Companies, apps and service providers increasingly use your mobile phone number as a means of authentication. The evolution of the smartphone has made it a part of our everyday personal and work lives and therefore, a convenient and relatively quick channel for authentication when completing transactions or account changes.
Fraudsters have realized the opportunity to benefit financially from SIM card fraud or fraudulent mobile number porting.
What are SIM swaps and cell number porting?
A SIM card is a chip inserted into a mobile phone that allows access to the cellular network. An activated SIM card enables the mobile number associated with the SIM to be used.
A SIM swap can occur legitimately when customers advise their mobile service provider that they lost their phone and will be getting a new phone with the same number. The mobile service provider will “attach” the existing phone number to a new SIM which can be used with the customer’s new phone. Sometimes the term ‘cell number porting’ is used interchangeably; however, this is slightly different.
Cell number porting legitimately occurs when a customer wishes to change providers and keep the existing cell number. The number can be transferred across carriers to a different SIM card which the customer can now use with their current device.
What is SIM swap fraud?
A fraudulent SIM swap occurs when a cell phone number is assigned to a new SIM card without the authorization of the legitimate owner.
The fraudster will steal personal information about the legitimate owner which can be used to impersonate the owner when calling a mobile service provider. Personal information is often obtained through phishing e-mails, tricking someone to share their personal information or directly from social media platforms where information is often openly available. There are also cases where personal information has been sold within fraud rings which was initially obtained from large-scale data breaches.
With personal information in hand, the fraudster is able to convince the mobile phone provider that the legitimate owner is calling in to report a lost or stolen phone, and request that the mobile number be transferred to a new SIM which will be associated with the fraudster’s device. The fraudster will now be able to receive phone calls and text messages intended for the legitimate owner. The same applies to fraudulent mobile phone number porting where the fraudster is able to convince a new mobile provider to “port” your mobile number to a new SIM on their network.
Many apps and platforms use a two-factor authentication process to validate when a customer is changing a password, contact information or logging in from a different device. An SMS text is sent to your phone number to validate that you are indeed the person making the change. Unfortunately, a fraudster who is able to commit SIM swap fraud will now receive these authentication texts or e-mails and may be able to “approve” fraudulent charges to your accounts and app services.
Keep in mind these apps often store your credit card information to facilitate purchases for goods, services and travel. A fraudster can easily change delivery addresses on your profile and use the stored credit card for fraudulent purchases.
Possible signs of SIM card swap fraud
- Sudden or unexpected loss of mobile phone service, including the inability to make or receive phone calls, as well as text messages. This is common as there is a “downtime” period where a phone number will be switched to a new SIM.
- Unexpected notifications or texts from your current cellular service provider advising of a pending switch to a new service provider. If you have any concerns with messages that may be possible spam, always refer to the provider directly for validation of the message.
- Unknown charges to your credit card or charges to a merchant that is outside your normal transaction behaviour. This may be an indication that your mobile apps may have been accessed and used for fraudulent purchases. If you notice unfamiliar charges on your credit or debit card, ensure you alert your bank.
6 tips to prevent SIM swap and phone porting fraud:
- Many mobile phone providers require a personal code for identification when you call in — make sure you have one is in place if this security feature is available.
- Advise your cell phone provider you do not want your number to be ported without in-person authentication at one of their outlets.
- Add a second level of notification for two-factor authentication where possible. Instead of only receiving a text message for authentication, add an e-mail address to receive notifications to confirm account changes Do not ignore messages from your cell carrier advising of changes to your account — instead of responding to a text or email, call your provider directly to validate the authenticity.
- Ensure your old phone is wiped or returned to the manufacturer’s settings if you are donating or returning your phone.
- Make it a regular habit to have different passwords for your online accounts and apps.
- Report any instances of unusual activity promptly to your mobile provider.
Also, be careful of SMS texts or emails requesting personal information or account details — do not respond to SMS texts or emails that feel suspicious or originate from an unknown source. Fraudsters use phishing emails and smishing text messages to mimic correspondence from your personal and business contacts as a means of obtaining your personal information. Take two minutes to validate requests for information with your contact directly.
Today, your mobile number is more than just a contact phone number. Just as you would protect other sensitive information, such as PINs, you should treat your cell number in a similar manner. Ask yourself: Who am I giving my number to, and why is it necessary? You can never be too careful in protecting your personal information!
This article offers general information only and is not intended as legal, financial or other professional advice. A professional advisor should be consulted regarding your specific situation. While the information presented is believed to be factual and current, its accuracy is not guaranteed and it should not be regarded as a complete analysis of the subjects discussed. All expressions of opinion reflect the judgment of the authors as of the date of publication and are subject to change. No endorsement of any third parties or their advice, opinions, information, products or services is expressly given or implied by Royal Bank of Canada or its affiliates.
Shane Lee Wo is a Senior Manager of Fraud Initiatives at RBC.
This article is intended as general information only and is not to be relied upon as constituting legal, financial or other professional advice. A professional advisor should be consulted regarding your specific situation. Information presented is believed to be factual and up-to-date but we do not guarantee its accuracy and it should not be regarded as a complete analysis of the subjects discussed. All expressions of opinion reflect the judgment of the authors as of the date of publication and are subject to change. No endorsement of any third parties or their advice, opinions, information, products or services is expressly given or implied by Royal Bank of Canada or any of its affiliates.