Mobile Porting/Sim Swap

<  Back to Fact Sheets
Unauthorised Mobile Porting and SIM Swaps 

Criminals attempt to gain ownership of mobile numbers in order to access online accounts such as banking, email, superannuation, and government portals such as MyGov. By taking taking control of a mobile number, criminals can also gain access to SMS codes (two-factor authentication) that we often have sent to our mobiles. 

This may happen one of two ways: 
  1. Unauthorised Mobile Porting – porting is a legitimate service that allows customers to transfer a mobile number from one telecommunication provider to another. An Unauthorised Port occurs when a criminal contacts a different telephone provider, sets up an account with them and requests to have your number brought over from your current provider. 
  2. SIM Swap – the criminal contacts your existing provider and requests to activation of a new SIM card with your number. 

Once a mobile number has been successfully taken over, criminals will receive your text messages, including those containing password resets and verification codes (often referred to two-factor authentication or multi-factor authentication codes). This then gives them access to your existing online accounts, with banking and email accounts being major targets. 

Detection 

A typical indicator of an Unauthorised Port or SIM Swap is an SOS message on your mobile phone, indicating a loss of phone coverage or reception. SOS in this instance means that your network provider is no longer providing service to your device. Other common indicators include being locked out of accounts such as Internet banking, emails, social media, or other services that rely on password reset or verification codes. 

You may also begin to receive emails welcoming you to your new telecommunications provider, or from financial institutions notifying you of updates to your contact details or other account details. Or you may find that you are no longer able to access your email, banking or other online accounts as the passwords have been changed.

Please Note: If you receive a text from your mobile provider (or another telecommunications provider) that your number is about to be ported, respond immediately to the company who have sent the text as you may be able to stop the port. 

Prevention 
  • Use multi-factor authentication wherever possible, including using authenticator apps, touch ID, Face ID or biometrics as part of account access requirements.
  • Consider downloading your banking App onto your mobile device. Most banking Apps provide the ability to temporarily freeze your accounts and cards.
  • Check if your financial institution has multi-factor authentication options that do not rely on using your mobile number for security codes. 
  • Make a list of accounts that send text messages to your mobile for security purposes.
  • Do not treat your email account as data storage – periodically clean out your emails (inbox/outbox/sent and other folders). A common precursor to an Unauthorised Port or SIM swap is the criminal gaining access to the individual's email account.
  • Never provide personal details over the phone to unsolicited callers. 
  • Do not click on links in emails or text messages until you verify validity. 
Responding to the scam 
  • Freeze access to your bank accounts via your banking App and call your financial institution(s) immediately to alert them to the risk.
  • Disable SMS as a password reset or verification code recovery method (or change the contact number) for online accounts. Start with email account. 
  • Contact your telecommunication provider and find out if your number has been ported to another provider or if there has been a fraudulent SIM Swap. 
  • If the number was ported, request your telecommunication provider submit a ‘reversal of an unauthorised port’. 
  • If you experienced a SIM Swap tell your provider to shut down the active SIM and provide you with a replacement SIM, then tighten security as a prevention. 
  • Request from the telecommunication provider what credentials were used by the criminal to allow the port or SIM swap to occur.
  • Report any fraud that has occurred as a result of the port or SIM swap to the police.
print
Disclaimer

Identity Care Australia & New Zealand Ltd (IDCARE) provides identity and cyber security incident response services (the Services) in accordance with the following disclaimer of service:

IDCARE is Australia and New Zealand’s national identity and cyber incident community support service. We are a not-for-profit charity.

  • The Services provided do not constitute legal advice. IDCARE recommends that you consult a solicitor in relation to your legal rights and obligations, including but not limited to your legal rights or obligations under Australian and international privacy and data protection laws.
  • While every effort has been made to ensure the accuracy of the information in this product or service, to the maximum extent permitted by law all conditions, terms, representations, and warranties (in each case, whether express or implied) in connection with the provision of the Services which might otherwise be binding upon IDCARE are excluded.
  • IDCARE’S liability for any loss or damage suffered by any person or organisation (including, without limitation, any direct, indirect or consequential loss or damage) arising out of or in connection with the Services (including without limitation liability for any negligent act or omission, or statement, representation or misrepresentation of any officers, employees, agents, contractors or consultants of IDCARE) shall be limited to the fees paid by you to IDCARE in respect of the Services. For the avoidance of doubt, this limitation of liability extends to any liability arising from any actions performed or not performed as a result of any recommendations made in course of providing the Services.
  • The Services provided by IDCARE are intended to be provided solely to the initial recipient of this document or service and IDCARE will not be liable to any other person who may receive this document.

While every effort has been made to ensure the accuracy of the information in this alert, IDCARE disclaims any liability to any person in respect to any actions performed or not performed as a result of the contents of the the Services or any accompanying data provided. Wider dissemination may be permitted by authority in writing from IDCARE’s Managing Director. If you would like to provide feedback please use our Feedback Form.

CONTACT US

IDCARE is here to provide you with specialist support and guidance when faced with a cyber and identity related issue. Contact one of our Identity & Cyber Security Case Managers to learn more about our Support Services and how we can help you.   

Get help
ONLINE FORM

Submit a web request

Call Centre Icon

Call our AUSTRALIAn
NATIONAL CASE MANAGEMENT CENTRE

1800 595 160

Mon - Fri: 8am - 5pm AEST

QLD: 07 3555 5900
ACT & NSW: 02 8999 3356
VIC: 03 7018 2366
NT, SA & WA08 7078 7741

Call Centre Icon

call our NEW ZEALAND
NATIONAL CASE MANAGEMENT CENTRE

0800 121 068

Mon - Fri: 10am - 7pm NZST

AKL: 09 884 4440