What’s your most important financial number? Is it your Social Security number? The number on your bank account?
How about your mobile phone number?
Text messages are often used by banks, businesses and payment services to verify your identity when you request updates to your account. Savvy scammers know that by hijacking your mobile phone number they can assume your identity, intercept security protocols sent to your phone, and gain access to your financial and social media accounts.
The Porting-Out Scam: How It’s Done
One way to hijack your phone number is through a porting-out scam. Mobile phone numbers can legally be ported from one provider to the next when you switch your phone service. Phone companies have established safeguards to protect this process, such as having account holders set up a PIN or a password they must provide when calling about their account. But scammers with enough of your personal information can interfere, hijacking your phone number and with it your identity.
Scammers go after their target’s personal information, such as their name, address, birth date, PINs or passwords, and the last four digits of their Social Security number. Scammers may try to get this information by calling their target and impersonating a trusted business or institution, then asking a series of questions to gather as much data as possible. In some cases, the information may already be stolen and available on the dark web.
When scammers initiate a porting request, they con the victim’s phone company into believing the request is from the authorized account holder. If the scam is successful, the phone number will be ported to a different mobile device or service account set up by the scammer. This typically begins a race where the scammer, by receiving the victim’s private texts and calls, tries to reset the access credentials for as many of the victim’s financial and social media accounts as possible before the victim realizes they have lost service on their device. Once the scammer has access, they attempt to drain the victim’s bank accounts. In another variation, they attempt to sell or ransom back to the victim access to their social media accounts.
How to Protect Yourself
- Be Proactive: If you don’t already have a PIN or a password to verify your identity when calling about your account, contact your phone company and ask about adding one.
- Stay Vigilant: Enable both email and text notifications for financial and other important accounts. If you receive notice that changes to your account have been made without your knowledge, contact the business holding that account immediately to let them know that you didn’t authorize a change.
- Don’t Respond: If someone calls or texts you and asks for personal information, do not provide it. If the caller claims to be from a business you are familiar with, hang up and call that business using a number you trust, such as the number on your bill, in a phone book or on the company’s website.
- Don’t overshare: Guard personal details that can be used to verify your identity – such as the last four digits of your Social Security number, your phone number, your date of birth, the make and model of your car, your pet’s name, or your mother’s maiden name. And keep that information off social media.
Typically, loss of service on your device – your phone going dark or only allowing 911 calls – is the first sign this has happened. If you suspect you have been a victim of a porting-out scam, take immediate action:
- Contact your phone company
- Contact your bank and other financial institutions
- File a police report
- Place a fraud alert on your credit reports and get copies of your report
The following consumer resources offer more information about porting-out scams:
File a complaint
If you feel you’re the victim of a porting-out scam, file a complaint with the FCC for free. The FCC Complaint Center FAQ has more information about the agency’s informal complaint process. You can also file complaints about identity theft and consumer fraud with the FTC.