Cell phone ‘port-out scam’ can threaten bank, other accounts

Fraudsters are using stolen info to trick cell phone carriers into transferring legitimate phone numbers to new devices, leaving consumers with dead cell phones and vulnerable to further attacks

If you’re like most Americans, your cell phone is probably one of the first things you look at in the morning and one of the last things you look at at night. Imagine, then, waking up to find that your phone suddenly doesn’t work and is constantly in emergency mode. For a growing number of consumers, this is the first sign that they are a victim of the port-out scam.

In the scam (also known as the “SIM-swap scam”), a fraudster tricks a cell phone carrier into transferring or porting a consumer’s legitimate phone number to a phone under the scammer’s control. Once a number is ported, all calls and text messages that are sent to that number go to the scammer’s phone. With that power, scammers are able to get around security features, like two-factor authentication, that are in place to protect consumers’ sensitive email, banking, and social media account information.

In a typical port-out scam, the fraudster will first obtain key details about their victims, such as the last four digits of a Social Security number, a phone number, name on the account, and the victim’s address--all of which are widely available on online black markets thanks to years of data breaches.

Armed with this information, the scammer then calls the victim’s wireless provider and impersonates their victim. Once the scammer establishes contact with the cell phone company, if the victim did not establish a security PIN, all the scammer needs to do is correctly confirm the last 4 digits of their victim’s Social Security number and mailing address. The scammer then asks the wireless company to port “their” number to a different phone. After the carrier switches the victim’s phone number to the fraudster’s phone, the victim’s phone will go dead, and the scammer will then use the phone in his possession to reset passwords or gain entry to accounts that use two-factor text authentication. The most common targets for these scammers are bank accounts. Once a bank account is accessed, the scammer can quickly transfer funds to an account that the scammer controls.

This scam can be financially devastating to its victims, but there are several steps you can take to prevent the scam from happening in the first place:

  • Contact your carrier and ask them to add a unique personal identification number (PIN) to your account. This PIN will need to be provided any time you wish to make a change to your account, including upgrading your cell phone. This extra layer of security will help stop any would-be scammer from running the port-out scam on your phone. The process for adding a PIN depends on your provider. See below for details on how to add an account PIN for each of the four major national wireless providers:
    • AT&T - Log into your ATT.com account, go to your profile by clicking your name, and under the wireless passcode drop-down menu, click on “manage extra security.”
    • T-Mobile - Call 611 or (800) 937-8997 from your cell phone to speak with a customer service agent.
    • Sprint - Sprint automatically requires their customers to set up a PIN when an account is opened.
    • Verizon - Visit vzw.com/PIN or call (800) 922-0204.
  • Always use good password hygiene. Regardless of account, choose a password that is unique, complex, and contains upper- and lower-case letters, numbers, and symbols. It is critical not to reuse passwords across multiple accounts. Otherwise, if one account becomes compromised, every account with that password can become compromised as well. For the best password security, use a password manager that creates and remembers random passwords.
  • Consider alternatives to text two-factor authentication. For your most important accounts, like your online bank account, see if they allow other forms of two-factor authentication, such as a security key or a third-party authenticator app like Authy.
  • Be wary of suspicious emails or phone calls from people purporting to be from your bank. Remember, your bank will never ask you to enter confidential information in an email.

Despite our best efforts, fraudsters will likely still be able to pull off the port-out scam. If this happens to you, and your phone stops working, you should:

    1. Immediately notify your cell phone provider, and report any fraud to your bank. Quick action on your part can minimize any damage the fraudster could inflict on you. Your cell phone provider can turn off your phone number and prevent scammers from using that number to bypass two-factor text authentication. Notifying your bank the moment you notice unauthorized charges or that you are at risk for fraudulent two-factor authentication can also minimize your liability.
    2. File a report at Fraud.org via our secure online complaint form. We’ll share your complaint with our network of law enforcement and consumer protection agency partners who can investigate and help put fraudsters behind bars.
    3. File a police report at your local police station.