Scam victims speak out as government cracks down on terrifying phone hack

An Aussie doctor was about to go on a two week holiday with her family — but then she noticed an unusual transaction in her bank account.

Alex Turner-Cohen

@AlexTurnerCohen

5 min read

April 11, 2022 - 7:49PM

Catfishing, online fraud and identity theft on the rise

Costs

Don't miss out on the headlines from Costs. Followed categories will be added to My News.

Several months ago Christine’s* worst fears were realised when she received an alert from a meal delivery company saying she’d spent $79 on coke, burgers, southern fried chicken tenders, buffalo wings and garlic bread.

The problem was, the NSW-based doctor never made the order.

Just hours earlier her phone had stopped receiving calls or texts and its signal had switched to ‘SOS only’ mode.

Turned out she had been SIM swapped, where a scammer had remotely gained control of her phone by impersonating her to her telco provider and asking for an eSIM card.

This meant the cyber criminal could then get into all her logins, including her bank, social media, emails and even food delivery accounts, by sending a password reset and intercepting the text message.

Christine lost $200 after the hacker made a small transfer from her bank but is certain all the information they managed to acquire about her has been sold on the dark web.

“The whole hack experience made me feel very vulnerable and unsafe, the whole structure of who I am, that was being taken away,” the healthcare professional told news.com.au.

It comes as the telecommunications watchdog has cracked down on telco providers for allowing SIM swap scams to occur.

Currently, some phone companies like Optus only requires the customer’s full name, date of birth, phone number and address before authorising a SIM swap.

The Australian Communications and Media Authority (ACMA) announced new rules on Friday, warning that legal action will be taken against telco organisations if they’re not followed.

Stream your news live & on demand with Flash. From CNN International, Al Jazeera, Sky News, BBC World, CNBC & more. New to Flash? Try 1 month free. Offer ends 31 October, 2022 >

A fast food order signalled to Christine that something was seriously wrong. File photo of a similar fast food order.

Christine is unsure how the hackers got the amount of personal details needed to impersonate her, however she suspects an important letter was stolen out of the mail.

She knew something was wrong when she began receiving messages from her telco provider saying her contact details had been changed.

“I remember I was on the phone when I was getting these text messages,” she said. “I thought I’d deal with it when I get home, which was a bad mistake.”

The doctor is usually on-call for medical emergencies and by a stroke of good luck she soon went on leave, as no patients’ lives were ever at risk during the hack.

But it took her two whole weeks to deal with the carnage the hackers had wreaked and she was unable to go on a family holiday as a result.

Her phone switched to SOS only mode after hackers ported her mobile number.

Her friend called her phone number and spoke briefly to a woman on the other end, before being passed onto a man, who hung up the phone. At the time the friend was confused but in hindsight realised they had been speaking directly to the hackers.

Christine’s phone company also informed her that a woman had rung up pretending to be her requesting for an eSIM card.

“I know that they’re real humans. These people who did this are not nice people,” she said.

In another disturbing twist, she added: “A number of SIM cards were delivered to my home address.

“I assume they [the hackers] had requested additional SIM cards. They might have been outside my place ready to pick it up.”

She suspects the same for the food delivery order.

If Christine had been on call when the hackers took her phone, it could have endangered her patients’ lives.

“I am concerned now, this is going to worry me for the next five or 10 years. I’m afraid,” Christine said.

“That’s quite profound actually. We live in a world where you are your mobile number, you are your Medicare number, this is something really personal, it’s quite unsettling.”

To make matters more frustrating, Christine knows it would be easy to catch the hackers who have made her life a misery.

“When I got access to my emails I could see the IP address [they used],” she explained.

“On my telco phone bill, the location is available. We have the suburb where this is happening, their names, it should be possible to find these people.”

However, the police refused to take a victim statement from her and instead she reported it to the Australian Cyber Security Centre (ACSC), who have no special enforcing powers.

Christine and Ally are both NSW health workers who were targeted by SIM swap hackers. Picture: Jenny Evans/Getty Images

Christine isn’t the only medical professional worker who had her life turned upside down by SIM swap hackers.

Ally*, a NSW Health worker, has been compromised since May last year after her SIM was swapped for an eSIM by cyber criminals.

This was especially a problem for her because as a healthcare worker, she needed to constantly access her vaccination certificate, when vaccine mandates came into effect following the delta surge of Covid-19.

“I have been through numerous phones, two SIM cards and spent $880 on professional IT support to no avail,” Ally told news.com.au.

“My SIM cards were purchased through Telstra. I have not been reimbursed in anyway since they stated the fault was with the iPhone.

“I have been through two iPhones, sold these and now am undergoing similar problems with a Samsung phone.

“I placed a credit ban when I noticed that my emails and alarm notifications were being intercepted.”

She even noticed a small $20 direct debit transaction had been sent to the government of Canada.

“My phone continuously locks my account stating I have given the wrong pass code, I am required to reset it very often and this has resulted in complete erasure of my apps, contacts, emails and photos,” she added.

“Keeping track of my finances has become a challenge.”

MEDIA RELEASE: New rules for telcos introduced by the ACMA will help protect consumers from SIM-swap scams. ðŸ“±
Read more: https://t.co/ErzqZ3xYNc pic.twitter.com/chxQjJV7IT
— ACMA (@acmadotgov) April 7, 2022

On Friday, the ACMA announced that phone companies will need stronger customer identity checks for “high-risk transactions” like SIM swaps or account changes.

The new requirements, called the Telecommunications Service Provider (Customer Identity Authentication) Determination 2022, will come into effect at the end of June.

Under the new guidelines, the ACMA can punish telcos who breach the rules, including by taking them to court.

An Australian SIM swap victim will on average lose a whopping $28,000 to hackers, according to the ACMA.

Earlier this year, news.com.au reported on a Sydney family who lost $37,000 to an elaborate SIM swap hack.

And news.com.au knows of one person who lost $52,000 and another who had millions of credit card debt racked up in their name.

“SIM swap scams can cause a lot of harm as scammers take control of your phone number and then use that to gain access to your online banking accounts,” Chair of the ACMA’s Scam Taskforce Fiona Cameron said.

“These new rules require multi-factor authentication of your identity such as confirming personal information and responding with a one-time code consistent with how other essential services like banking operate.

“We expect these rules will go a long way to stamping out unauthorised transactions like SIM-swap fraud and improve safeguards for telco customers.”

*Names withheld over privacy concerns

Have a similar story? Continue the conversation | alex.turner-cohen@news.com.au | @AlexTurnerCohen