Art By Danni Lim
Art By Danni Lim.

FAST FACTS: Recent spike of SMS scams allegedly linked to COVID-19 contact tracing

With the recent wave of text message scams, many Filipino netizens expressed frustration towards the Philippine government’s failed COVID-19 contact tracing efforts, calling it a data privacy breach.

By Hannah Lauren Cadiz | Monday, 21 November 2022

Despite Department of Health (DOH) secretary officer-in-charge Ma. Rosario Vergeire’s constant denial regarding the allegations of SMS scams being associated with COVID-19 contact tracing systems, Filipinos are still skeptical to fill out such forms after receiving countless spam messages bearing the receiver’s full name.


As SMS scams started to surge in early 2021, contact tracing is eyed as the main source of such major data privacy breaches. Smishing, a term coined from the word “phishing,”, is defined as the fraudulent practice used to steal personal information via text messaging. Attackers mask themselves as reputable entities that deceive victims into revealing their confidential data. 


“There was never any meaningful contact tracing done in the Philippines. After making Filipinos fill out countless contact tracing forms and download useless contact tracing apps, the only achievement of the government's contact tracing program is to give us spam text messages,” physician and medical anthropologist Gideon Lasco tweeted on Jan. 11, 2022.

Albay representative Joey Sarte Salceda called out the Inter-Agency Task Force for the Management of Emerging Infectious Diseases (IATF) for their negligence, saying that instead of using multiple contact tracing applications, they should have enforced the use of only one application with a single database and a single protecting data controller. Salceda adds that this data privacy breach could have been from contact tracing databases of different establishments and is possibly caused by being limited to only one single controller. 


However, the National Privacy Commission (NPC) claims that such scams are less likely to come from contact tracing. Ex-NPC Commissioner Raymund Liboro considered that it could be from unscrupulous data brokers, which are companies that collect and analyze personal information such as names, contact numbers, credit card numbers, addresses, and birthdays, and will be then licensed to other companies later on. In an interview with The Philippine Star, Liboro further noted that the data broker industry is worth $200 billion (11.4 trillion) with over 4,000 registered brokers in the United States alone.


Section VI of the joint memorandum of the Department of Trade and Industry and Department of Labor and Employment on COVID-19 workplace control and prevention claims that contact tracing information is handled with great privacy. It states, “Contactless forms shall be handled with the utmost confidentiality and securely disposed of after thirty (30) days.” The same also applies to printed forms through the use of paper shredders to “ensure that personal data are not viewed and shared by others.” In addition, Michael Santos, NPC Complaints and Investigation Division Chief, speculates that it would be hard for perpetrators to text people manually based on contact tracing forms, particularly the ones that are handwritten.

Have you received a text like this?

With the rising popularity of SMS smishing, it is important to recognize these scams when you see one. 

Here are examples of spam messages:
Sample Message   1
Sample Message  2

When in doubt, click out. Do not reply to messages or click on links because link manipulation is one technique scammers use in creating malicious URLs. This can also be in the form of link shortening through using services like and TinyURL.


On the other hand, you can protect yourself from smishing before it even reaches you by filtering your messages or blocking suspicious numbers. Call-blocking apps such as Calls Blacklist lets you both block unknown callers and unwanted text messages.


In September 2022, telecommunications company Globe Telecom Inc. temporarily blocked all text messages containing website links in both prepaid and postpaid numbers. The company also announced that it was working with NTC and NPC on investigating this data breach.