It was February 2018 when Ms Leigh, in her 40s, picked up a call from an Australian mobile number.

In a voice she described as “really bubbly”, the caller uttered five simple words that seemed so innocuous: “Hey Kris, how are you?”

Ms Leigh replied instinctively: “I’m good, how are you?”

Then the line cut out.

Thinking the incident was weird and wondering who it could be, she got back to work. Minutes later, her phone lost connection and switched to “SOS only” mode meaning it couldn’t send or receive text messages or calls.

The photographer had become the victim of an elaborate ‘SIM swap’ scam which, unbeknown to her, had been a year in the making and would have repercussions for many more years to come.

“I was a victim of it four years ago and still today I’m dealing with the carnage,” she told news.com.au.

Stream your news live & on demand with Flash. From CNN International, Al Jazeera, Sky News, BBC World, CNBC & more. New to Flash? Try 1 month free. Offer ends 31 October, 2022 >

A SIM swap hack is when a cyber criminal ports – or re-routes – the victim’s mobile number onto their own phone, allowing them to intercept text messages and reset passwords to things like bank accounts.

In Ms Leigh’s case, they were able to do this by impersonating her to her telco provider, Aldi Mobile, then convinced the company to switch her SIM card over to an eSIM card.

Looking back, she remembers receiving a lot of random messages from people who were supposedly council workers in the year leading up to the hack.

“Before it happened, for a good 12 months I was getting calls, people wanting my postcode, doing a survey, ‘what street do you live in’ type thing, they kept building that picture over 12 months, they sounded Aussie as,” she said.

“They say they’re doing a survey for NSW City Council; I never suspected.”

It’s here that she believes they managed to gather enough information about her to assume her identity to her mobile phone carrier.

For most telco providers, a password is not necessary to change SIM cards – other information like date of birth, name and address can be enough to convince them you are a legitimate customer.

Ms Leigh believes the scammer – a female with a broad Australian accent – was ringing her up one final time with the “how are you” message to see if the phone porting had worked.

Once they had switched her SIM over to their phone, the hacker hijacked her bank account, including the credit card linked to her home loan account where her salary was deposited.

They racked up $7500 of debt in her name through PayPal at online shopping places such as Myer and the Iconic.

The fraudster also tried to intercept her tax refund in July that year worth thousands of dollars.

Her email address and Apple account – which included her iCloud – were also stolen in the cyber attack.

Once they got hold of her email, Ms Leigh’s nightmare got even worse.

“They set up a responder to anyone who emailed me, it sent a virus out, sent it out to everyone,” she said.

On top of that, they “batch downloaded” her email, meaning that even after she booted them out from the account, they had all her previous emails safely stored in their own device.

Systematically, they went through them one by one and “hit the jackpot”, she said.

For a previous job, Ms Leigh had sent through a photograph of her passport and driver’s licence to the HR team.

She had never deleted the email and the hacker got their hands on it.

With those official documents, the hacker was then able to create accounts in Ms Leigh’s name, including a mobile phone plan, in what was a major identity theft scheme.

“It makes your brain explode; it really frustrates me,” she said.

“I even have now got a lock on my tax file number so I have to contact the fraud department each time I want to do something with ATO to get a temporary bar lift.

“It drives me and the accountant mad.”

The hacker constantly changes the email attached to her main accounts even now, years later.

One time, out of frustration, she emailed the address they had tried to list, telling them to “f**k off”.

Every few months they will try again.

“Police were telling me to let the [phone] number go. I couldn’t because I had photography clients,” Ms Leigh said.

“I had to buy a new modem, I’ve now got subscriptions to certain password vaults, virus protection is constantly monitoring it, same with my laptop. I spent $1200 on an IT professional.”

Her partner at the time also fell victim to the security breach. They started getting random calls and lost some money in mysterious transactions, which caused them to break up with her in the end.

“It wasn’t exactly the best,” she said.

In 2020, two years after the initial cyber attack, the criminal even created a Deliveroo account that was billed to her.

Later that year, Ms Leigh also noticed some strange charges to her credit card. When she was in Bondi, she had supposedly spent $280 on a single purchase.

After checking the name of the store, she discovered it did not exist. The hacker was tracking her in real time and so had hoped she wouldn’t think anything of the outgoing transaction because it was in the same location where she had been.

“There’s a couple of hours a week I spend checking my emails, checking the legitimacy of stuff, it’s extremely time consuming,” she said.

“And it frustrates my work too, how much time I spend doing it.”

Her details have also been sold on the dark web.

Four years later, Ms Leigh’s details are still being shared online among other scammers.

“I get alerts, I’ve got an online password manager that banks use. It gives me web monitoring,” she said.

“I got a message two days ago saying my name and email address has been sold on the dark web.”

She also has an alert system set up if anyone tries to touch her credit rating report.

When speaking to news.com.au, she revealed that the same day she had already been called by scammers from Turkey, Iran, New Zealand and California.

Ms Leigh said there’s one thing “that keeps getting me”.

The scammers will call her on a number that is the same as her own, but with one digit different.

More Coverage

List that cost woman $37,000

Alex Turner-Cohen

Chilling discovery in Melbourne Apple store

Alex Turner-Cohen

“Because it’s familiar they’re hoping I’ll pick up,” she said.

Ms Leigh recovered all her money from the bank but the culprit has never been caught, allowing them to continue to wreak havoc on her life.

Have a similar story? Continue the conversation | alex.turner-cohen@news.com.au | @AlexTurnerCohen