During late September 2019 I became a victim of identity theft fraud and I lost more than 7 figures. This impacted my happiness, peace, focus and productivity. It happened to me, it happened to food writer Jack Monroe, it happened to Twitter founder Jack Dorsey and it very easily could happen to you!
If you have a mobile phone, you could also become a victim - the potential damage, stress and hassle is huge. Trust me take the various steps mentioned to minimise your risk, the damage , the stress and the hassle. In this case prevention is better than cure.
This article chronicles what happened, how I dealt with it, steps you can take to reduce your risk and some great resources to help you.
On a Monday afternoon, I had a couple of calls from an unknown number to my mobile number, when I answered nobody spoke but it sounded like a call centre. I dismissed it as one of the many calls often received regarding PPI, or an investment opportunity or such. However in hindsight my Spider senses started tingling. I later understood that a call is often made to the mobile to check that the number is live.
Then around 5 pm I got a text message from my mobile network provider saying here is my PAC code (Porting Authorisation Code) and it is valid for 30 days. PAC codes are used to transfer or port a number from one network to another. A few minutes later I got text message from new network provider welcoming me to the network and saying that my number will be transferred in the next 24 hours. I later found out this was already too late and the point of no return - the damage had already be done! The fraudster already had control of my number and all things connected to it.
This all caused a panic as I knew not having my mobile number would cause hassles. The 2 main thoughts were: (1) my number had been given by mistake, a typo or something or (2) that something bad was going on.
I called my network provider and explained that I had not requested the PAC code and did not want to be ported to another network provider. That this process had to be stopped as so much is linked to my number, a number I have had for best part of 2 decades. In a way that number was part of me, my identity. I was assured that technical services would be made aware and if the number was ported that it would be able to get it back (relatively quickly I thought). I also found the number for the new network provider and called them explaining my predicament. They could not find my name or number on their systems and said I would have to wait for the number to switch before it could be switched back. Unfortunately the customer service teams at both networks did not action their fraud teams.
The PAC code request and start of switch had occurred around 5 pm - the time when many people are commuting so not actively able to view or check their messages. Also the customer service teams / fraud teams at the phone providers often only provide service till 6 pm so the fraudster took advantage of all this.
The next morning I had an email from my credit reference agency highlighting activity over the last 7 days. There was an entry on it for identity check that I did not recognise that had occurred the day before on the Monday. The Spider senses were on full alert. I probed into the report further, found the credit agency and queried them. To my horror, the fraudster had set up an account on another credit reference platform under my details and had access to my full credit report - my financial information of banks, credit cards, loans, mortgages, addresses, linked people etc. I later found out they had also done a credit card application quotation. This is when I knew things were not right.
My credit reference provider advised me to contact the platform and get the account closed. I also was directed to contact Action Fraud to lodge identity theft issue, sign up with the other major credit reference agencies (TransUnion, Experian and Equifax being the main 3 in the UK). I also went to CIFAS, an organisation that deals with fraud prevention and took out their 2 year Protective Registration service which means processes for taking out financial products etc.will be slower as extra steps will be needed.
Then just after midday I got a text from one of my credit card companies saying that a transaction valued £900 for a purchase from a particular company had been flagged as suspected fraud activity and for me to reply if the transactions were mine with a ‘Y’ or a ‘N’. I replied ‘N’ and got another message to call my credit card company on a particular number. I had read about fraudsters able to spoof emails and phone numbers to look like they are genuinely from a particular company and being on high alert with my Spider senses switched on I checked on the credit card companies website and confirmed the number was in fact genuine. I called them and talked through the transactions that were not mine informing that last night my mobile number had been requested to be switched so I was in the middle of identity theft fraud. They were great, reassuring and immediately cancelled my credit card and issued new ones. I requested that my mobile number be taken off as my mobile number was going out of my hands. I logged this fraud transaction activity with Action Fraud.
Just a few hours later I lost service on my phone. I called my number and it went to the voicemail of the new network provider. That was it, I was the victim of identity theft fraud known as ‘SIM Swap’, ‘Port Out’, ‘SIM Switch’ and other similar names. I still had my phone but no service, no number and no idea what next. I called my network provider as well as the new one and explained that fraud had already been attempted and for them to block the number and switch it back asap. I was annoyed and frustrated that despite being proactive and highlighting the issue and potential troubles; again unfortunately the teams at the network providers did not action the fraud teams or in my opinion actively deal with the incident to limit the damage.
Imagine if the text from my credit card company had been a few hours later when I no longer had my phone number and the fraudster had it. They would have received the text, replied Y and had the £900+ transaction go through and I would have been none the wiser, no idea that anything was wrong.
I saw a message come up on my phone about Yahoo Account Keys - I thought it suspicious but did not comprehend what it was about. This was the next step in the fraudsters process as I later found out.
