Canada saw a rash of phone number fraud attacks over a 10-month period spanning from mid-2019 to 2020, according to data obtained by The Globe and Mail.
The data, obtained through an access to information request, provide the first-ever glimpse into the prevalence of attacks known as SIM swaps and fraudulent customer ports in Canada. The fraud involves a scammer impersonating a customer in order to commandeer his or her phone number, and then using the phone number to reset passwords to the victim’s e-mail, banking and other online accounts.
According to the data, which were obtained from Canada’s telecom regulator, 24,627 unauthorized number ports and SIM swaps occurred between August, 2019, and May, 2020. (The figures may include instances where a customer’s phone number was ported to another carrier in error rather than because of fraud.)
The majority – 21,589 – of the incidents were fraudulent customer ports, which occur when, by impersonating a mobile customer, a scammer is able to transfer or “port” that customer’s phone number to the scammer’s account at a different wireless carrier. By gaining control of the victim’s phone number, the fraudster is able to reset the victim’s password on banking, e-mail and other applications that rely on text-message based, two-factor authentication. The attack takes advantage of rules meant to make it seamless for customers to switch wireless providers.
The remaining 3,038 attacks involved SIM swaps, where the scammer calls the customer’s mobile service provider, claiming their phone has been lost or stolen and requesting to link the victim’s phone number to a new SIM card that the scammer controls. (SIMs, or subscriber identity modules, are the tiny chip-containing cards that connect cellphones to wireless networks.)
A data analysis by The Globe found that nearly 1 per cent of customer transfers, or ports, during the 10-month period were unauthorized. The proportion of unauthorized ports hit a peak of 2.5 per cent in April, 2020.
The Canadian Radio-television and Telecommunications Commission started collecting statistics from wireless carriers on SIM swaps and fraudulent customer ports in 2020, but despite pressure from consumer advocates has repeatedly declined to release that data to the public. The CRTC initially redacted the figures when it responded to The Globe’s information request in August, 2020, but a year later agreed to release them after a complaint filed by The Globe with the Office of the Information Commissioner of Canada.
The Public Interest Advocacy Centre (PIAC), an Ottawa-based consumer group, has been calling for greater transparency around SIM swaps and port fraud in Canada, arguing in filings with the CRTC that the public interest of disclosing the data outweighs the potential harms to the telecom industry.
The telecoms, meanwhile, say releasing the figures and the steps that they have taken to tackle the problem would allow the scammers to find ways to get around the security measures.
The CRTC recently disclosed the total number of unauthorized ports and SIM swaps declined by 95 per cent from October, 2020, to May, 2021, owing to new security measures undertaken by the carriers. John Lawford, PIAC’s executive director, said the regulator should go further and disclose the monthly totals, as well as what the new security measures entail.
“We can’t tell consumers how to avoid the fraud because we don’t know exactly what steps [the telecoms] are taking – and saying ‘trust us’ is not good enough,” Mr. Lawford said in an interview.
Tara Howlett, a controller based in Brampton, Ont., was chatting on her cellphone one day in January, 2020, when suddenly her line went dead. She initially assumed it was a network outage, but when she reached her wireless provider she learned her number had been ported to a different carrier. (Ms. Howlett had received a text message from her carrier about the requested transfer the night before but had dismissed it, assuming it was a scam.)
As Ms. Howlett scrambled to regain control of her identity, the fraudster siphoned $10,000 out of her bank account through PayPal transactions and ordered items ranging from a Nintendo Switch to a dog bed using her Amazon credentials. The experience was “beyond” stressful, Ms. Howlett said.
“I was trying to prove who I am and I couldn’t because I didn’t have my phone number, my e-mail – I didn’t have access to these things,” she said. “I felt helpless.”
Although it took several weeks, Ms. Howlett was able to regain access to her accounts and reverse the financial transactions. Not all port fraud and SIM swap victims are so lucky, however.
“The consumer losses can be significant and life changing,” Mr. Lawford said.
In 2020, the Canadian Anti-Fraud Centre received 1,118 reports of SIM swaps and port frauds – a sharp increase from 37 reports the previous year. In 2021, the centre has received 155 reports so far.
The Canadian Wireless Telecommunications Association, an industry group, said in a statement that its members take issues relating to customers’ privacy and security seriously. “As fraudsters employ new techniques to try and take advantage of consumers, our members respond by implementing new security measures and procedures.”
Your time is valuable. Have the Top Business Headlines newsletter conveniently delivered to your inbox in the morning or evening. Sign up today.