Inside SMS Spoofing: Evolving Scams Outpace Policy, Enforcement

(First of Two Parts)

Marie (not her real name) was on vacation with her family in Manila last month when she received a text message reminding her that her credit card reward points were about to expire.

Because the message appeared within her bank’s legitimate SMS thread, she initially thought that there was nothing unusual about it. She clicked the link.

“I was redirected to a page displaying various items that could supposedly be redeemed using my expiring points,” Marie told The Philippine STAR. “I selected a low-cost mobile phone. The page then required a payment of P55 for shipping, prompting me to enter my card details.” 

After two failed transactions, she was finally able to complete the “redemption” for her expiring reward points.

But instead of the mobile phone she had selected, she received a bill for an unauthorized overseas transaction amounting to over P19,000.

“I was already shaking because I was terrified by the amount of money that was lost,” Marie, a mother of two, recalled.

Because she provided her OTP or one-time password, her bank tagged the transaction as valid and required her to pay the amount.

What happened to Marie was a form of scam called “smishing,” in which scammers use deceptive text messages to trick victims into clicking malicious links that lead them to fake websites designed to steal sensitive personal and financial information.

But the scheme that targeted her was more sophisticated than the scam messages sent using regular SIM cards or through messaging applications like Messenger or Viber, as it required the use of illegal devices to “hijack” or spoof legitimate message threads.

Called International Mobile Subscriber Identity or IMSI catchers, these portable devices can serve as a fake cell tower and allow to hijack legitimate message threads and send “spoofed” messages to potential victims.

“They hijack the threads of your legitimate conversations with your banks, with your telcos, with your utilities, and even government institutions,” explained Undersecretary Renato Paraiso, executive director of the Cybercrime Investigation and Coordinating Center (CICC).

“This technology does not require a SIM card,” added Roy Ibay, vice president at the Philippine Chamber of Telecommunicators Operators and head of the regulatory affairs department at Smart. 

“It can assimilate the function of a cellsite … let’s say, for a given radius of around 500 meters, depending on how powerful the transmitter of that fake cellsite propagates,” he said.

Garrett Silao, chief information security officer at Globe, said the emergence of this particular scam was a result of previous measures to improve consumer protection, such as the blocking of messages containing links.

“The attacks evolved… This is the next evolution for the attackers. They went to IMSI catchers or ‘stingrays’ as we call them,” he said.

“The problem with IMSI catchers is that it is off-net, so we cannot see it. Everything that we put up to protect our subscribers, it’s still there. But the IMSI catchers, that’s another story,” he added.

Law enforcement agencies are aware of the problem, but the complex and evolving nature of the scheme makes it difficult for them to establish its scale. 

Still, available evidence points to small criminal networks using equipment from shuttered Philippine Offshore Gaming Operators (POGO), as well as of scammers operating overseas.

Targeting the vulnerable

Jocel de Guzman, co-founder of consumer protection group Scam Watch PH, said they first monitored cases of “hijacked” threads and “spoofed” messages in 2024.

Because Filipinos were already warned against clicking links from random numbers, he said fraudsters transitioned to spoofing legitimate message threads of financial institutions, government agencies and other service providers to deceive potential victims.

“They found a workaround … You can send a message and everyone will receive it,” De Guzman said. “You can set it to a particular telco or, even worse, spoof numbers.”

One of the early victims of this scam is Phil (not his real name), who received a message from his network provider in March 2024 asking him to redeem his unexpired points.

After trying to redeem an item on a fake website, his credit card was charged P36,000 for a transaction at a hotel in Africa. 

“Of course, I was irritated,” Phil told The Philippine STAR. “I was sad. It’s my fault. I felt stupid. Lesson learned.”

Like Marie, Phil said he was preoccupied when he received the scam message, as he was busy at the gym. 

Maj. Gen. Wilson Asueta, director of the Philippine National Police Anti-Cybercrime Group (PNP-ACG), said scam messages often contain elements of urgency to pressure potential victims into clicking links without much caution.

Aside from offers of rewards, other scam messages contain warnings of supposed unauthorized transactions involving large sums of money.

“You become vulnerable because [the message] instills fear that your account might be affected or that something is wrong with it,” Asueta said in Filipino. “For others, it’s the desire to earn money. If they see bonus points or rewards, they react.”

The challenge lies in determining the exact number of victims, with officials noting that many choose not to file complaints before law enforcement agencies.

