Allison Waedt had to cope with a lot more than jet lag when she returned to Winnipeg from a trip to Australia last fall.
When I got back, I tried to use my phone and my phone wasn’t working,” she told CTV News. When Waedt called her wireless carrier to find out why, she learned her account had been closed. After a shocked Waedt explained she hadn’t made any such request, the carrier informed her she was a victim of SIM card fraud.
It’s a scam that can lead to identity theft and huge financial losses, as reported by other Canadians who were also targeted by scammers.
Vancouver’s Erynn Tomlinson had $30,000 in crytopcurrency stolen from her accounts due to SIM fraud. Saskatchewan farmers Laurie and Andrew Johnson had hundreds of thousands of dollars drained from their business bank account after a similar SIM swap scam.
Here’s what you need to know about SIM card fraud, how to prevent it and what to do if it happens to you.
What’s the purpose of SIM cards?
SIM stands for subscriber identity mobile card, and you can’t use a carrier’s mobile network without one. The mobile phone number assigned to your SIM card essentially becomes your mobile identity. When you transfer your SIM card to a new handset, your phone number and all the data on the device are transferred over to that new cellphone.
SIM scammers fake your identity
In a typical SIM scam, a hacker contacts your mobile provider and pretends to be you. They likely tell the carrier one of two things:
- They need a new SIM card because either the card or their phone was lost or stolen.
- They need to transfer the mobile phone number to a new handset or a new carrier.
In both cases, the fraudster must convince the carrier they are you. They can do that by providing the carrier with information such as your birthdate, address and mobile phone account password.
How do hackers get your info?
Perhaps you clicked on a phishing email or fake text message claiming your cellphone account had been compromised. This message may have asked you to reset your passwords or verify your address, phone number and birthdate for security purposes.
If you did that, hackers now have enough info to successfully fool your wireless carrier into believing they’re you.
Getting control of your phone
Remember scenarios A and B above? Here’s what they do next…
If the carrier believes scenario A, a new SIM card is issued to the hacker, who then has control of your mobile phone number. If the carrier believes scenario B, they close your existing cellphone account and transfer control of your mobile phone number to a new carrier. (This is called number porting.)
In both cases, it means your phone no longer has service. It also means the hacker can contact your bank to request a password reset on your bank accounts.
Reminder: The hacker now has control of your mobile phone number. So when a bank password reset code is texted to your mobile phone number, it actually gets sent to the hacker’s phone. They can use the texted code to change your banking password and gain full access to your bank account.
They can also do the same with your other online accounts (credit card, email, social media, etc.) and receive texted codes to reset your passwords to all those accounts — on their phone, not yours.
How to prepare & prevent SIM swaps
There are some key things you can do to prevent SIM swap fraud:
Be aware before clicking: Never open, click on, or reply to emails and texts that seem suspicious or come from sources you don’t recognize. They could infect your device or accounts with malware that steals your data. These messages could also be phishing attempts to dupe you into resetting your passwords or providing information that could be used to steal your identity and hack into your online accounts.
Make sure they’re legit: If someone claiming to be your bank or wireless carrier calls, emails or asks you to confirm your password or security authentication details, don’t do it. Instead, contact the company directly via its official channels to verify whether they did, in fact, send you a legitimate request.
Stick to the basics: Limit the amount of personal details you post online, such as your address, maiden name, spouse’s name, nickname, birth date, children’s names, anniversary dates, place of employment, pet’s name, etc. Hackers can use these to: 1) impersonate you to your phone carrier, bank or other institutions, and 2) answer multifactor authentication questions you may have set up for security on your various online accounts.
Don’t give up more information: For similar reasons, supply as little identifying information as possible when filling in online forms.
Set up a PIN: Ask your wireless carrier if they can set up a PIN or password that would be required specifically to make changes to your phone number or account. Some of Canada’s providers may offer this option.
Get notified: Change the notification setting on your online accounts to receive alerts by email and/or text message when any changes are made to your account. Even if your phone number is stolen, you’ll still get an email alert on your laptop and other devices.
Password protection: Don’t use one password for all your accounts or login to all of them through Facebook or Google. Create a strong, separate password for each online account or use an encrypted password management app to do it for you.
Verification: Use an app like Google Authenticator or Authy to securely verify your identity through your device handset rather than your phone number.
Secure your hardware: Get a hardware token for secure authentication through your phone handset.
Can wireless carriers prevent SIM swaps?
Under Canadian law, a carrier must obtain proof that a customer has authorized a change to their SIM card or phone whenever such a request is made – but each carrier sets its own rules for what constitutes authorization.
According to one major Canadian carrier’s website, this is what it requires when customers want their cell number ported to a new carrier or device:
- If the request is made by telephone, they ask you “a range of details to confirm that you are the account holder.”
- If you make the request in-store, you must bring “a recent bill which should have your correct name, address and account information just as they appear in the former carrier’s database.”
In response to several media reports of SIM swap fraud, in January 2020, the Canadian Wireless Telecommunication Association told CTV News it was working on plans to make undisclosed changes to the number porting process.
Checklist: What to do if SIM fraud happens to you
Here’s what to do if you suddenly can’t use your phone, can’t log in to any of your online accounts, notice posts on your social media accounts you never made, or receive notifications that any kind of change has to been made to your wireless or other accounts:
- Notify your wireless provider immediately.
- If an unauthorized request was made to port your number, contact the ‘new’ carrier and get them to cancel it.
- Find official paper documents showing when your wireless account was created, recent bills with transaction details, etc. to verify your identity with your carrier and reverse the SIM swap.
- Change the passwords to all your online accounts — but DON’T have reset codes texted to your cellphone, since the hacker may still be able to see them.
- Ask your bank to put a hold on your accounts and look out for questionable transactions.
- Ask credit monitoring agencies to red flag any suspicious activity on your financial accounts.
- Report the incident to local police and the Canadian Anti-Fraud Centre, who can alert and educate the public.
In many SIM fraud cases, victims suffer a loss of trust and peace of mind. In the most unfortunate cases, there can be financial damage and further distress.
Luckily for Winnipegger Allison Waedt, she suffered no financial losses before her carrier reversed her fraudulent SIM card swap.
March is Fraud Prevention Month in Canada. Learn more about how to protect yourself from 5 different types of fraud here, and if you’re concerned about any financial fraud, please reach out to your ACU financial advisor.