As technology has become more ubiquitous, people have been exposed to more scams that attempt to part them from their money and, in some cases, identity.
But while most people know not to open strange attachments, provide private information to a stranger over the phone or transfer money to a mysterious person who purports to be an old friend or a long-lost relative, not everyone realizes that you can do almost everything right and still fall victim to a horrifically stressful and traumatic scam, one that is very difficult to untangle and undo.
Earlier this month, Alison (who has requested her name be withheld) was about to drive home from an appointment in Mississauga when she noticed her phone was no longer connected to her carrier service.
She turned her phone off and on, but it still wouldn’t connect to Rogers. She had no service at all, and she wasn’t sure why. Thinking it might be a Rogers outage, she drove to a friend’s house and hopped on his Wi-Fi to investigate, only to be blitzed with multiple emails informing her that her PayPal password had been changed and her account had been connected to her phone.
She also received an email saying that someone had purchased close to $2,000 worth of merchandise on her credit card via PayPal.
Unable to call Rogers or PayPal to figure out what was going on, she drove to the nearest Rogers store and told the employees that she had lost service and was helplessly watching someone drain her PayPal account. The incidents had to be related, but she wasn’t sure what was going on.
The employees, almost as puzzled as she was, told her that her problem was indeed serious and that they would check her account immediately. One employee asked her if she had cancelled her phone plan earlier that day and moved her number to a new carrier. She said no. He told her that her number, the number she had had for over 20 years, was no longer associated with her account and had been ported to another service provider.
She insisted that she made no such request, and Rogers began the lengthy process of flagging her account for fraudulent activity and setting her up with a new number and SIM.
Alison, it turns out, was the victim of a relatively new and extremely sophisticated scam called SIM swapping.
How does it work?
According to Wired, a SIM swap occurs when a bad actor convinces your carrier to switch your phone number and SIM info over to a SIM card in their possession. They might do this by contacting your carrier over the phone or through an online help chat, and they might get your provider to make the switch by providing them with personal details, such as your date of birth or account number.
While you would think a huge telecommunications company would do a thorough check before porting a customer’s number, SecurityIntelligence says scammers exploit workers–often by appealing to their compassionate side–to convince them to hand over SIMs and numbers.
It’s something commonly referred to as social engineering.
According to the article, IBM’s 2014 Cyber Security Intelligence Index found that 95 per cent of all security incidents involve human error.
“Many of these are successful security attacks from external attackers who prey on human weakness in order to lure insiders within organizations to unwittingly provide them with access to sensitive information.”
So by playing dumb or pretending to forget key details, a scammer might be able to convince a telecom employee to grant them access to your number and associated information. If a scammer attempts to obtain your SIM over days or weeks, there’s a good chance someone will eventually give them what they want.
Scammers can also collect your personal information through malware or phishing scams (which occur when a scammer prompts you to cough up personal information by tricking you into filling out an online form you think is legitimate).
Some experts also say that a person can simply find out information about you through social media.
Unfortunately for victims, people who take control of your phone are probably planning to do more than make long-distance calls and stick you with the bill–they’re likely hoping to take advantage of weaknesses in text-based two-factor authentication checks to gain access to your bank or other sensitive accounts.
In Alison’s case, the fraudsters quickly gained access to her PayPal account by having the password (or password reset code) sent to them via text. Since they had her number and SIM, they were receiving all text and phone calls intended for her and had almost an hour of unfettered access to her phone before she reported the incident to Rogers.
Once a fraudster has your phone number and SIM, he or she can lock you out of your online banking, email and social media accounts and have new passwords sent to them via text. If you’ve set up text-based two-factor authentication (which means you’ve asked a service to text you when someone tries to log in to your account from a new or unfamiliar device), your two-step security feature could be used to a fraudster’s advantage should someone swap your SIM.
They can have full control of your phone without physically possessing the device, which is extraordinarily unsettling.
“Once I got a new SIM and had my phone back, I immediately called PayPal and asked them to shut down the account,” Alison said.
