What is phone account takeover fraud? Why it’s smart to protect your mobile phone number


This fraud happens when a scammer takes control of your wireless phone account and phone number. It can cause plenty of financial pain.

Has your mobile phone suddenly stopped working? Do you get an error message every time you try to make a phone call? Or maybe you've received a text from your phone provider stating that your phone number has been transferred to a new SIM card.

If so, you might be the victim of an online scam known as phone account takeover fraud.

This fraud happens when a scammer takes control of your wireless phone account and phone number. They can then use your number to make and receive phone calls and texts. They might be able to access your online bank accounts, credit card portals, email, or social media accounts, relying on the one-time PINs that many financial institutions and social media companies use to verify the identity of their customers.

Account takeovers, then, can cause you plenty of financial pain. Fortunately, there are steps you can take to protect yourself. And the first? Learning how these crimes occur.

What are the two types of account takeover fraud?

Here are the two types of account takeover fraud.

1. SIM swap fraud — how it works

Your phone's SIM card — that tiny piece of plastic that you inserted long ago into your smartphone — is important. It is a type of ID, allowing you to make phone calls and receive texts.

SIM swap fraud happens when a criminal contacts your cell phone provider and convinces it to assign your phone number to a new SIM card. The criminal can then insert that card into any other device, giving the thief the ability to make calls and receive texts using your phone number.

The criminal might also be able to use your number — and the access it gives him to your texts and, possibly, email messages — to gain access to your online financial and social media accounts. The con artist might then be able to drain your bank account or run up fraudulent online purchases with your credit card account.

Scammers will usually use passwords, tax file numbers, and other personal information that they've already tricked consumers into giving up. They might rely on phishing emails — emails supposedly sent by legitimate banks, credit card providers, and other companies but actually sent by scam artists — to steal this information.

2. Porting-out fraud — and how it works

Ever sign up with a new carrier for your smartphone but wanted to keep your current phone number? You can do this through what is known as porting a phone number, moving it to a new service plan with a new phone carrier.

Scammers armed with enough of your personal information can call a mobile phone provider and request that it ports — or moves — your phone number from your current provider. The scammer would then gain access to your phone number and could use it to reset the passwords or other credentials to your online financial accounts. You might not notice this scam has happened until you try to use your mobile phone and realize that you no longer have service.

How do scammers pull off this con? Once again, it's all about stealing your personal information. Scammers will try to trick you into giving up your tax file number, PINs, passwords, birth date, and address by sending fake emails that supposedly come from a legitimate financial institution. If criminals are able to steal enough of this information, they may be able to convince a customer service representative from a different service provider that it's you who is making the porting request.

How to protect yourself from account takeover scams

The key to protecting yourself both from SIM swap and porting-out scams? It’s all about protecting your personal and financial information. If scammers can’t get this, they won’t have enough information to persuade your mobile phone provider to assign your number to a new SIM card or port it to another phone.

How do you protect your personal information? It starts with recognizing phishing emails. These emails are the most common trick thieves use to steal your financial or personal information. They’ll send you an email that looks as if it is coming from a bank, lender, credit card company, or service provider such as Netflix or Amazon.

The message might say that your account is in danger of being shut down or warn that cybercriminals have hacked your bank account or credit card portal. To keep your account open, or to protect you from fraud, the messages say, you’ll need to click on a link to verify your identity.

Once you do this, you are taken to a new website, one that again looks like it belongs to a financial institution or service provider. This website asks you to provide key financial or personal information such as your tax file number, passwords, birthdate, address, or account numbers. Once you provide this information, thieves can use it to take control of your mobile phone number. And once thieves have this, they can read your texts and emails and, possibly, access your online bank accounts and run up fraudulent charges on your credit cards.

Fortunately, keeping this personal and financial information away from cybercriminals isn’t complicated. Just remember this rule: Never send sensitive information to an individual or company that suddenly contacts you through email. Companies will never ask for information such as your tax file number, passwords, or account numbers through email. If you get a message asking for this information, delete it. It’s a scam.

Be wary, too, when anyone texts or calls you asking for your tax file number, account numbers, or passwords. Legitimate companies or government agencies won’t ask for this information by phone or text.

If you’re worried that your bank or credit card company really is about to freeze your accounts or needs to verify your personal information, call its customer service number and ask if there are any problems. Most likely, the bank or credit card provider doesn’t need this information and, by calling that customer service number, you avoided giving your personal information to a con artist.

Finally, set up a PIN or password on your mobile phone account. This way, a criminal will need to know not only your personal information, but also this number to swap your phone number to a new device or SIM card. This could make it much more difficult for a scammer to complete an account takeover of your phone number.

What to do if you’ve been a victim of account takeover

But what if your mobile phone is no longer working and someone has stolen your number? First, contact the provider of your mobile service immediately. Your provider should be able to return your number to you. Be sure, too, to set a PIN with your mobile phone provider if you haven't already done so. This can help prevent thieves from stealing your phone number in the future.

Next, check your credit card, bank account, and other financial statements for any fraudulent charges or withdrawals. If cybercriminals have stolen enough information to nab your phone number, they might also have enough to break into your online financial accounts. If you notice any suspicious activity on these accounts, call your card provider or bank immediately.

Change the passwords to your financial and personal accounts. You'll need to protect these accounts and changing your passwords to more complex ones is a good way to start.

The bottom line on phone account takeover

Our mobile phones are important tools, connecting us to the world and our friends and family members. But they are also tempting targets for thieves. If your phone service suddenly stops working or if you receive a notice that your phone number has been switched to a new device? Take action immediately. The faster you react, the more likely you are to minimize the damage in an account takeover online scam.

Norton logo
  • Norton
Norton empowers people and families around the world to feel safer in their digital lives

Editorial note: Our articles provide educational information for you. Our offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about Cyber Safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses. The Norton and LifeLock brands are part of Gen Digital Inc. 


    Want more?

    Follow us for all the latest news, tips and updates.