “phishing attacks” via mobile phone texts, in which recipients are tricked into revealing sensitive personal data.

A commission bulletin issued Tuesday said the unsolicited texts, sent by Short Message Service (SMS), sought to trick recipients into visiting malicious websites. The practice of using SMS to carry out phishing attacks is known as “smishing.”  

The commission said the complaints it has received linked the incidents to personal information given in contact tracing and health declaration forms.

“The contents of these unsolicited messages reportedly include links that redirect to legitimate looking but fraudulent sites when clicked. These sites may steal users’ personal data, introduce mobile malware, and even commit fraud,” the commission said.

According to the commission, smishing can be used to trick recipients into opening a dummy Facebook account. The text message contains a code and a short link that, when clicked, associates the recipient’s mobile number with the dummy account.  

The commission said smishing has been connected to fake online shopping or delivery transactions, which victims fall for because they are expecting an actual delivery.

“Clicking the shortened link will redirect the recipient to a website that prompts them to fill out their personal and banking information to complete the delivery,” the commission said.

Privacy Commissioner Raymund E. Liboro recommended that recipients “scrutinize text messages, especially if they come from an unknown number and request information about you. Be skeptical and do not assume that every message you receive is genuine.”  

The commission warned against messages with shortened links, and recommended avoiding in-app links and disabling link previews in the mobile message application.

It also noted that individuals may block messages from a specific phone number, filter messages from unknown senders, and redirect spam or junk mail.

The commission also urged parties who have custody of and process personal information to adequately protect contact-tracing data. — Revin Mikhael D. Ochave