Canadian Couple Loses Over $166,000 in SIM Swap Scam | How to Protect Yourself

Last fall, a Toronto area couple sadly fell prey to a SIM swap scam that emptied their bank accounts of over $140,000, demonstrating the lengths cybercriminals can go to these days to hijack and hack into financial accounts with little to no contact with their victims.

As reported by Canada’s Global News, Wayne Stork and his wife Diana had never even heard of a SIM scam until it happened to them. Last September, Wayne’s phone abruptly stopped working while he was at home. “My phone went into SOS mode, it was deactivated,” he told Global News. In a matter of hours, scammers had infiltrated his stock trading and cryptocurrency accounts, leaving them with a devastating loss of just over $166,000.

The couple spoke to Global News partly because they wanted to get the word out and warn other people who might not know about these attacks or how serious they can be.

The financial losses incurred by Wayne and Diana were substantial, including $140,000 in Bitcoin that were proceeds from an inheritance, $5,500 from a stock account, $15,100 in a tax-free savings account (TFSA), and $6,013 worth of shares in Canadian Western Bank. The three investment accounts were managed through Wealthsimple.

He was watching his accounts drain of money, that’s when the panic set in.Diana Stork

The couple, both longtime customers of Freedom Mobile, called customer service and were told that someone claiming to be Wayne Stork had visited a retail location in Toronto to obtain a new SIM card. It’s unclear how much time elapsed between Wayne noticing his phone was out of service and contacting Freedom Mobile, nor how long it took the carrier to deal with it, but it clearly wasn’t fast enough to prevent the scammers from draining his accounts.

After Stork reported the fraud to the police and Wealthsimple, the company acknowledged he wasn’t at fault and returned the money taken by the thieves. However, the $140K of inheritance money in his separate account with Coinbase, which the couple were saving for their retirement, is gone for good.

It’s been six months since his accounts were compromised, and Freedom Mobile still has not provided any compensation. When Global News reached out to the company, it responded with a general statement that it takes the security of its customers seriously and is “actively working to prevent [SIM swaps]” from happening, adding that it has been in contact with Stork “to resolve the issue,” without providing further detail.

What is a SIM Swap Attack?

This cautionary tale is a stark reminder of the devastation a SIM swap scam can cause. Also sometimes known as “SIM-jacking,” the technique typically involves criminals convincing a cellular carrier to transfer your phone number to a new SIM card that’s under their control.

That’s precisely what happened in this case, with one of the thieves visiting a Freedom Mobile store and pretending to be Wayne Stork. It’s unclear what procedures Freedom uses to verify identity in situations like this, but whatever the method, it obviously wasn’t enough to prevent the crook from walking out of the store with a SIM card activated with Stork’s number.

Since many websites send text messages to your phone for password resets and two-factor authentication, the thief was able to receive those messages that would have otherwise gone to Stork’s phone and use them to break into his accounts.

As Global News notes, most Canadian cellular providers added new security measures to prevent SIM swap attacks in late 2020 and early 2021, resulting in a 95 percent decline in the total number of unauthorized number transfers. These techniques typically include better verification of customers’ identities before authorizing a number transfer and sending a text message to the original SIM card asking for express confirmation before the transfer goes through.

How to Protect Yourself from SIM Swap Attacks

Sadly, criminals are finding ways around even these precautions, taking advantage of more clever social engineering tactics and carrier stores where employees may be less prepared to deal with being scammed and may not exercise the diligence they’re supposed to.

For instance, some carriers now automatically send text messages requesting confirmation before transferring a number to a new SIM card — even if that transfer is initiated by an unsuspecting (or complicit) store employee. Canada’s mobile carriers have had this in place for years for “porting” numbers to a new account, but it’s not always as rigidly enforced when simply moving to a new SIM card.

However, you can take several precautions to defend against SIM swap attacks without relying solely on your carrier’s protection.

