Many T-Mobile customers recently received a text message that the company has “identified an industry-wide phone number port-out scam and encourage you to add account security.” The text then directs you to a page on the T-Mobile website to learn more. In case you’re wondering if this threat is real, it is. And you need to take action on it now, even if you’re an AT&T, Sprint or Verizon customer. Failure to do so could result in having your bank account cleaned out, as has happened to numerous consumers.
Here’s how the scam works. The fraudster either calls your carrier or goes into a local store claiming to be you. With so much of our personal information now in the public sphere, including our Social Security numbers, it’s not hard to do (thank you, Equifax and others). They then “port out” your phone number to a pre-paid phone on another carrier.
Now that they have control over your number, they can receive the two-factor authentication texts required to reset your email password. And from there, it becomes relatively easy, assuming they have other basic identifying information about you, to reset your banking information and gain access to your accounts.
To protect yourself from these scams, it’s critical that you set up a port-out validation PIN with your carrier that prevents anyone who doesn’t know this number from transferring your phone to another account. You may already have a PIN on your account, but the default PIN is sometimes the last four digits of your SSN (as I recently discovered it was for my T-Mobile account), which makes it incredibly insecure, so you should change it to something that can’t be easily guessed.
To set up your port validation PIN on T-Mobile, you need to call 611 from your T-Mobile phone or dial 1-800-937-8997 (you can’t do this online). You can learn more about the PIN creation policies and processes for each of the carriers on their websites (AT&T, Sprint, T-Mobile, Verizon).
Even if you have a strong PIN, there are phishing attacks specifically aimed at uncovering it. For example, I received a pre-recorded call earlier this week with the message:
“Dear AT&T Customer, we value your security and invite you to validate your wireless account passcode. Please press 1 to verify now.”
Had I “validated” my AT&T passcode (which I don't have, anyhow, because I'm a T-Mobile customer), the scammers would now have exactly what they needed to transfer my account. Always protect your passcode and never give it to anyone or type it anywhere unless you go directly to your carrier's site login page (NOT by following a link in an email you received) or initiate the call to your carrier.
In addition, carriers use your email and/or security questions to remind you of forgotten user IDs and passwords. So always use strong, unique passwords for both your email and mobile accounts, and make sure your security questions can’t be guessed using publicly available information (even if that means lying).