At around 5 pm (24 hours after the PAC code request and submission to another provider) I saw an email come into my inbox, luckily I was online and on my email. The email was from Samsung confirming the order for 2 high end mobile phones worth over £2,000 to be delivered the next day by courier. The email had a name, delivery address and a contact number (no doubt all also identity thefts of another victim). Now panic set in, my email was hacked and compromised. Oh Shit, this is bad. What else was impacted?
This is where my childhood dream of being a detective really kicked in. I had to put my investigative skills to use. My practices of gratitude and mindfulness helped me with clarity of thought, planning and solution finding. I had to :
Secure my emails
Contact Samsung and flag the fraud
Consider what else is at risk and get a plan together - in reality everything was at risk; all things connected to my email address or mobile number such as other online accounts for shopping, banking, credit cards, financials, personal data, business, social media
Remember I don’t have my mobile number so needing to use a landline or somebody else’s mobile number and now I don’t have full control of my email. The 2 main communication channels, my mobile number and my email were not in my full control!
I called Samsung told them that order was fraudulent, to stop the transaction and not deliver the 2 phones the next day. I asked them how it had been paid for and was told PayPal. I tried to log into my PayPal account but could not so had to request pass code/password via alternative option of email. I could not do using the my connected mobile number as I no longer had it. I managed to get into PayPal as see what method of payment was used; another credit card. I contacted the credit card company explained what had happened and asked for the transaction to be stopped, my card cancelled and re-issued. Again their customer service and fraud team were great, reassuring and explained what would happen and that I would not be out of pocket.
I initially struggled to get a number for PayPal and talk to someone (again UK team closes at at certain time) but did manage to get through to someone I think maybe in USA explain what was happening and requested the transaction be stopped, my account blocked till further notice. They took action immediately. I was realising that whatever I used my phone for to get pass codes to access the account was at risk - almost everything: bank accounts, emails, financial platforms - almost anything with an account, email and pass code via text message.
Frantically trying to work out how to secure yahoo email, remove the mobile number pass code and use alternate email option. The fraudster had used a feature of Yahoo called account keys which means if Yahoo is accessed from the device with the mobile number no password etc needs to be entered. It is a faster access method.
From Yahoo web page:
“Tired of remembering and managing multiple passwords? Account Key is more secure and lets you use your mobile phone instead of a password to sign in. Once enabled, Yahoo sends a notification to the mobile device of your choice. You can approve access with a tap on your phone, so no one else can get into your account.”
However if you no longer have you mobile number and the fraudster has put into a new phone, requested account keys to set up access to your Yahoo email then they have access to your email even if you change he password as the phone is the device to allow log in.
I looked in my deleted folder and saw a Yahoo pass code request notification email, the fraudster had received this and deleted it without my noticing it. I also saw a similar one for PayPal. This is how they had accessed these accounts. There was also one for an Argos account having been created.
I had to secure my email by removing the link to my mobile number and get the email browser session closed that the fraudster was using. This took a few hours to research, experiment and try but after 9 pm it seemed to be that I had secured my email by removing the mobile number completely as an alternate option, changing my password by using an alternate email option. On Yahoo you can go to Account Info and see recent activity. Here I could see the browser sessions that were open for yahoo. The fraudster had a session open so I signed out from all sessions. With that action, removing the mobile number and changing the password I felt the email was now secure again.
I went to the Argos site and asked for a password reset by email to my Yahoo account. Using this I reset the password and was able to get into the Argos account the fraudster had set up. In the basket was another £900 phone ready to be purchased. The name on the account was different from the Samsung one - so probably a bogus or one of another identity fraud victim. The email was obviously mine which they had access of up to this point and the mobile number for contact was the same as the one on the Samsung order. This led me to believe that the fraudster was using that number to get notifications of delivery for the orders placed. I believe that the address and name the fraudster had used on the order was probably of another identity theft victim and also that the mobile number was another victim of sim swap. With the delivery courier using text to say when they will deliver the phones I suspect the fraudster waited outside the delivery address with the phone and text message so they could show the courier, take receipt of the phones and be on their way with not trace left.
I checked my other email accounts for recent activity and any change requests to see if they had been compromised.
I needed to think fast and started contacting some of my credit card providers and banks to highlight that I was victim of identity theft fraud and my mobile number that is connected to the card had been compromised so to be extra vigilant with any activity or change requests on the account or transactions and to temporarily remove my number.
After being on edge all day, reacting and responding to events as they unfolded, I turned in late at night after a day where I needed to think on my feet fast, act quickly, be vigilant and mindful with my game of cat and mouse with the fraudster I thought of the damage that they were so easily able to do in 24 hours or so. Take control of my phone number and any associated alerts, use one of my credit cards, access my email and subsequently my PayPal account and hence another credit card, set up an Argos account and attempted over £4,000 worth of purchases for 4 high end mobile phones. I thought the financial damage was limited as the credit card company had caught the credit card usage, I had contacted Samsung about the 2 phones so deliver could be thwarted and I had accessed and changed the Argos account.
