The enactment of Republic Act No. 11934, otherwise known as the SIM Card Registration Act, was intended to curb mobile phone-aided crimes in the Philippines. However, malicious actors have adapted by deploying sophisticated phishing campaigns. These fraudulent schemes often masquerade as official communications from telecommunications companies (telcos) or government agencies, falsely warning users of imminent SIM deactivation to steal sensitive personal data.

For legal professionals, compliance officers, and subscribers, navigating the reporting mechanisms for these cybercrimes is vital to mitigating risks under data privacy and cybercrime laws.

1. The Legal Framework: Understanding the Offenses

SIM registration phishing messages are not merely nuisances; they constitute distinct criminal violations under Philippine law.

• RA 10175 (Cybercrime Prevention Act of 2012): Phishing primarily falls under Computer-related Identity Theft (Section 4(b)(3)), which penalizes the unauthorized acquisition and use of identifying documents or data. It may also constitute Computer-related Fraud (Section 4(b)(2)) if the transmission alters data to cause economic damage with fraudulent intent.
• RA 10173 (Data Privacy Act of 2012): Malicious forms sent via phishing links designed to harvest names, birthdays, and IDs violate provisions against the Unauthorized Processing of Personal Information (Section 25) and Processing for Unauthorized Purposes (Section 28).
• RA 11934 (SIM Card Registration Act): Section 11 of the law explicitly penalizes the registration of a SIM using spoiled, spoofed, or fictitious identities, as well as the sale or transfer of a registered SIM without complying with registration requirements. Phishing often serves as the initial phase to acquire legitimate identities for fraudulent registrations.

2. Evidence Collection: Preserving the Digital Trail

Before initiating any formal report, the law requires the preservation of clear, unedited digital evidence. Under the Rules on Electronic Evidence (REE), electronic documents are functional equivalents of written documents if their integrity is maintained.

• Do Not Delete or Alter: Keep the original SMS intact within your device's inbox.

• Capture Metadata via Screenshots: Take screenshots of the message ensuring the following are visible:

• The sender's alphanumeric label or mobile number (e.g., "+639XX..." or a spoofed sender ID like "SIM_REG").

• The exact date and time the message was received.

• The complete, unedited text and the precise URL/hyperlink contained in the message.

• Document the Destination: If the link was clicked, take screenshots of the landing page, noting the deceptive URL bar, but immediately close the page without inputting data.

3. Institutional Reporting Channels

A comprehensive response involves reporting the incident across three distinct sectors: the state regulator, law enforcement, and the affected telecommunications provider.

A. The National Telecommunications Commission (NTC)

As the primary regulatory body overseeing the implementation of the SIM Card Registration Act, the NTC maintains a dedicated clearinghouse for text scams and phishing.

• Mechanism: Reports can be filed through the NTC's online scam reporting portal or via email (consumer@ntc.gov.ph).
• Required Data: The subscriber must provide their own contact details, the fraudulent sender's number/header, the screenshot of the SMS, and a brief description of the incident.

B. Law Enforcement Agencies (Cybercrime Units)

For incidents where financial data was compromised or identity theft has already occurred, formal law enforcement complaints are necessary to initiate criminal investigations.

• PNP Anti-Cybercrime Group (PNP-ACG): Complaints can be lodged at their main office in Camp Crame or through their official online complaint desks and hotlines.
• NBI Cybercrime Division (NBI-CCD): Victims can file formal complaints at the NBI Cybercrime Division office or submit actionable intelligence via the NBI’s official website.

C. Telecommunications Service Providers (PTEs)

Public Telecommunications Entities (PTEs) such as Globe, Smart, and DITO are legally mandated to maintain secure systems and assist in fraud prevention.

• Action: Submit the fraudulent number or spoofed header directly to the respective telco’s internal fraud reporting tools (e.g., Globe's "Stop Spam" portal or Smart's reporting links).
• Remedy: Upon verification, PTEs have the technical capacity to isolate, block, or permanently deactivate the offending SIM network access, preventing further propagation of the campaign.

4. Remediation in Cases of Data Breach

If a subscriber inadvertently fills out a phishing form and discloses their SIM registration details (such as full names, photographs, or government-issued IDs), the incident escalates into a personal data breach.

Legal Recourse under the National Privacy Commission (NPC): The affected individual should document the scope of the exposed data and may file a formal complaint with the NPC for a violation of the Data Privacy Act. While the NPC does not handle the criminal prosecution of the phisher, it can investigate systemic vulnerabilities and order institutions to secure compromised accounts.

Furthermore, if government-issued IDs were compromised, the subscriber must proactively notify the issuing government agency (e.g., PSA for PhilSys, LTO for Driver’s Licenses, DFA for Passports) to mitigate identity theft risks.

5. Summary of Institutional Contacts