Wide-Ranging Philippines Phishing Scams Are Sending Out Millions of Messages, SIM Card Registration Bill Proposed as a Solution

Faced with seemingly out-of-control phishing scams that are pushing millions of malicious messages to residents of the Philippines, the national government is considering reviving a previously vetoed bill that would mandate SIM card registration.

The previous version of the bill not only required SIM card registration, but also called for social media accounts to be registered to a legal name and phone number. That bill was vetoed by former president Rodrigo Duterte in April due to a lack of detailed guidelines and free speech concerns.

Government investigation pursues phishing scams, but little information available at present

Phishing scams are bombarding millions in the Philippines with attempts on their login credentials; most of these malicious messages pose as legitimate online services and attempt to get the recipient to visit a phishing page.

There is not yet much information available to the public on the parties behind these large and organized phishing scams, and the government has yet to release information on how many citizens and residents have been harmed by them. But the problem is clear to just about anyone using a phone in the country, and some in the government are returning to SIM card registration as a solution.

The country’s two biggest carriers, PLDT and Globe, have attempted to reassure their customers that they are blocking over a billion scam messages and hacking attempts each year and that threat actors have not breached their systems. But some legislators, such as senate public services committee head Grace Poe, believe that SIM card registration is necessary due to the disproportionate impact of these phishing scams on low-income job seekers and those in need of financial assistance.

The phishing scams went into overdrive during the Covid-19 pandemic, as demand for online services of all types surged. Most of this new traffic came from mobile devices, where attacks are harder for users to detect. The major contributors are the inability to see full URLs before clicking a link, the relative ease of making malicious SMS messages look authentic, and a tendency not to secure personal phones in the same way as computers.

The senate investigation only just got underway in the second week of September, but prior investigations of customer complaints indicate that the scammers are likely feeding their databases by scraping information from apps that have security oversights. The country’s National Privacy Commission has named popular messaging app Viber and financial app GCash as two that criminals target to gather personal information from which tailored phishing scams can be built. Prior investigations have also found that the phishing scams appear to be coming from inside the country and making use of prepaid services that offer unlimited text promotions.

Contentious SIM card registration plan revived as frustration with scam messages grows

Senate Bill No. 99, or the “Subscriber Identity Module Card Registration Act,” would require the nation’s telephone companies to collect SIM card registration prior to activation and use. Customers that refuse to provide their real names and contact information could have their SIM card canceled. If the bill passes, the Philippines would join about 155 other countries that have some form of mandatory SIM card registration laws, but it remains to be seen how far documentation requirements would go. Several countries go as far as to require some sort of biometrics (such as a facial scan) along with presenting a photo ID when a card is purchased; others use an online documentation verification service at time of registration. The vast majority of SIM card registration countries have a “capture and store” policy that requires telcos to obtain accurate information but does not make it available to the government except in the event of an investigation that specifically requests it.

The previous proposed bill in the Philippines called for a harsh maximum sentence of 12 years in jail for SIM card registration with false information (with a minimum sentence of half a year). The bill passed the House and Senate with a great deal of support but did not make it past the desk of Duterte, whose veto seemed to be centered more on the attached measure ending anonymity on social media.

While technology experts and civil rights advocates were not generally allies of Duterte, they also widely criticized the SIM card registration idea, both for its worrying impacts on privacy and free speech and for the fact that it has proven unworkable in many other countries. Several countries, such as Mexico, had a law of this type for a short period but repealed it due to an inability to enforce it. Black markets inevitably pop up, and are often primarily driven by identity fraud as criminals simply steal identities to register new SIMs or clone existing SIMs belonging to other people. Well-funded criminals can also easily step around the system by getting a phone in another country that allows international roaming.

Nick Ascoli, VP of Threat Research at PIXM, sees this as movement in a positive direction even if it does not actually curb the phishing scams: “There is a need for regulations that represent a sincere and holistic attempt at taking steps towards curbing cybercrime operations affecting the region. Unfortunately, scammers use many techniques to send luring text messages to victims, few of which involve the actual purchase of a physical phone and SIM card. Most involve the use of internet-based SMS Gateways. While the specific proposal would likely not address the issue, it represents a hopeful sentiment that Southeast Asian governments will increase their use of federal resources in stopping cybercrime.”