I woke up at 4 am with a need to double check that my email was secure and no further activity had occurred. It was safe. I also worried about another bank account and some credit cards I had not informed them of the fraud activity going on. I called them, spoke to the fraud teams explaining what was going on and requested for my cards to be cancelled and re-issued, for my mobile number to be removed from the accounts, to freeze any online access to the accounts. I spoke with Action Fraud again highlighting what had happened adding more information to reports including information about the Samsung delivery later that day which could allow them to catch the fraudster. I filed a police report and gave them a run down of the sequence of events and again details of the number I believe the fraudster is using to receive delivery information and when the delivery for Samsung was going to be so they could attempt to catch them. I later found out that no action was done by Action Fraud, the police or by Samsung so the fraudster did get away with 2 high end phones worth over £2,000. This was disappointing after having given enough information and acting proactively to various organisations.
I emailed and contacted my network provider making a complaint, sharing the police report case number and requesting action from the teams / senior management. Eventually action took place and I got my number back after one week while the fraudster was able to take my number in a few hours. Something very wrong with this.
I set up my profile on other credit reference agencies and set up a password for any requests.
The fraudster only needed my name, address, date of birth and mobile number to initiate the sim swap - they were not asked for pin / password or memorable information associated with my account. I am sure they also had my email address and the long number of one of my credit cards. How they got this I do not know. It could be a data breach from a company that has my information, it could be a dodgy employee at a company or discarded paperwork from a company ( I shred all my personal info before discarding).
At the end of the day the fraudster got away with 2 high end mobile phone worth over £2,000, I did not lose any money from my accounts; however I was not able to progress my normal day to day activities whilst I dealt with this issue so that had a knock on impact as did all the research, phones calls, time waiting and explaining.
“Identity Theft Fraud: How I lost more than 7 figures...
this was my mobile number not financial sum!”
Throughout this incident I was reminded of the age old question that we must all answer at some stage ….
WHO AM I?
I am grateful for fraud activity alerts
I am grateful for fraud activity teams
I am grateful for being vigilant, aware and alert.
I am grateful for informative articles on identify theft and organisations that help
This is a very quick and easy fraud that can happen to you and cause a lot of damage, hassle and worry. Please take steps suggested to reduce your risk and also share with others
ACTION PLAN
Here are suggested actions to take to reduce your risk and other resources.
Read these articles to understand the damage that can be caused and how easily
https://www.bbc.co.uk/news/technology-50043230
https://www.theverge.com/2019/8/31/20841448/jack-dorsey-twitter-hacked-account-sim-swapping
https://www.nerdwallet.com/article/finance/sim-swap-criminals-really-number
Contact your network provider and request to have a password set up that must be used for any PAC requests or account access/changes
Create a free account with the 3 main credit reference companies in the UK and request for a password to be associated for any credit profile or report requests.
Transunion Telephone 0330 024 7574 https://www.transunion.co.uk
Experian Limited Telephone: 0344 481 0800 www.experian.co.uk
Equifax Ltd Telephone: 0800 014 2955/ 0333 321 4043 www.equifax.co.uk
Dissociate your mobile number from your email for pass codes/password resets. This is one of the most important things to do but not the easiest. Set up two factor authentication (2FA) by using a trusted 2nd mobile number (e.g. a second personal sim, partner’s number etc.) and/or alternate email account.
Set up alerts on you various financial accounts such as banking, credit card company, share dealing, crypto, business accounts (e..g mailchimp etc) to send email and text when a login to account occurs, a transaction is done such as a payment and regular balance / transaction updates. This will let you monitor activity and stay vigilant.
Check haveibeenpwned.com to see if your email / data has been part of the many data breaches occurring in organisations
Register with CIFAS.org.uk (the UK’s Fraud Prevention Service) and request a Protective Registration to be applied to your credit details. A CIFAS Protection Registration warning on an address indicates to lenders and other organisations that they may need to carry out additional checks on any applications from that address. Telephone 0330 100 0180.
If you become a victim of fraud contact the police and Action Fraud Telephone 0300 123 2040 https://www.actionfraud.police.uk/
This article, The SIM Swapping Bible, is packed with brilliant information, is very comprehensive, has action steps and is a must read and action as much as you can. I am taking action on many of the suggestions.
Please do take action regarding this issue - do not be complacent, that is what the fraudsters are counting on. Share with others and please share your suggestions, recommendations and useful information/tips in the comments.
About the Author
Shaileen Shah is a Happiness Coach, Speaker and Trainer. Previously having been in finance technology for the investment banking arm of RBS during the RBS takeover of Natwest, the RBS takeover of ABN Ambro and the financial crisis he has experienced the challenges brought by uncertainty, change and stress. He is certified in The Science of Happiness and shares through Happy Life Habits. Happy Life Habits Positively Impacts Happiness & Well Being Levels by creatively and uniquely combining Personal Development + The Science of Happiness + Spirituality. A business for Good; supporting the UNs Sustainable Development Goals. For more information see HappyLifeHabits.co.uk.
