Freedom Mobile Customer Loses $166,000 in SIM Swap Scam
SIM swap scams are probably the scariest thing that can happen to anyone. Fraudsters trick a wireless carrier into transferring a victim’s number to a SIM card they control, usually at a different wireless carrier. Control of the number can then give them unauthorized access to a victim’s entire life, including bank accounts.
This is exactly what happened to Wayne and Diana Stork of the Greater Toronto Area, when they fell victim to a SIM swap scam and lost $140,000. The couple are Freedom Mobile customers, and last fall fraudsters were able to trick employees at a retail location into moving Wayne’s number to a new SIM card, giving them control of it.
Speaking to Global News, Diana said, “We’re doing this, in part, to get the word out,” noting the whole process so far has been a “nightmare.”
Last September, Wayne’s phone suddenly stopped working, went into SOS mode and was deactivated, he said. He was unable to use his phone as someone else had the personal info tied to his device.
“He (Wayne) was watching his accounts drain of money, that’s when the panic set in,” Diana said. Over the next 24 hours, fraudsters had access to Wayne’s brokerage trading account and more, including one crypto account at Coinbase with Bitcoin from an inheritance—which was emptied.
“The Bitcoin was worth $140,000, and we lost that,” Diana said. “That’s our retirement, that’s our money,” said Wayne.
After reaching out to Freedom Mobile, customer service said someone claiming to be Wayne got a new SIM card at a retail store in Toronto. Stork said the employee asked, “weren’t you in the store yesterday to get a new SIM card?”
The worst part about SIM swap scams is that fraudsters have full access to your phone number and receive your 2-factor security codes. This extra layer of security is meant to protect your email and bank accounts, for example. But once scammers have full control of your number, they get the codes too. Game over.
Stork reported the fraud to police, but by the time Freedom Mobile took action, the damage was done. He lost $5,500 from a CIBC trading account, along with a TFSA account with $15,100. Shares in a Canadian Western bank worth over $6,000 were also lost.
Wealthsimple ended up reimbursing Stork for funds lost as the company said he was not at fault.
In the six months since he fell victim to the SIM swap, Freedom Mobile has not provided compensation, said Wayne.
Freedom Mobile told Global News, “we can confirm that we have been in contact with the customer to resolve the issue.”
The Canadian Telecommunications Association says from October 2020 to May 2021, after carriers added new security measures, there was a 95% drop in the “total number of unauthorized number transfers and SIM swaps.” But it’s clear something wasn’t in place for Wayne’s case.
John Lawford, executive director of the Ottawa-based Public Interest Advocacy Centre, said there should be penalties in the regulatory system when SIM swaps happen. “In Australia it’s the equivalent of (a penalty of) $200,000 per incident of SIM swapping,” said Lawford. Maybe Canada and the CRTC should really step up here and follow suit. Wireless carriers will really lock down SIM swaps once they are penalized each time one happens.
Lawford also says telecoms won’t divulge how many customers were victims of fraud in the last year, despite claiming to the CRTC cases of scams are down.
SIM swap scams have been happening for years now, dating back over five years at least when they were surging out of control. It’s incredible that it can still happen today.
How to prevent being a victim of a SIM swap? For starters, don’t share your entire life on social media such as your birthday and other personal info. CBC News was able to bypass Rogers security in their own test just by using information on a staffer found online back in 2019.
Fraudsters use your personal info to trick retail employees, claiming to be you. Never share 2-factor codes with anyone by phone or text message if they are reaching out to you claiming to be from a company. Just hang up and call the company back to confirm whether they are actually trying to reach you. Also, use an app to get 2-factor codes instead of text messages.

Pretty simple lesson here: don’t store your life savings in Coinbase craptocurrency.
That’s not at all the lesson here but ok. The victim had funds pulled from several institutions.
Wealthsimple (the $15,000 TFSA) gave him his money back. So he’s only out $5K from CIBC and $140K from Coinbase. Honestly this guy is probably dumb for many reasons but Crapto is the biggest one. Also maybe don’t set your password to “password”.
My thoughts exactly, even if they had the 2 factor codes how did they get the passwords to all his accounts?
That’s what’s so stupid about these systems. They are falsely named 2 factor. You don’t need both factors to login, you only need a single factor, the OTP code from text messages, as with this code alone you can reset the password to anything you want. The password is essentially a spare key in their implementation.
True. This is a major flaw with all these so-called “2 Factor” security systems. Only a few companies implement it properly so that it’s actually using two verification methods.
It is 2 factor? You need the password (1st factor) and a second one OTP from email, or text message (2nd factor)
Unfortunately it is not two factor. It is only the illusion of 2 factor. With only the SMS OTP code access alone, you can reset the password to anything you want. So the password is essentially worthless. The single factor SMS OTP codes can grant complete access to the account, even on a brand new, untrusted device. So it is not 2 factor by any definition. It is single factor only and they should not be allowed to refer to it as 2 factor, but unfortunately there are no laws or regulations governing the misuse of this term and falsely applying it to single factor systems.
Basically if someone is given a SIM swap to your account, they have complete access to your entire account. They do not need your password and there is nothing the user can do to prevent this. Even a SIM pin will not protect against this. So the only thing standing between you and complete financial ruin is a single incompetent employee at your carrier. It’s horrible and shameful.
You’re completely wrong. We aren’t learning from his investment plans. He didn’t lose his money from crypto, he lost it by fraud. The lesson is, don’t post sensitive information online.
If he had an e-sim would that stop the problem? Then if someone came in asking the swap to a new card, they would see on the account that there is no SIM card?
Nope. An eSIM is still a SIM and is not immune to illegitimate swaps.
eSIM does protect you from someone stealing your phone, removing the SIM and placing it in a phone of their own (however a SIM pin being active would protect against this). However, it unfortunately does not protect you from an employee of your carrier providing a SIM swap to a scam artist via fraudulent means. The only thing standing between you and all of your financial accounts being liquidated is the competence (or lack thereof) of the employees of your cell phone carrier.
But how does the hacker know the bank name? The login info? If I put a SIM into a new phone, the new phone doesn’t seem to remember anything from the past.
Morning, just going over your question about my loss. Once the fraudster is given a SIM card replacement they go fishing for your email providers and banking institutions. They may or may not know what you have.
They randomly go through a list of possible institutions that you may have accounts with. They go to the login screen and click on forgot account or password. They drop your phone number and wait for a 2 factor reply. Once they get a hit they follow the steps and gain access.
The first thing they go for is to get your email account opened.
Now they can simply read all your email messages and search for any information about what institutions you have been using.
If you have photo recognition or passcode security on your personal device, it does not carry over to the phone the fraudster is using with the SIM card they required. The fraudster has a fully functioning unsecured device with your account number operating on it.
Wayne
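The chain described in the comments above (an SMS code alone resets the email password, and the opened email account then completes other resets) can be checked against your own accounts before anyone else does. This is an added example, not part of the article or the comments; the account inventory, factor names and function names are constructed for illustration.

```python
# Constructed inventory (not real services). Each path is the set of things a
# requester must hold at the same time to complete that action.
ACCOUNTS = {
    "email": {
        "login": [{"email_password", "sms"}],
        "reset": [{"sms"}],  # an SMS code alone resets the password
    },
    "exchange": {
        "login": [{"exchange_password", "sms"}],
        "reset": [{"email", "sms"}],  # emailed reset link plus SMS code
    },
    "brokerage": {
        "login": [{"brokerage_password", "totp_app"}],
        "reset": [{"email", "totp_app"}],  # authenticator app still required
    },
}


def effective_factors(account):
    """Smallest number of distinct things that opens the account by any path."""
    return min(len(path) for path in account["login"] + account["reset"])


def exposed_accounts(accounts, controlled):
    """Accounts that fall to whoever holds `controlled` (fixed-point closure)."""
    held = set(controlled)
    changed = True
    while changed:
        changed = False
        for name, account in accounts.items():
            paths = account["login"] + account["reset"]
            if name not in held and any(path <= held for path in paths):
                held.add(name)  # an opened account can receive later resets
                changed = True
    return sorted(held & set(accounts))


def with_reset_paths(accounts, name, reset_paths):
    """Copy of the inventory with one account's reset paths replaced."""
    return {**accounts, name: {**accounts[name], "reset": reset_paths}}


if __name__ == "__main__":
    for name, account in ACCOUNTS.items():
        print(name, "effective factors:", effective_factors(account))
    print("SIM holder reaches:", exposed_accounts(ACCOUNTS, {"sms"}))
    hardened = with_reset_paths(ACCOUNTS, "email", [{"recovery_code", "totp_app"}])
    print("after hardening email:", exposed_accounts(hardened, {"sms"}))
```

In this sample the login screens all ask for two factors, yet the email account's weakest path needs one; moving that single reset path off SMS removes both exposed accounts.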
I’m in the early stages of getting a crowd funding account set up.
I’ve been invited and doing interviews as far as Australia with regards to what happened in my case.
Slowly getting the word out that the mobile carriers in Canada hold to legal accountability to the consumer and are not even in any way under CRTC guidelines as there are none in place. The CRTC is not interested in protecting consumers’ identity or losses. The CRTC has classified SIM swapping as a case of fraud and will reference the victim to contact the RCMP.
This must change and I’m working on getting the pieces people together.
Wayne
I don’t understand why they don’t make a call or SMS to the phone number before a SIM swap and actually wait for the answer before transferring. If the person doesn’t answer the call or respond to the SMS at all, there’s no transfer, and the person who attempts this will have to deal with the police to explain themselves.
This applies to porting out numbers when switching carriers. That was not the case here. In this case, the swap was performed from one Freedom SIM to another Freedom SIM by a Freedom employee. There are legitimate use cases where this would have to happen, such as if the customer’s phone was lost or stolen (including the eSIM or physical SIM inside it). In this case, there would be no way to “call” or “text” that number to verify, as the entire purpose of the SIM swap was to restore the customer’s access to that phone number, which was lost when the device and SIM were lost.
The employee is required to verify the customer’s identity in this case via a valid, current, government-issued photo ID. The employee either did not follow this procedure, or was duped by a fake ID.
For lost stolen mobile then police report needed. Just another Layer.
Sounds like whoever did this knows the person well enough to quickly drain his accounts in a short amount of time.
These actions don’t happen on their own. It’s for sure some employee at Freedom Mobile doing this. With so many Indians, what you expect? It will only be on the rise.