PHOENIX - A Chandler family has become the latest victim of a sophisticated cybercrime known as "SIM swapping.”
It is a relatively new form of identity theft and fraud that allows hackers to gain access to your bank account, credit card numbers and other personal data.
It is tough to spot and even tougher to undo the resulting damage.
The couple, who asked to remain anonymous, first noticed something was wrong when their cell service was turned off. This was followed by an email notification letting them know their password had been "successfully changed."
After that, they kept getting more emails letting them know their bank password had changed, and that money had been successfully transferred from their account to a Venmo account.
Upon calling T-Mobile, their cell phone carrier, they were informed that someone pretending to be them had called earlier to transfer their cell phone number over to another SIM card. The person had enough information to convince the customer service representative that the caller was the account holder.
Once the crooks had successfully hijacked the victim's phone, they were able to get into bank accounts by hitting the "forgot password" link on the sign-in page. The bank would then text an authentication code to the number on file, which was now in control of the hacker. The hacker was then able to change the password and get into your account.
The victim said they got several emails notifying them that hundreds of dollars were being transferred from their account over to Venmo.
"As I'm on my phone my wife is yelling at me, ‘hey, I see Venmo payments going out, in real time.’ All this stuff is just flying out at you so there's really no time to think. You're really just trying to stop it at this point.”
Mike Lombardi, a digital forensics expert who owns Vertigrate, said he was hearing about more cases of SIM swapping.
"Basically SIM swapping is where someone steals your cell phone number and by doing so they can make and receive calls and text messages using the phone they have in their possession, and you can't make any calls," explained Lombardi.
"It's all about the path of least resistance and low hanging fruit for these guys," he added.
Thankfully this couple was able to catch the criminals in the act and freeze all of their accounts.
Cybersecurity experts said many thieves will hit victims during a long weekend like the one we just had, hoping people are on vacation, away from their phones and emails, and thus not able to catch what's going on until hours after they're done with the dirty deeds.
The victim who was aware of identity theft said this one was different -- it felt very well planned and methodical and he called it eye-opening.
"It just feels like it's not a matter of if you're going to be the next victim, it's when you're going to be the next victim."
In order to get information about you, cybersecurity experts said these crooks are laying the groundwork by collecting as much information about the victim as possible. Fraudsters might send phishing mail — messages that impersonate legitimate businesses like credit card companies and health insurers — intended to fool victims into forking over their legal names, dates of birth, addresses, and phone numbers. Unfortunately, many people can’t tell the difference between real emails and phishing emails. Alternatively, they might scrape public websites, social media, and data dumps from criminals who specialize in collecting personal data.
To prevent this, you can discuss adding extra security features to your account with your bank or cell phone carrier. You can download apps like the Google or Microsoft Authenticator (or search other authenticators in your app store) to intercept any authentication code text messages so they do not go into your text message folder.
Above all, in any case of identity theft acting fast is key. Report any suspicious activity to your bank immediately.
Here are some other ways carriers are helping protect their customers:
AT&T has “extra security,” a feature that requires you provide a passcode for any online or phone interactions with an AT&T customer representative. You can turn it on by logging into AT&T’s web dashboard or the myAT&T app.
Sprint asks customers to set a PIN and security questions when they establish service.
T-Mobile lets subscribers create a “care password,” which it’ll require when they contact T-Mobile customer service by phone. You can set one up by visiting a T-Mobile store or by calling customer
Verizon allows customers to set an account PIN, which they can do by editing their profile in their online account, calling customer service, or visiting a Verizon store.