At least 17 sets of Year 12 parents from an eastern suburbs high school have fallen victim to a sophisticated ‘SIM swap’ hack leaving them collectively hundreds of thousands of dollars out of pocket.

Sophia* thinks the “mess” started when a fraudster got hold of a class list sent around to parents which contained all their names and contact details.

“We believe that in our group a school class list was obtained through hacking an email account,” Sophia told news.com.au.

“The group of hackers then methodically worked through names on the list.”

Using the personal information they had acquired, the hacker was then able to hijack the phones of some of the parents.

They remotely gained control of parents’ mobile phone numbers by convincing their telco provider Optus to switch their SIM card over to an eSIM card.

This meant the hacker could then get into parents’ bank accounts by sending a password reset and intercepting the text message.

Sophia’s family lost a whopping $37,000 and nearly lost tens of thousands more in subsequent hacking attempts.

Question that changed Sophia’s life

Back in June last year, Sophia, her husband and her Year 12 son we working from home due to Covid-19 concerns when something strange happened.

“My husband was upstairs in our home office, it was quite late in the afternoon,” Sophia recalled.

“He was in a meeting [and] while he’s on this call, he called out to me ‘Did you do something with Optus? Something’s wrong with my phone.’”

His phone had changed to “SOS only” mode, indicating it had lost signal and was unable to make calls.

“He got this message which was something to do with a change to do with our bank, which is where our mortgage offset [account] is,” Sophia continued.

“We start thinking ‘oh sh*t’.”

Sophia jumped on her own phone, which was still working perfectly, while her husband borrowed their son’s phone.

In the meantime their son jumped on his computer to message his friends as he had heard this happening to some of their parents. Everyone who fell victim at the school was an Optus customer.

For an excruciating 40 minutes, Sophia called Optus while her husband was waiting for the bank to pick up.

“We were starting to get very stressed, my husband is getting notifications from the bank,” Sophia continued.

“He couldn’t log in but got an email about the contact details being changed.”

Unfortunately, by the time they got to the front of the queue for their phone provider and their bank, it was after business hours.

“The problem is both of them took so long to answer their phones, it was well over 40 minutes before we got to speak to a human,” Sophia explained. “It was probably a two-hour conversation.”

In the space of just 30 minutes, the hacker made 15 outgoing transactions, taking $37,000 out of their mortgage offset account.

They also tried to steal a further $15,000 attached to the family’s business bank account, held at another bank, but this attempt was blocked by automatic security protocols.

Sophia also aborted an attempt to rack up debt through their PayPal account by changing the password before the hackers could.

Have a similar story? Continue the conversation | alex.turner-cohen@news.com.au

Their primary bank informed the family they wouldn’t be able to do anything until the following morning because the fraud team had gone home for the day.

“They [the bank] were hopeful that first thing in the morning, someone in the morning could contact all the destination banks and prevent the transactions from going through,” Sophia said.

But the next day, all the money was gone.

“Our major organisations, banks and telecommunications companies, failed so badly at protecting the customers’ interest,” she continued.

“It makes you feel ... like you’ve been left to the wolves.”

It was only because of months of “constant pressure” that Sophia was able to get the bank to recover their funds.

She estimates she and her husband’s financial losses were higher than $37,000 because of the hundreds of hours they spent securing their accounts and chasing up their money.

They know of other parents in their son’s school year group who lost much more and haven’t yet been reimbursed.

Disturbing trend

When the group of 34 parents got together and compared notes, they soon noticed a disturbing trend.

Rather than being based overseas, the hacker is a homegrown criminal, who, like them, is located in Sydney.

“Some of us obtained phone records showing location of calls made that matched,” Sophia said.

“There was an additional mobile number added to our account.

“It was an Australian mobile number, we know the location of where these calls were made from — it’s Parramatta.”

The parents all lodged a police report and an investigation is still underway, eight months later.

“Officers attached to Eastern Suburbs Police Area Command have commenced an investigation after receiving reports about a possible phone scam,” NSW Police said in a statement to news.com.au.

“Inquiries are ongoing and no further information is available at this time.

In the past Optus has only required the name, phone number and date of birth of the customer to carry out an eSIM transfer.

In Sophia’s case, her husband’s name and phone number were on the leaked class contact list but not his birthday.

What’s more, the phone number was attached to his business, causing the family to wonder how the hacker paired his phone number with the family business instead of his own name.

“It’s in a business name, not a personal name. It’s not even our publicly known business name,” she added.

“It’s not information that is in front of you, you have to go a few steps to find it.”

Sophia demanded answers and compensation from Optus but claims she hit a brick wall.

She claims Optus refused to provide her with call logs of the conversation that occurred between the hacker and the staff member who granted the eSIM card.

They also did not compensate the couple, but did allow them to end their contract and change providers without financial penalty.

The couple lodged an investigation with the Telecommunications Industry Ombudsman, but the investigation stopped once they were no longer customers at Optus.

In a statement to news.com.au, an Optus spokesperson said: “The Telecommunications Industry Ombudsman, [the customer] and Optus resolved the issue with all parties reaching an agreememt.”

They added: “Unfortunately, identity theft continues to be an economy wide issue which opens the doors for fraudsters to access innocent Australian’s services in ways that can have real harm to them.

“Optus, along with the wider telco industry is working to enhance existing protocols and controls to reduce unauthorised access to customers’ accounts and services.

“Optus takes customer security and data very seriously, we encourage customers to regularly change their passwords, not re-use passwords and protect their personal information vigilantly.”

All faith in humanity lost

Sophia also forked out cash for IT specialists to come to her home at the height of Sydney’s 106-day lockdown to check for spyware on their devices.

Luckily, the search came up clean.

After the ordeal, “we have no faith,” Sophia admitted.

“We do have additional security now.

“We also have books of passwords hidden in the house, everything has a different password, nothing is connected.”

Name* withheld over privacy concerns.

alex.turner-cohen@news.com.au

More Coverage

‘Creepy’ text sets off alarm bells

Alex Turner-Cohen

‘Screwed’: Family ‘devastated’ by phone hack

Alex Turner-Cohen

Originally published as Sydney couple lose $37k after leaked class list exposes them to scammers