Short Message Service (SMS) phishing—commonly referred to as “smishing”—remains a persistent threat to the Philippine digital ecosystem. Malicious actors continuously evolve their tactics, leveraging social engineering schemes to deceive the public into divulging sensitive credentials, revealing financial data, or downloading malicious software.
In the Philippine legal and regulatory context, a text scam is not merely a modern nuisance; it is a statutory offense cutting across cybercrime, data privacy, consumer protection, and banking laws. For legal professionals, compliance officers, and citizens, knowing how to properly preserve evidence and navigate the state's reporting mechanisms is critical to suppressing these illicit operations.
I. The Philippine Statutory Framework
Combating SMS phishing involves a matrix of special penal laws and administrative regulations designed to lift the veil of digital anonymity and penalize fraudulent actors:
- The Anti-Financial Account Scamming Act (AFASA) (Republic Act No. 12010): Enacted to reinforce the integrity of the financial architecture, AFASA explicitly penalizes Social Engineering Schemes, including smishing, vishing, and phishing, when executed to gain unauthorized access to financial accounts. It also criminalizes "money muling." Notably, if financial account scamming is carried out by a syndicate (three or more persons) or on a large scale, it is classified as Economic Sabotage, which carries a penalty of life imprisonment.
- The Cybercrime Prevention Act of 2012 (Republic Act No. 10175): Smishing activities directly violate provisions against Computer-related Fraud (Section 4(b)(2)) and Computer-related Identity Theft (Section 4(b)(3)). Furthermore, Section 6 of this Act mandates that if any crime punishable under the Revised Penal Code (RPC)—such as Swindling/Estafa under Article 315—is committed by, through, or with the use of Information and Communications Technology (ICT), the penalty shall be imposed one degree higher than that prescribed by the RPC.
- The SIM Card Registration Act (Republic Act No. 11934): This law mandates the registration of all SIM cards against valid government-issued identifications. It strips bad actors of traditional anonymity and establishes a legal pathway for law enforcement agencies to subpoena user identity data from telecommunications firms during criminal investigations.
- The Data Privacy Act of 2012 (Republic Act No. 10173): Smishing often relies on illicitly sourced directories. The unauthorized processing, malicious disclosure, and improper disposal of personal data that enable these targeted texts are punishable with severe fines and imprisonment under this statute.
II. The Protocol for Electronic Evidence Preservation
Under the Supreme Court’s Rules on Electronic Evidence (A.M. No. 01-7-01-SC), digital evidence is highly volatile and must be captured properly to retain its probative value in court or administrative proceedings. If you receive a phishing SMS, observe the following protocol:
- Do Not Click or Reply: Interacting with links can execute malicious scripts or signal to the sender that the mobile number is active.
- Capture Unaltered Screenshots: Take high-resolution screenshots of the message. Ensure the screenshot clearly displays:
  - The sender’s raw 11-digit mobile number or alphanumeric Sender ID (e.g., spoofed names claiming to be legitimate banks or government entities).
  - The complete, uncropped body of the message, including any embedded Uniform Resource Locators (URLs) or hyperlinks.
  - The metadata, specifically the exact date and time the message was received.
- Preserve Financial Records: If the phishing link led to an unauthorized transaction, immediately secure digital copies of bank statements, e-wallet transaction receipts, and official transaction reference numbers. Do not modify or obscure any names or account numbers.
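The preservation steps above can be backed by a small evidence record kept alongside the screenshots. The following is an added example, not part of the original guide or any agency's tooling: the function names, the record fields, the assumed Sender ID pattern, and the use of SHA-256 digests to show that files were not altered after capture are all assumptions, and the sample message is constructed.

```python
import hashlib, json, re, tempfile
from datetime import datetime, timedelta, timezone

PH_TZ = timezone(timedelta(hours=8))                  # Philippine time, UTC+8
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)
MOBILE_RE = re.compile(r"^09\d{9}$")                  # raw 11-digit mobile number
SENDER_ID_RE = re.compile(r"^[A-Za-z0-9 ._&-]{1,11}$")  # assumed Sender ID shape

def classify_sender(sender):
    """Label the sender field so the report states what kind of origin was shown."""
    s = sender.strip()
    if MOBILE_RE.match(s):
        return "mobile_number"
    if SENDER_ID_RE.match(s) and not s.isdigit():
        return "alphanumeric_sender_id"
    return "unrecognized"

def defang(url):
    """Make a URL non-clickable for e-mailed reports; the verbatim body is kept too."""
    return re.sub(r"^http", "hxxp", url, flags=re.I).replace(".", "[.]")

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_record(sender, body, received_local, screenshot_paths):
    """Assemble one evidence record; nothing here opens or fetches the link."""
    received = datetime.strptime(received_local, "%Y-%m-%d %H:%M").replace(tzinfo=PH_TZ)
    urls = [u.rstrip(".,;:!?)") for u in URL_RE.findall(body)]
    return {
        "sender": sender,
        "sender_type": classify_sender(sender),
        "received": received.isoformat(),
        "body_verbatim": body,
        "body_sha256": hashlib.sha256(body.encode("utf-8")).hexdigest(),
        "urls_defanged": [defang(u) for u in urls],
        "screenshots": [{"file": p, "sha256": sha256_file(p)} for p in screenshot_paths],
        "recorded_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }

if __name__ == "__main__":
    # Constructed sample: sender, text, time and screenshot bytes are all made up.
    with tempfile.NamedTemporaryFile(suffix=".png", delete=False) as shot:
        shot.write(b"constructed screenshot bytes")
    sms = "MYBANK: Your account is on hold. Verify at https://mybank-verify.example/login."
    print(json.dumps(build_record("MYBANK", sms, "2025-01-15 09:42", [shot.name]), indent=2))
```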
III. Step-by-Step Reporting Mechanisms
Depending on whether the incident is an attempted scam or has already resulted in actual financial fraud or data breach, reports must be directed to specific regulatory, administrative, or law enforcement bodies.
1. Administrative Intervention: National Telecommunications Commission (NTC)
The NTC is tasked with regulating Public Telecommunications Entities (PTEs) and enforces the systemic blocking of fraudulent numbers and malicious spoofed Sender IDs.
- When to Report: For routine text scams, spam messages, or threatening/illegal texts, even if no financial loss has occurred.
- Procedure:
  - Access the official NTC Text Spam/Spam Report Portal ([https://ntc.gov.ph/text-spam-spam-report/](https://ntc.gov.ph/text-spam-spam-report/)).
  - Upload a copy of a valid government-issued identification card (or birth certificate/NBI clearance if an ID is unavailable).
  - Upload the unaltered screenshot of the phishing SMS showing the sender's details.
  - Alternatively, formal complaints can be emailed directly to consumer@ntc.gov.ph or escalated through the NTC Consumer Hotline at 1682.
2. Emergency Escalation: Cybercrime Investigation and Coordinating Center (CICC)
An attached agency of the Department of Information and Communications Technology (DICT), the CICC serves as the centralized hub for real-time cybercrime monitoring and inter-agency coordination.
- When to Report: For urgent, active, or large-scale smishing campaigns that threaten critical infrastructure, government agencies, or extensive consumer populations.
- Procedure: File an incident report online through the CICC Report Portal ([https://cicc.gov.ph/report](https://cicc.gov.ph/report)) or contact the unified inter-agency scam hotline at 1326.
3. Criminal Prosecution: Law Enforcement Agencies (LEAs)
If a phishing text successfully deceives a victim into parting with money, property, or credentials, the matter crosses from an administrative complaint into a criminal investigation.
- Agencies Involved:
  - Philippine National Police Anti-Cybercrime Group (PNP-ACG)
  - National Bureau of Investigation Cybercrime Division (NBI-CCD)
- Procedure: Victims must personally visit or formally contact the Complaint Action Center of the PNP-ACG or NBI-CCD. Initiating criminal prosecution requires the execution of a formal Complaint-Affidavit. This sworn statement must outline a detailed, chronological narration of facts, supported by the preserved electronic evidence, bank certifications, and proof of identity.
4. Data Privacy Breaches: National Privacy Commission (NPC)
If the phishing text reveals that an individual's sensitive personal information (such as full names, health records, or financial account details) has been leaked from a corporate, institutional, or government database, the NPC assumes jurisdiction.
- When to Report: When the smishing incident indicates unauthorized data processing or a wider data breach by a personal information controller.
- Procedure: Formal complaints must be filed with the NPC Legal and Enforcement Office via complaints@privacy.gov.ph or through their official online complaints portal, utilizing their prescribed complaint-assisted forms.
5. Private Actions: Institutional Notifications
Parallel to state reporting, immediate institutional notification is legally required to mitigate damages and trigger contractual defenses:
- Impersonated Institutions (Banks/E-Wallets): Under Bangko Sentral ng Pilipinas (BSP) regulations and AFASA, if a phishing text impersonates a financial institution (e.g., GCash, Maya, BDO, BPI), the victim must immediately report the link to that institution’s verified fraud hotline. This initiates temporary account freezing, credential resets, and transaction tracing.
- Telecommunications Providers (PTEs): Forward the scam details to the dedicated anti-spam channels of the respective carrier (e.g., Globe’s Stop Spam portal or Smart’s fraud reporting portals) to fast-track network-level number termination.
IV. Comprehensive Evidentiary Checklist for Legal Action
When preparing a report or a complaint-affidavit for law enforcement or regulatory review, ensure the following documentation is compiled:
| Document / Evidence Type | Essential Specifics to Include | Purpose |
|---|---|---|
| Primary Digital Evidence | Unedited screenshots showing the full Sender ID/number, exact message text, and timestamp. | Establishing the corpus delicti of the cyber offense. |
| Proof of Identity | Government-issued ID (Passport, UMID, Driver's License, PhilID). | Verifying the standing of the complainant under the SIM Registration and NTC rules. |
| Financial Documentation | Bank certifications, e-wallet logs, transaction reference numbers, or credit card statements. | Proving actual material loss for Computer-Related Fraud or Estafa charges. |
| Technical Footprint | Complete URLs, unshortened links, domain registrars, or web-hosting info (if extracted). | Assisting law enforcement in technical mapping and website takedowns. |
| Chronological Narration | A written timeline detailing receipt of text, actions taken, links clicked, and subsequent discoveries. | Serving as the evidentiary foundation for a formal Complaint-Affidavit. |