This may happen one of two ways:
- Unauthorised Mobile Porting – porting is a legitimate service that allows customers to transfer a mobile number from one telecommunication provider (telco) to another without changing or losing the original number. An Unauthorised Port occurs when a criminal contacts a different telephone provider, sets up an account with them and requests to have your number bought over from your provider.
- SIM Swap – the criminal will contact your existing provider and request to activate a new SIM card with your number.
Either way, once a mobile number has been successfully taken over, criminals will receive text messages containing password reset/verification codes (often referred to as 2SA or 2FA). This gives them access to your existing online accounts - banking and email accounts are major targets for such attacks.
A typical indicator of an Unauthorised Port/SIM Swap is the loss of phone coverage or reception of the affected mobile phone. SOS in this instance means that your network provider is no longer providing service to your device. Other common indicators in addition to your phone SOS display includes being locked out of accounts such as Internet banking, emails, or other services that rely on password reset/verification codes.
If you are connected to wifi at the time of the porting/SIM swap, emails from your financial institution referencing updates to your list of payees or funds transfers may indicate your number has been ported.
Please Note: If you receive a text from your mobile provider (or another telco) that your number is about to be ported, respond ASAP to the company who have sent the text as you may be able to stop the port.
- Consider downloading you banking App onto your mobile device. Most bank Apps provide the ability to temporarily freeze your debit/credit cards.
- See if your financial institution will provide you with a ‘token’ (a two-step authentication device) replacing the need to use your mobile number for security codes.
- Make a list of accounts that send text messages to your mobile for security purposes. In the event of a port you will know which accounts to temporarily deactivate the affected number.
- Do not treat your email account as data storage – periodically clean out your emails (inbox/ outbox/sent and other folders).
- Never provide personal details over the phone to unsolicited callers.
- Do not click on links in emails or text messages until you verify validity.
Responding to the scam
- Freeze your online banking App or call your financial institution(s) immediately and alert them of the risk
- Temporarily disable SMS as a password reset/verification code recovery method (or temporarily change the number) for online accounts. Start with email account.
- Contact your telecommunication provider and find out if your number has been ported to another provider or if there has been a fraudulent SIM Swap.
- If the number was ported, request your telco submit a ‘reversal of an unauthorised port’
- If you experienced a SIM Swap tell your provider to shut down the active SIM and provide you with a replacement SIM, then tighten security as a prevention.
- Repeated attempts - Use a separate prepaid SIM card to set up all of your online accounts with that is not attached to your main phone number.
Identity Care Australia & New Zealand Ltd (IDCARE) provides identity and cyber security incident response services (the Services) in accordance with the following disclaimer of service:
IDCARE is Australia and New Zealand’s national identity and cyber incident community support service. We are a not-for-profit charity.
- The Services provide do not constitute legal advice. IDCARE recommends that you consult a solicitor in relation to your legal rights and obligations, including but not limited to your legal rights or obligations under Australian and international privacy and data protection laws.
- While every effort has been made to ensure the accuracy of the information in this product or service, to the maximum extent permitted by law all conditions, terms, representations, and warranties (in each case, whether express or implied) in connection with the provision of the Services which might otherwise be binding upon IDCARE are excluded.
- IDCARE’S liability for any loss or damage suffered by any person or organisation (including, without limitation, any direct, indirect or consequential loss or damage) arising out of or in connection with the Services (including without limitation liability for any negligent act or omission, or statement, representation or misrepresentation of any officers, employees, agents, contractors or consultants of IDCARE) shall be limited to the fees paid by you to IDCARE in respect of the Services. For the avoidance of doubt, this limitation of liability extends to any liability arising from any actions performed or not performed as a result of any recommendations made in course of providing the Services.
- The Services provided by IDCARE are intended to be provided solely to the initial recipient of this document or service and IDCARE will not be liable to any other person who may receive this document.
While every effort has been made to ensure the accuracy of the information in this alert, IDCARE disclaims any liability to any person in respect to any actions performed or not performed as a result of the contents of the alert or any accompanying data provided. Wider dissemination may be permitted by authority in writing from IDCARE’s Managing Director. If you would like to provide feedback please use our Feedback Form.