For the purposes of helping others avoid the same fate, and with permission, here’s Lesley’s story…
On Wednesday Lesley received a text message from her mobile provider saying she’d changed her account password and then another saying the provider was sorry she was leaving them! Lesley immediately phoned to state she was not leaving them, nor had she changed her password.
They confirmed that someone posing as her had just been taken through their vetting process, was currently in the process of cancelling her account, and had been given her PAC number to pass to a new provider in order to retain the mobile number. Although the provider locked her account and reset the password, the number transfer had already been agreed. This number transfer would occur at 11am the next day.
Her phone provider sent a new SIM card and advised Lesley to contact her bank immediately.
Essentially, from what we gathered, the fraud happens thus:
- If someone is calling from a registered number with the bank, banks will use this as a secondary security measure to confirm someone’s ID, often not asking as many vetting questions.
- If you can’t remember your online banking password, the bank will send a text containing a secure code to the registered phone number (more usually a mobile), which you input in order to change the password and gain access.
- Criminals usually rely on phoning a customer, pretending to be from the bank, and asking them to read back the code sent to their phone.
- What happened to Lesley is an attempt to bypass the human element by taking over the registered phone number, so that the text is received directly on a phone in the criminals’ possession.
Lesley left work and went to her nearest bank branch.
The bank was initially unhelpful: “Since no fraudulent act has happened at the moment, we can only make a note to look out for it”.
However, once Lesley explained the activity which was likely to go ahead once the number transfer was complete, the assistant put her in touch with their fraud dept., who agreed to shut down all Lesley’s banking as a precaution. The fraud dept. explained that this type of fraud attempt has begun only in the past 2 weeks and has been aggressive while phone providers and banks look at ways to close it down.
On Thursday at 11am Lesley lost her number. Within the hour she received emails saying that her email password had been changed. Again, asking for a password reset triggers a coded text to a registered number. Lesley managed to regain her email pretty quickly (redirecting codes to a newly created email account) and remove her ‘old’ number from her original email account.
Even though there was no hint of activity in it, Lesley also tried to deregister her number from her Apple account. This proved virtually impossible without again sending a confirmation text to the original number, or replacing it with another mobile number (which she did not yet have). As a precaution Lesley removed payment method information in the meantime.
The phone provider is actively investigating a breach of their procedure and also of data. It transpires that, in a first attempt earlier on the Wednesday, the callers were correctly unable to prove they were Lesley, primarily because they were not calling from her phone number, and they failed to get any further. Disastrously, in a second attempt on the Wednesday, although still not calling from the correct phone number (so no material difference to the first time), they were passed as genuine. Someone is likely to have made a very grave error by not following due process.
Once Lesley’s ‘old’ number has been used on a provider’s platform, it is flagged as being used fraudulently and will be returned to Lesley. This can take between 5 and 30 days. Once it is back in Lesley’s possession, she will ask for it, and the data previously held on her, to be destroyed.
Currently Lesley can only use her bank accounts by going to branch with her passport and being given a secure line to the fraud dept. Once she has control of her phone number again, the bank can lift the shields and deregister the phone number. Lesley is also getting new bank cards (again, as a precaution).
Lesley now has a new mobile number and will be very careful about where she chooses to register it in future, as well as looking to direct bank and phone provider email into separate email accounts.
All in all – although it seems nothing but inconvenience has occurred – it was an extremely unsettling time and I dearly don’t wish it on anyone.