Friday, June 16, 2023

'Invisible robbers' stealing millions in phone porting scam labelled as 'terrifying'


In regional Victoria, it's not uncommon to lose phone reception.

Amid the chaos of school pick-up in Bridgewater in Central Victoria, this is what Claire Harrison thought was happening when her phone showed "SOS" instead of a signal on a Friday afternoon in May.  

She didn't realise it was the first sign she'd been hacked. 

"We did nothing wrong. We didn't click on a link, we didn't give our information to anyone, we just got everything stolen from us," she said. 

"It's like someone just walked into your house and took everything you own, like an invisible robber." 

Mobile porting fraud is where scammers — often criminal syndicates — gain control of a person's identity by having their mobile number ported to another device.

This gives criminals access to the person's personal information and finances. 

Hackers can take over your mobile phone number and access your bank accounts.

When Ms Harrison found herself suddenly without a phone, without cash and with a sick child who needed medication, her life turned upside down. 

"You actually struggle to breathe, you go into this state of shock," she said.

"When you don't have access to your banking, it's every degree of your life you can't control. 

"We're still dealing with the impact of it now."

'Horrific' privacy violation 

For 38-year-old Prue Milgate, losing control of her mobile phone and her life was a "horrific" experience. 

"I can't explain the level of trauma. You feel very violated," she said.

"They've taken over my iPhone, including photos of our daughter who passed away."

With a business degree majoring in finance, Ms Milgate considered herself technologically savvy. 

She acted quickly, recognising the unfamiliar "SOS" signal as a red flag, but only because she had recently heard about her friend's experience. 

"Because it happened to my friend I thought, 'This doesn't feel right'," she said.

Ms Milgate says others in her community were victims of fraud before she was targeted.

In less than an hour, the scammers took $70,000.

But she said temporarily losing the money wasn't the worst part of the experience. 

"They're forever going to have photos of my daughter ... photos no-one else should have," she said.

Hackers target regional businesses

The victims the ABC has spoken to have all been both Telstra and Bendigo Bank customers who are also small business owners. 

Authorities said the scam was widespread and did not favour one telecommunications company or bank. 

John Nalder runs a painting business in Bridgewater with his sons. 

He said four people in his family had their sims ported and bank accounts drained. 

"My son got done the night before, I was the next morning, then my other son," he said.

Mr Nalder has spent countless hours on the phone trying to protect his accounts from hackers.

Scammers took $3,500 in the first hit, then another $5,000 the next morning, despite Mr Nalder thinking the bank had locked the account. 

They swiped tens of thousands of dollars in total from the family. 

"The time that I've spent on the phone, trying to sort this out ... you can't put a cost to it," he said.

"More needs to be done. If they don't do it, sooner or later no-one will trust the banks or the telecommunications companies." 

Thousands of similar incidents 

Sim porting is a crime also classified as identity theft, which is ranked by Scamwatch as the third-most common scam this year. 

Almost 7,000 cases of identity theft were reported to Scamwatch in the first four months of this year, when Australians lost more than $5 million.

According to Scamwatch data, Australians lost $2.6 million to identity theft in April, an 87 per cent increase from March. 

The Australian Communications and Media Authority (ACMA) said these types of scams cost Australian victims an average of $28,000. 

Australians lose billions of dollars a year to scams.

IDCARE said in some cases, the black-market sale of identity documents enabled criminals to purchase enough personal details about an individual to port their sim to a new provider. 

Most people rely on two-factor authentication for password resets or identity verification. 

But the common practice of having a one-time code sent to your mobile phone number has enabled hackers to access thousands of people's personal information.

Once criminals receive SMS authentication codes sent by banks and other service providers, they can authorise online banking transfers or change account details without the victims' knowledge.   

Tougher legislation fails to prevent scam 

ACMA introduced mandatory rules for telcos in April 2020, aimed at preventing sim porting.

It required the companies to use robust multi-factor ID checks prior to transferring a number to a new service.

"Since introducing these rules, mobile porting fraud has significantly decreased by around 95 per cent," a spokesperson said.

"Unfortunately, ACMA is aware that in some limited cases scammers may circumvent telco ID processes."

Cybersecurity expert Ronnie Lowe said the measures did not go far enough and there was little people could do to avoid a sim porting attack.

"This is something we hear about every day of the week, from office staff to managing directors of nationwide corporations," he said.

"The crime syndicates are buying data leaks with a million users to attack as many people as they can.

"Even if you're only getting a 1 per cent success rate, if you've got a million users, that's 10,000 people's details you have.

"It's terrifying. There's no good news in this space." 

Limiting your exposure to risk

UNSW Canberra Cyber's Nigel Phair said tougher legislation and safeguards were needed to prevent the brazen fraud, but there was no easy fix. 

"I think cybercrime is a society-wide problem," he said.

"Individually we're responsible for the information we put out online. Organisations are responsible for the information they collect and governments at all tiers are responsible." 

Mr Lowe said there were some precautionary measures people could take, like taking their birthday off Facebook and limiting sharing of their personal mobile phone number. 

"Don't put your physical address on things when you're buying things online, get a PO box," Mr Lowe recommended. 

"When you're going to a website and entering your information, stop and think, 'What happens when this information gets leaked?'

"Not if — but when it happens."