“They were sympathetic and agreed, but eventually they came back and said the purchase and password changes were all authorized by the account holder and that they didn’t believe the activity to be suspicious. I absolutely lost my mind. I didn’t know if the person with my phone number was calling them and demanding they keep the account open and if they were listening to them because that was the number associated with the account. I just kept saying my number was stolen and the purchase wasn’t mine. They eventually agreed to put a hold on the account, but I was so frantic by then.”
Alison said she kept refreshing her email, dreading the arrival of messages indicating that other accounts had been compromised. Fortunately, the only suspicious emails came from PayPal.
After getting off the phone with PayPal, she called her financial institution and cancelled all of her associated credit cards.
“I just cancelled everything. I had no idea if they had my banking information or if they had accessed my account. After I cancelled everything, I was terrified the person with my number would try to call the companies and have the cancellations reversed. I never knew someone could steal your number, so I started thinking that if people are this smart, there’s a lot more damage they can probably do once they have your information.”
While SIM swap scams are relatively rare, they do appear to be on the rise.
Earlier this year, police in Edmonton, Alta. warned residents to be vigilant after three SIM swap attacks were reported.
Recently, Lifehacker shared some SIM swapping horror stories involving people who lost massive amounts of both fiat currency and cryptocurrency in attacks. In June, Matthew Miller, who writes for ZDNet.com, said that he knew something was wrong when his daughter woke him up to tell him that something unusual was happening to his Twitter account. Miller said the hacker deleted his tweets, blocked followers and locked him out of his Google account. He said that T-Mobile told him that a representative agreed to swap his SIM because the caller had the right information and there was no way to tell it wasn’t him authorizing the change.
Miller said the scammer eventually used his bank account to purchase $25,000 in Bitcoin. It took him a considerable amount of time and effort to reclaim his accounts, and his number was illegally ported a second time after he had reported the fraud and reclaimed it.
Alison said she disputed the substantial PayPal charge with her credit card company and was informed that the charge wasn’t likely to go through. She had no issues closing her accounts, but says she still feels violated and worries that something else will go wrong.
“I went home and spent hours upon hours changing every single password and trying to detach my phone number from every service that might be associated with it. I was happy to do it for the peace of mind, but I couldn’t help but wonder if it was too late and if this person already has information from being in my phone for as long as they were,” she said.
“It might sound silly, but I honestly feel violated. I’ve had trouble sleeping and just generally feel a little unsafe, or like something else is going to be stolen or my personal information is going to end up in the wrong hands again.”
Alison said Rogers acted quickly to help her.
“The people in the store were extremely helpful and sympathetic and the agents I’ve spoken to since have been really great,” she said. “I’m currently working with the fraud department and plan on filing a police report, just so they know this happened and that it could happen to someone else anytime.”
“A lot of the agents I’ve spoken to said that this kind of scam appears to be on the rise, with some telling me that they’ve noticed an uptick over the last three months.”
While this type of scam is difficult to prevent, since it is hard to pinpoint how someone could gather enough information to impersonate you and steal your phone number, the Canadian Bankers Association (CBA) website offers some tips on preventing SIM swap scams.
The organization says customers should set up a passcode or PIN with their service provider so that anyone who calls the company purporting to be them will have to know it in order to make any changes to the service.
This PIN should be unique and not obvious (so avoid, for example, your birth year, your wedding date or anything else that can be easily gleaned from your social media accounts).
You also shouldn’t use the same PIN for multiple services.
CBA also says that people should never publish their phone number on any of their social media profiles and should limit the amount of personal information they post online, such as their birthday, the name of their elementary school or their pet’s name.
“Fraudsters can use these clues to answer common identification questions and impersonate you,” the website reads.
CBA also says people should refrain from using the same passwords or usernames across multiple accounts.
“Always create a strong, unique password for your sensitive accounts.”
And most importantly, people are reminded not to click on links or attachments in suspicious emails or text messages.
“Remember that your bank will never send you an email, or call you on the phone, asking you to disclose personal information such as your password, credit or debit card number, or your mother’s maiden name,” the website reads.
If you believe you have been a victim of fraud, contact your local police service and the Canadian Anti-Fraud Centre.