In our age of two-factor authentication, your cellphone number may be your most important and sensitive number to protect.
Text messages are often used by financial institutions, payment services, businesses to verify yourself. Text messages are also used as ways to verify identity when recovering passwords for shopping sites, social media and more.
The problem? It is surprisingly simple for scammers to hijack your cellphone number through a porting-out scam.
A phone port scam scenario:
You receive a text message from your cellphone company saying your phone number is going to be ported in 10-minutes unless you call to cease it. If you are fortunate to be looking at your phone at this point, you may call confused but you are more likely to delete the text thinking THAT is the scam.
You go back to your normal routine and two hours later your phone loses cellular connectivity.
You call to learn your phone number has been transferred (ported) to another phone. To remedy the issue, you are asked to visit a local cellphone provider store to prove it is you. This process could take hours to complete and get your number back.
By this point it is already too late. The scammers were able to access your phone and use it to verify you on sites like Amazon and others. They were also likely able to use the two-factor authentication to reset the password on your email account and more.
Before you can patch up the holes, the scammers have successfully made significant online purchases and scrapped all email data they could find. They could also aim to drain your bank account or hold your sensitive and personal information (like photos, email account access, social media page access) hostage.
How does the phone porting scam happen?
For the most part, scammers need to discover your cellphone company pin number to port your number. To do this, scammers will go after your personal information (name, address, birth date, etc.), the last digits of your social security number, answers to common security questions (mom’s maiden name, pet name, school name, favourite sport) and more to uncover information that may lead to discovering your pin or being able to reset it. They may start collecting this information by searching social media, calling you and pretending to be a trusted professional business (like your bank) with the goal of having you slowly leak more information. They also search the dark web to find out what information about you may already be for sale.
These scammers then call your phone company and pretend to be you. If successful, the number is ported. Sadly, it is this easy. Canadian phone carriers are required to follow this legislation. It was initiated to help consumers move to a different carrier but now scammers are exposing the vulnerability.
Ways to mitigate risk and protect yourself from phone porting:
- Have a pin: Make sure you have a phone pin with your cellphone provider. Call and confirm you have one set up.
- Be unique: Make your cellphone company pin code unique from other pin or common numbers (like your debit card pin, year of birth, year of child’s birth).
- Stay aware: if you see suspicious text and/or email verification requests, contact the company associated immediately to confirm it is not you making that request.
- Don’t communicate: if a company calls or texts you requesting personal information, do NOT give it to them. If you are not sure if the call is legitimate, search online for the company number, hang up the call and call back the company directly.
- Keep private: Do not share answers to common security questions on your social media, write out any part of your social security number or provide any information publicly that allows someone to gather more necessary information to con the phone companies.
Victim of a phone port scam?
The first sign you have fallen victim to the phone porting scam is that your phone is now only allowing 911 emergency calls. If this happens to you take these three steps immediately.
- Contact your phone provider.
- Call your financial institutions and credit cards to put them on watch for fraudulent activity.
- File a police report.