Advertisement

Police warning of new slate of phone scams

WATCH: Police across North America are warning phone users of a dangerous new scam called "SIM card swapping." Mike Drolet explains what it is, and the dangerous mistakes both carriers and customers make that can make things easier for criminals.

Denise Hole thinks of her cellphone as the lifeline to her family.

She has two boys with autism that she needs to stay connected to. If there’s an emergency or they need to reach out to calm their anxiety, Hole has always been able to pick up the phone.

“It’s probably more important than my home phone,” she tells Global News.

But last week she checked her phone only to discover it would no longer connect. Thinking the worst, she panicked. She called Rogers to find out what had happened, only to be told that she had ported, or moved, her phone number over to Bell Canada.

Except she’d done no such thing. After hours of investigating, she was told she was the victim of a scam called “unauthorized porting.”

Story continues below advertisement
Police are receiving multiple complaints about new phone scam
Police are receiving multiple complaints about new phone scam

In the time she had lost control of her phone, the culprit had downloaded email and banking apps and had tried to reset passwords.

“I had logins from all sorts of countries,” she says. “Phillippines, Argentina…. “

She scrambled to change her passwords, praying she got it done before any real theft could occur.

“I tried to stay ahead of it, at least I hope I did,” she says.

Unauthorized porting is similar to another scam the Ontario Provincial Police warned consumers about this week: SIM swapping. Both involve a third party convincing a call centre employee that they’re you. In SIM swapping, the victim’s information is transferred to the criminal’s SIM card. The only difference with unauthorized porting is that the phone number is moved to another carrier.

READ MORE: With ‘spike’ in spoofed phone calls, telecom companies prepare to implement solutions

Once the fraudster has control of the phone, email and banking apps are downloaded and password reset requests are sent out. From there, they can gain access to personal and financial information.

“It’s shaken people because we’ve told people that you can be more secure by adding a PIN or by using your phone number for a verification code for your bank or for other services,” says Herjavec Group COO Ira Goldstein. “And now that verification call code — the thing that we’ve told people will make them more secure — is in itself insecure.”

Story continues below advertisement

Hole had a PIN that she says even her husband didn’t know, yet someone else was still able to get control of her account.

The Canadian Wireless Telecommunications Association told Global News it is constantly speaking to carriers about fraud.

“From an industry perspective, our members take their customers’ privacy and security very seriously,” the CWTA said.

READ MORE: Study says cellphone radiation not hazardous to your health, unless you’re a male rat

But there is a glaring hole in the system. When the Canadian Radio-television and Telecommunications Commission mandated that carriers allow customers to port their phone numbers when they switch cell phone providers, it inadvertently made it easier for fraudsters to gain access to customers’ accounts. On the CWTA website, consumers are told they only need to provide a phone number and account number to verify identity, both easily accessible to fraudsters.

“I think the wireless carriers have a problem,” says Goldstein. “Consumers have a problem really fundamentally. And the question is, who is going to solve the problem? I really think this comes down to an ecosystem of carriers that provide phone service to people and they need to ensure that that ecosystem is secure.”

PIN numbers and security measures only work if they’re used, says Goldstein. And even then, human error and fraud still occur.  He says the only real way to ensure security is through biometrics because a fraudster might be able to guess a password, but facial recognition and fingerprints are unique.

Story continues below advertisement