Last year, the CICC said it only received 208 complaints from victims of different phishing scams, including 76 from smishing. Data from previous years has yet to be released.

The PNP-ACG, meanwhile, received 122 complaints involving smishing scams last year, from 224 in 2023 and 119 in 2024. The figure includes scam messages sent through random mobile numbers, which officials said had since dropped due to intensive awareness campaigns and the passage of the SIM registration law.

Still, Asueta said victims seem reluctant to file formal complaints, as it would require extra effort to go through the process and because they fear being blamed if they report or publicize what happened to them. 

Paraiso added: “If you’re sure it’s a scam, you’ll not report it anymore because you know it’s your fault that you fell for it.”

Illegal devices

The use of IMSI catchers and other portable cellular mobile repeaters and cellsite equipment is regulated by the National Telecommunications Commission (NTC).

A 2013 NTC memorandum states that only duly licensed cellular mobile telephone system operators, the National Disaster Risk Reduction and Management Council and other government agencies performing functions vital to national security or safety are authorized to purchase, import, possess and use these devices.

But this did not stop these devices from entering the country.

Since last year, the PNP-ACG has already conducted 19 operations that led to the seizure of dozens of illegal equipment, including at least five IMSI catchers and 53 text blasters.

At least 22 individuals had been arrested for selling or using these devices.

The National Bureau of Investigation (NBI) said this equipment is openly sold abroad and being smuggled via backdoor channels—the same routes where contraband passes through.

In November 2025, the Bureau of Customs issued a memorandum ordering the seizure of illegally imported IMSI catchers. But no information has been made public on how many such devices have been intercepted.

Another problem, according to Paraiso, is the proliferation of “homemade” devices built using parts imported through e-commerce sites. 

Asueta said the PNP-ACG has intensified its “cyberpatrolling” activities to monitor online sellers of illegal devices.

In March, Globe also donated IMSI catcher detectors to the NTC, CICC and the PNP Criminal Investigation and Detection Group to help detect those using illegal networks.

Remnants of POGO?

The use of IMSI catchers became more appealing to fraudsters in 2022 after the NTC directed telecommunications companies to block texts with clickable links, De Guzman of Scam Watch PH said.

But officials also note possible links to POGOs, which the government officially shut down in 2024.

In May, PNP chief Gen. Jose Melencio Nartatez Jr. warned against the sale of devices such as text blasters “salvaged” from abandoned POGO hubs.

“While we have seen a decline in centralized scam hubs since the 2024 POGO ban, we are now facing a guerrilla-style distribution. These devices are being pulled out from closed firms and sold individually to smaller criminal elements,” he said.

Among those recently arrested were two men in Parañaque, identified as “former POGO workers,” who were nabbed for selling three units of text blasters.

Last year, a former security guard of a POGO hub was also arrested for the illegal sale of SMS blasters and signal jammers.

“They are former employees who, when POGOs left, knew which equipment could be profited from,” Asueta said.

Jay Salanguste, special investigator of the National Bureau of Investigation Cybercrime Division, said there’s a possibility that different groups who are working within the scamming ecosystem are formerly involved in POGO hubs.

“The spoofing operation is one part of a larger operation,” he said in an interview. “Basically, the spoofing team would gather possible targets that they endorse to another group located in a different place that usually engages with the victim.”

Borderless problem

But the use of IMSI catchers is just one aspect of the scam operations.

While there have been arrests of those who sell or use the illegal devices, law enforcement agencies have yet to track down those behind the development of the fake websites that facilitate the fraudulent transactions.

Salanguste said the phishing websites, domains and hosting infrastructure are often located in another country, making it difficult to track down and prosecute perpetrators.

Stolen financial information are also often used to carry out transactions overseas, allowing the alleged foreign actors to quickly access the funds.

“Part of our problem is borderless victimization and borderless perpetrators,” added Asueta. “This is a global problem … This is a borderless issue.”

Locally, arrests are only made among those at the bottom of the chain, particularly those selling and operating IMSI catchers. 

But tracking the masterminds? “Very difficult in terms of police operations. You need to have a focus for this and, of course, we need informants who can really help us,” the PNP-ACG chief said.

Victims like Marie and Phil see the importance of dismantling these sophisticated financial fraud operations to protect others from these kinds of scams. 

But this often takes a backseat to a more pressing concern: recovering money that, while a small amount to some, can be vital to their daily lives.

(To be continued)

Reporting for this story was supported by the Journalists Against Corruption and the Philippine Center for Investigative Journalism.