It began with a couple of unusual, but not obviously sinister, text messages from a telco which I dismissed as simply a case of mistaken identity.
It culminated in several thousand dollars being removed from my bank account, which I then knew to be a case of identity theft.
At the heart of this scam is the illegal porting (or transferring) of mobile phone numbers. Essentially, the fraudsters gather enough personal information about you to enable them to convince a telco that they are you, and then request your number to be ported to them.
The mobile phone number allows them to obtain crucial second-stage verifications, that is, the netcodes and PINs often required as additional security for internet banking or online music marketplaces, for example.
My saga began in late February when I received two text messages from telco amaysim advising me that my number was to be ported to them, which I dismissed as an error, perhaps the result of a transposed or wrongly entered number.
When I received similar messages from Telstra this week, though, I grew suspicious, as these came a day after a call from my bank to follow up on my supposed online application for a personal loan account.
Not only had I never applied for a personal loan, but had not even logged on to internet banking account that day, I told them.
Soon after I received the porting advice text messages from Telstra, I smelled a rat and so logged on to my bank account to find someone had transferred $3000 from my savings account into another account bearing my name.
I immediately called the bank which – to its credit – took the matter seriously and blocked both my and my namesake recipient’s account. The bank assures me I should get my money back.
Having resolved the issue of the stolen money, I thought the matter was largely over. After calls to cyber security experts the following day, however, I learned that this was just the beginning of a long and frustrating journey.
The tip of an iceberg
Professor Dave Lacey, of non-for-profit cyber support service IDCare, says most fraud begins with the compromising of a victim’s email account, with driver licence or passport information being the most common, and lucrative, nuggets of information for scammers.
“The common point of truth in these scams is the email,” Prof Lacey says. “And in most cases it’s the driver licence number people are after.”
But detecting the scam and resolving financial losses associated with it are just the beginning of a long journey for victims.
“According to our ‘aftermath report’, victims will spend an average of 27.5 [non-consecutive] hours responding to the problem, engaging with 8.2 different organisations and have to make 19.2 contacts as a result,” Professor Lacey says.
Not only must victims contact their financial institutions to block accounts and telcos to stop the porting, but should also demand from those institutions all the personal information the fraudster has used.
As a breach can also seriously tarnish a victim’s credit rating, Prof Lacey suggests reporting the matter to police and the Australian Cybercrime Online Reporting Network (ACORN) to provide proof of the crime.
This then allows victims to ask credit rating agencies to freeze access to their credit files, giving them 21 days to try to mop up any damage.
Detective Inspector Matt Craft, of the NSW Police Financial Crimes Squad, says he first encountered phone porting in 2015, but has “seen exponential growth in 2016 and 2017”.
“Within the next 12 months, we are expecting a two, to three-fold increase,” Detective Inspector Craft says.
The cost of phone porting is difficult to estimate, as it is an under-reported crime, but he estimates in the last six months alone it has cost consumers about $10 million in “actual fraud”. That is, excluding money either recovered or not reported.
Detective Inspector Craft says phone porting is closely linked to organised crime and, while it’s a national problem, NSW has emerged as the epicentre.
The worst case he has witnessed was a consumer stripped of “hundreds of thousands of dollars” as they were targeted on the day of a major property settlement.
While most banks have instituted technology to identify illegal porting and are quite “agile” in detecting it, the telcos have much work to do to stem the problem.
“The key to this is greater vigilance and security [by the telcos] … to properly identify people who are porting their numbers,” he says.
Detective Inspector Craft says consumers who detect any suspicious activity should report it immediately to the telco, and he recommends having “multiple passwords using upper and lower case letters and all different”.
If you think you’ve been a victim of identity theft, contact IDCare on 1300 432 273 or visit www.idcare.org/learning-centre