Why You’re Getting Spam Texts, According to a Cybersecurity Expert

“I am a project manager, we are hiring a team, working on the home, daily salary around: 3000-8000 Peso, Accept Jobs on Whatsapp,” reads a text that many Filipinos received some version of over the past few weeks. 

Other iterations offer part-time and full-time positions in industries like e-commerce and solar energy, or entice people with the opportunity to “make money with your mobile phone.” Almost always, these texts end with a mysterious link. According to one curious and brave citizen, clicking on it leads you to a chat where an unknown sender gives more information about the supposed job opportunity, and eventually tries to collect your bank details. Experts and regular citizens alike have called it an elaborate phishing scam. 

Of course, these scams are nothing new. 

“Filipino citizens have suffered from a lot of data breaches for the past six or seven years,” Mara Miano, a Filipino cybersecurity expert from online trust and safety firm ActiveFence, told VICE.

Miano recalled how hackers compromised the backend of the Philippine Commission on Elections (COMELEC) database in 2016, defaced the COMELEC website, and left a message questioning the security of the country’s voting machines. Then, another group reportedly posted mirror links online for anyone to download what it claimed was the COMELEC database. The government body apologized for the incident and instructed citizens to change their email passwords and inform their credit card companies that their data may have been breached, but experts believe the information—like voters’ email addresses, passport numbers, and, possibly, mobile numbers—could still be available online. 

“If you still use your same cell phone number or email address from [the time of] the 2016 elections, if you registered, I suggest you change it, because it’s out there,” Miano said. 

Some have called the incident one of the biggest government-related data breaches in history. But there are many other ways scammers can get ahold of people’s contact details. 

Another way for mobile numbers to end up in spam texters’ databases is through data brokers, who collect information from forms people fill out, like seemingly harmless ones you submit to get free stuff in malls, for example. That this information is traded and sold is a “known practice,” Miano said. It’s also possible, the cybersecurity expert added, that some contact tracing apps during the pandemic do not secure the data they collect, leaving them open for hackers to acquire. 

Miano explained that the Philippines is a valuable target for hackers because it’s a huge internet user market that uses both the Filipino and English languages, without much awareness of internet security.

“We are avid internet users, but not very educated internet users, especially in terms of security or how our data is being used.”

Text spamming is common in other countries, too, Miano said, so those behind the recent incident in the Philippines “could be anyone.”

The hackers, however, seem to be financially motivated.

“It’s a common modus during COVID, because a lot of people lost jobs. We’re in a very economically tumultuous time, so hackers are getting more and more creative,” Miano said, adding that hackers may be exploiting those who are financially troubled because they are more likely to fall for scams like this.

“If you open a link on your phone, sometimes you can expose yourself to malware that is able to scrape other data on your phone. For example, saved passwords on your browser, or your SMS messages.”

For those who might have fallen for the scam, Miano offered advice, partly in jest: “I would burn the whole phone.”

More seriously, and practically, Miano said the first thing people should do is tell their banks that there was a possible compromise. Second is to change all their passwords, especially the ones for their emails, because hackers usually go into emails to get even more information.

She also recommended enforcing two-factor authentication, downloading anti-malware software, using a VPN, and resetting phone network settings.

For those who haven’t fallen for the scams but are growing tired of getting spam texts, Miano said: “The best thing you can do as an individual is to really ignore these messages. If you want to stop receiving them, then change your number.”

For small things like receiving one-time passwords or signing up for free stuff at the mall, people can start using burner “dumbphones” (as opposed to smartphones) with prepaid sims, so the numbers aren’t linked to any personal information or online data. They can also use burner email addresses, which of course should not have people’s real names.

These may seem like extreme measures, but Miano said it’s hard to gauge just how far hackers can go. 

“I don’t know how sophisticated these hackers are, but it seems like they are because they were able to scale the operation,” Miano said.

Follow Romano Santos on Instagram.