Cyber criminals have developed a new scam targeting your cell phone. Known as the ‘port-out scam’ criminals are are using stolen information to trick cell phone carriers into transferring legitimate phone numbers to new devices. The result is leaving consumers with dead cell phones and vulnerable to even more crimes.
Your cell phone is probably your single most important technology device. It contains information about nearly every facet of your life. African-Americans are the leading consumer of mobile technology making this scam extremely dangerous to our community.
Porting is a standard practice in the cellphone industry. A consumer can port their number to a new service provider or new device usually in minutes. With this scam, also known as the “SIM-swap scam” a criminal tricks a cellphone service provider into transferring your legitimate phone number to a phone under the scammer’s control. Once the number is ported, all calls and text messages sent to that number go instead to the scammer’s phone. This allows the scammer to bypass security features, like two-factor authentication, used to protect your sensitive email, banking, and social media account information.
Scammers use stolen data like your the last four digits of a Social Security number, a phone number, name on the account and the victim’s address. All of this information is easily obtainable on the dark web thanks to repeated data breaches of consumer information.
Using the stolen data the scammer contacts the wireless provider pretending to be the legitimate owner. After the scammer contacts the cell phone company they can easily change the PIN if one is not already set up. If you do have a PIN set up the scammer claims not to remember it then uses the last four of the victim’s social security number and mailing address. The scammer’s next move is to request the wireless company port “their” number to a different phone. Once the provider switches the victims’ phone number to the criminal’s phone the victim’s phone will go dead. The scammer then uses the phone to reset passwords or gain entry to accounts that use two-factor text authentication. Criminals frequently target bank accounts. Once a bank account is accessed the scammer can quickly and easily transfer funds to an account that the scammer controls.
This scam is the latest and fastest growing cyber scam and can be financially devastating to victims. Cellphone service providers have begun taking steps to protect their customer’s accounts. T-Mobile, sent a text to notify customers to set up a port validation feature. This ensures that fraudsters could not port out your phone number without providing a passcode.
Fraud.org advises consumer to use the following steps to keep from being victimized by this scam.
- Contact your carrier and ask them to add a unique personal identification number (PIN) to your account. This PIN will need to be provided any time you wish to make a change to your account, including upgrading your cell phone. This extra layer of security will help block any would-be scammer from running the port-out scam on your phone. The process for adding a PIN depends on your provider.
- AT&T – Log into your ATT.com account, go to your profile by clicking your name, and under the wireless passcode drop down menu, click on “manage extra security.”
- T-Mobile – Call 611 or (800) 937-8997 from your cell phone to speak with a customer service agent.
- Sprint – Sprint automatically requires their customers to set up a PIN when an account is opened.
- Verizon – Visit vzw.com/PIN or call (800) 922-0204.
- Always use good password hygiene. Regardless of account, choose a password that is unique, complex, and contains upper- and lower-case letters, numbers, and symbols. It is critical not to reuse passwords across multiple accounts. That way, if one account becomes compromised, then every account with that password can become compromised as well. For the best password security, use a password manager that creates and remembers random passwords.
- Consider alternatives to text two-factor authentication. For your most important accounts, like your online bank account, see if they allow other versions of two factor authentication such as a security key or or a third-party authenticator app like Authy.
- Be suspicious of emails or phone calls from people purporting to be from your bank. Remember, your bank will never ask you to enter confidential information in an email.
If, despite these steps, you become a victim you should:
- Act quickly! Notify your cellphone provider and report any fraud to your bank. Quick action can minimize the damage the scammer could inflict. Your cellphone provider can turn off your phone number and prevent scammers from using that number to bypass two-factor text authentication.
- Notifying your bank the moment you notice unauthorized charges or that you are at risk for fraudulent two-factor authentication can also minimize your liability.
- File a report at Fraud.org using their secure online complaint form. They will share your complaint with their network of law enforcement and consumer protection agencies who can investigate and help put fraudsters behind bars. Then make sure you file a police report at your local police.