Telephone numbers stolen by port-out fraudsters
Fraudsters are taking control of victim’s telephone numbers by porting them to SIM cards under their control. They then use the numbers to access the victims’ bank accounts.
This increase in incidents corresponds with the timing of TSB’s computer system update. This resulted in 1.9 million users being locked out of their accounts.
Opportunistic fraudsters are using TSB’s system issue to target individuals. There has also been an increase in phishing and smishing communications targeting TSB customers.
Victims’ bank account and personal details including their phone number are collected by the fraudster. Giving them with the information to execute the fraud.
Porting is used to change networks
Number porting is a genuine service provided by telecommunication companies. It allows customers to keep their existing phone number and transfer it to a new SIM card.
The existing network provider sends the customer a Port Authorisation Code (PAC). This is presented to the new provider to allow the number to be transferred across. This service can be abused by fraudsters.
To gain control of the victim’s phone number, fraudsters convince the victim’s mobile phone network provider to swap their number on to a SIM card in the fraudster’s control.
Once the fraudster has control of the number they are able to intercept the victims’ text messages, allowing them to use services linked to the victim’s phone number.
Such as requesting an online banking password reset or access to any two factor authentication services.
One victim dismissed text messages they received from their network provider containing a PAC number.
Two days later £6,000 was removed from the victim’s TSB current account. The victim subsequently contacted their phone provider. It said that someone contacted the provider purporting to be the victim and had cancelled their contract and transferred their number to a new SIM. This action allowed the banking fraud to take place.
How to protect yourself:
PAC Code notifications
If you receive an unsolicited notification about a PAC Code request, contact your network provider immediately to terminate the request. Also notify your bank about your phone number being compromised.
Clicking on links/files
Don’t be tricked into giving a fraudster access to your personal or financial details. Never automatically click on a link in an unexpected email or text.
Criminals can spoof the phone numbers and email addresses of companies you know and trust, such as your bank.
Requests to move money
A genuine bank or organisation will never contact you out of the blue to ask for your PIN, full password or to move money to another account.
Port-out Fraud versus SIM Swapping
Port-out fraud is often incorrectly referred to as SIM swap fraud. SIM swap fraud works in a similar fashion, but instead of porting the victim’s number to a new network provider, the fraudster impersonates the victim and requests a new SIM card. Once they have access to the new sim, they have access to the number.
ActionFraud is the UK’s national fraud and cyber crime reporting centre.