Key Points:

·      Black Friday scams make headlines every year. The reality is, over the past decade, the number of Black Friday scams reported to IDCARE has been comparatively low.

·      This holiday season, you are far more likely to be impacted by an unauthorised mobile phone port or SIM swap.

·      Reports of phone porting/ SIM swapping to IDCARE have nearly doubled since May, with approximately 100 cases reported a month.

·      With your phone number,criminals may gain access to the two-factor authentication codes, one-time passwords and password resets that protect access to your financial accounts,emails and government services.

·      Most clients do not know how or why this happened. It could be from criminals accessing breached data on the dark net or just really poor identity verification controls.

·      IDCARE is calling on the telecommunications industry to not just message customers that they are sorry to see them leave when a Port has been initiated, but to request that they positively confirm the request. It would be no different than a doctor or dentist texting a patient to ask them to confirm that they have booked an appointment with a ‘Y’ or a ‘N’. No confirmation, no appointment!

Rockhampton’s Joshua Kapernick is scam aware and watches out for any Black Friday fake selling opportunities that may be circulating.

However, the cyber incident that hit him, his family and their accounts hardest was not a scam and had nothing to do with online shopping.

Josh came home from his shift working job, went to sleep, and woke up to find his mobile phone was on “SOS”.

He discovered a text message from his telco – his mobile number had been ported to another service and his email had been changed.

With no landline service, Josh was unable to contact his telco to find what was going on. When he finally got to work and could use a phone, his telco said he had phoned them earlier in the day to request his mobile phone number be ported to another service.

And then, on the same day, his wife also received a message her number had been transferred.

Joshua and his wife were the victims of unauthorised mobile phone ports. They had done nothing wrong to enable this, hadn’t clicked on any links or had a conversation with someone over the phone.

Most likely, the criminals had obtained their information over the dark net from one of the multiple data breaches which impacted Australians in the last couple of years.

The criminals had also gained access to their emails and had attempted to drain funds from three of their bank accounts. Two were blocked immediately, but $28,000 was transferred out of one offset account.

Their Qantas Frequent Flyer points were also cashed in for gift cards and his Uber account was also used.

The criminals systematically went through anything they could to try and leverage for financial gains.

“It was a complete, professional systematic approach on the attack,” Josh said.

“They knew exactly what to do.”

Josh and his wife spent hours on the phone trying to resolve the multiple issues that developed from the mobile phone port – and also to understand how it was authorised.

His telco admitted the voice of the person pretending to be him sounded AI-generated. There were significant pauses between answers to questions and the voice sounded artificial.

Yet the port was authorised as the person had “sufficient information”.

Josh and his wife are not alone. IDCARE analysts have detected a nearly 100% increase in reports of mobile phone porting or SIM swapping since May.

While Josh and his wife were able to get their funds reimbursed, they have not yet had their Qantas points refunded, and nothing can ever compensate them for the number of hours and stress fixing this problem has caused.

The Australian Government introduced legislation in 2020 to make it harder for unauthorised mobile phone ports or SIM swaps. Criminals are finding their ways around this.

IDCARE is calling on the telecommunications industry to increase its authentication practices to prevent unauthorised porting or SIM swapping.

IDCARE’s Managing Director, Dr David Lacey, said mobile phone numbers were attractive targets for criminals and the telecommunications industry had a responsibility to prevent unauthorised porting or SIM swapping.

“When you consider how many two-factor authentication codes or one-time PINS are shared via text, you can understand the harm that is caused when a criminal gains control of these. Too often community members receive the message from their telco to say they are sorry to see them leave, but push forward on the request without getting a firm ‘Yes’ or ‘No’ from the customer to proceed. This would knock a lot of this out,” he said.

If you are not harmed enough from losing access to your mobile, you almost certainly will be by the response.

“People who experience having their mobile phone number shifted to another service that criminals control are spending days and weeks trying to recover from the harm that is caused. Imagine watching crime unfold in real-time in your name and one of the key means of trying to stop it has just been disconnected.

“We often find that along with an unauthorised SIM-swap or port, community members often find their email account has been accessed and funds transferred out of their bank accounts. This is the typical ‘ham cheese and tomato’ of offending with these crimes.”

Dr Lacey said while it was always important to be mindful of online shopping scams, particularly those that take advantage of shopping trends like Black Friday, IDCARE analysts had not detected a spike in online shopping reports associated with Black Friday in previous years.

Media Contacts:

Kathy Sundstrom

0424486115

kathy@idcare.org

‍

Check out our latest video on the upcoming Cyberstorm that is Black Friday:

https://fb.watch/v_k4SENM57/

‍