Avoid SMS Verification Wherever Possible

First and foremost, try to avoid using SMS verification as much as possible, especially for your most important accounts. This includes not only your financial accounts but also your email and cellular provider. Your email is another place where password reset requests typically end up, and access to your cellular provider could allow a scammer to more easily conduct a SIM swap online.

For two-factor authentication, use a 2FA app that generates one-time codes directly. Apple’s built-in iPhone password manager can do this, and there are plenty of solid third-party apps from which to choose. You can also consider using a hardware security key or a digital passkey for online accounts that support those technologies.

In addition to two-factor authentication, keep an eye out for how password resets are handled. Some services that fully support 2FA will still use your mobile number to send password reset requests. In some cases, this will only reset the password, in which case a hacker still won’t be able to access your account without the second factor; however, some services also disable 2FA when resetting a password via SMS. If you’re unsure, try it out for yourself by doing a “Forgotten Password” reset as a test to see what happens.

Ask Your Mobile Provider About Additional Security

If you’re not sure how your mobile provider handles SIM transfer requests, it’s worth contacting them and finding out. They may have additional security controls available, but you may also have to ask them to set these up. These can include things like a PIN, passcode, or “port lock” on your account, which prevents your number from being ported or transferred without additional identity verification.

This all depends on your carrier, but some providers already have automatic protections against these kinds of transfers, which can set your mind at ease by letting you know what they are.

Switch to an eSIM

While using an eSIM won’t prevent a social engineering or carrier-based SIM swap, as a number can be transferred away from an eSIM just as easily as a physical SIM, it will protect you from the more blunt version where a thief simply steals your SIM card and inserts it into their phone.

If you’re using an eSIM, there’s no SIM card to steal, and since your iPhone is (hopefully) protected using a strong passcode and Face ID or Touch ID, anybody who gets their hands on it shouldn’t be able to get anywhere near your Messages app.

Many carriers let you switch your physical SIM to an eSIM right through the iPhone Settings app in under five minutes without contacting customer service. Moving to an eSIM also frees up your physical SIM card slot for a second line when you’re traveling.

Keep your Personal Information Private

Unlike many online scams, SIM swaps are targeted attacks by their very nature. Criminals aren’t picking out random phone numbers to swap over to new SIM cards to see what happens. If you’re falling prey to one of these attacks, it’s because a scammer somehow noticed you.

This means that one of the best ways to defend against these attacks is to fly below the radar as much as possible. As the FBI recommends, this includes not advertising information about your financial assets, limiting the amount of information you post online, and being careful about giving out your phone number and especially your account information.

Be careful about sharing other personally identifiable information on social media, such as your birthday, home address, names of extended family members, or where you bank, work, or go to school. Scammers can use any of these to try to impersonate you. Also, be sure any security questions and answers for account verification with your carrier are difficult to guess.

Remember, you don’t have to give real answers as long as you can remember them (the word I use when asked for my “mother’s maiden name” has never been the maiden name of anybody I know, much less my mother).

That’s not to suggest that the Storks or anybody else who has been victimized in this way has done anything wrong. Even with the best efforts, criminals can find many ways to get enough information about someone to mark them as a target for these scams.

Keep an Eye Out and React Quickly

If you receive an email or text message about a password change or an update to information for one of your accounts, don’t ignore it. It could be a scammer attempting to break into your account.

Whatever you do, do NOT click on any links in these messages — they could be scams by themselves. Instead, go to the app or open the account webpage in a new browser window and log in directly. Check for any warnings or anything else that looks suspicious, and if in doubt, change your password yourself just to make sure it’s secure — and be sure to pick a new one that you don’t use anywhere else.

Similarly, if your iPhone suddenly shows “No Service” or “SOS” in the status bar for no apparent reason, call your carrier immediately, as there’s a good chance someone has just moved your number to a new SIM.

While you’re doing that, log in to your most important accounts and remove your phone number from them, just in case. It’s better to be safe than sorry, and if the problem turns out to be nothing more than a network glitch, you can always add your phone number back later when you’ve confirmed everything is okay.