What is SIM swap fraud?
SIM swap fraud, also known as number porting fraud, is a scam whereby criminals gain control of your phone number and online accounts through your cell phone provider.1
There are two parts to the scam: first, scammers comb the Internet to find as much information as they can about you. Then, using that information, they impersonate you, call your mobile phone company, and convince them to swap your phone number to a new SIM card, or transfer the phone number to a new carrier (porting).
Transferring numbers to new SIM cards (like we do when we get a new phone), or porting your phone number to a new phone company (like we do when we change service providers), are both legitimate and necessary. But scammers are able to take advantage of a lack of security checks to use these processes to steal phone numbers, and ultimately money from their victims.
What are the harms of SIM swap fraud?
A successful SIM swap is often the start of comprehensive identity theft. Once scammers have control of your phone number, they can use it to gain access to applications and accounts, by requesting reset codes to be sent by text.
And once they have control of your accounts, they can clean out bank accounts, apply for credit in your name, purchase items online and impersonate you to contacts.
In one example, a nurse in Ontario was scammed out of nearly $10,000 after falling victim to a SIM swap fraud.2
What are companies and regulators doing?
We don’t know - and they refuse to tell us. Sadly, there’s a huge lack of transparency over what companies are doing to protect us from this fraud.
The consumer rights non-profit Public Interest Advocacy Centre (PIAC), filed information requests with both the CRTC and The Canadian Wireless Telecommunications Association (CWTA), a consortium of Canadian telecom companies. However the CWTA refused to provide any relevant information about what measures are being taken to combat the fraud, or even basic information about how many people have been affected by SIM swap fraud.3
What should happen?
It is really pretty simple; companies shouldn’t be able to swap our phone numbers over without our explicit consent. This means rather than granting requests immediately over the phone, companies should be required to confirm the request via a text to the original number - and, ports should not be allowed to go ahead without this consent.
Crucially, this and other fixes MUST be regulated by the CRTC. Without regulation, there’s no pressure on telcos to fix the problem, no transparency for the public about what changes are being made, no way for us to measure whether changes are effective, and no consequences or liability for the companies if they fail to properly implement solutions.4
Why hasn’t this been put in place yet?
Because nobody is forcing companies to do the right thing. With the CRTC declining thus far to regulate them, phone companies are handling these frauds in the way that gives them the least liability, and customers the most responsibility.
And they’re refusing to talk to the public about it, even though experts agree that it’s simply untrue that refusing to disclose the number of frauds that have occurred, or how companies are planning to deal with it, has any security justification.
It is time for the government to fix this. As the minister in charge of the CRTC, minister Champagne must urgently tell the CRTC to regulate companies to fight this dangerous fraud.