When I worked at the Apple Store, phone upgrades could be a pain. If someone came in to upgrade a line, she had to be an authorized user on the account, present a valid photo ID that matched the authorized user list and have the account’s details to even begin the process. While this kept a lot of kids from getting a new iPhone added to their parents’ cellular accounts right then and there (and made for some frustrated customers), it also stopped criminals from hijacking folks’ accounts, adding lines or getting free phones using another person’s credit and cellular account.
The phenomenon is increasingly more common here in the United States. According to a Federal Trade Commission (FTC) blog post published yesterday, mobile phone account identity theft increased from 1,038 reported incidents in January 2013 to 2,658 by January of this year, a total representative of 6.3 percent of all identity thefts reported to the regulatory agency. While that may not seem like a lot of individual cases, the scope of the problem is, in all actuality, much greater. After all, the U.S. Department of Justice estimates that only one percent of all identity theft cases are ever reported to the FTC.
These incidents have also made news headlines. In 2013, the government seized 5,500 phones from an operation in Michigan that had been fraudulently purchased via phone account identity theft from AT&T, Verizon, Best Buy, Radio Shack and Apple Stores and were making their way to markets overseas. Just last month, a man who had previously been arrested two times before for phone account identity theft was arrested in Oregon for trying to buy four iPhones at a Verizon Store with a fake ID.
How Do Criminals Pull Off Phone Account Identity Theft?
Criminals have worked up elaborate schemes to fraudulently acquire cell phones under unsuspecting victims’ names. Sometimes, the fault doesn’t even lie with lackadaisical security practices on the part of the victim. According to the FTC blog post, reverse number search websites make it easy for identity thieves to determine with which carrier a particular phone number is associated. For less than the price of a candy bar, fraudsters can also use these sites to find the name and address associated with the account.
So-called Dark Web sites also play a large role in the problem. Remember the identity theft scares associated with certain retail stores? Entire rolls of personal information, including social security numbers, can be obtained by people with ill intent for pennies on the dollar.
Phishing attacks also account for some of the problem. A thief will impersonate a phone carrier employee, asking for confirmation of personal details that will eventually be used for account identity theft.
Armed with a treasure trove of personal information, all a thief has to do is go into a retail store with a fake ID using her photo but the victim’s info and begin the process.
What’s even worse is how scammers use an information safeguard (two-factor verification via phone text message) to gain access to an unsuspecting victim’s bank account in what is known as a SIM swapping or SIM splitting scam. After buying bank account information and looking up personal information publically available on social networks that helps them answer bank account security questions, identity thieves call phone companies pretending to be someone else, insisting their phones have been lost or stolen. They then ask the carrier to switch the phone number associated with a victim’s SIM card to the thief’s device’s SIM card. They can then access bank accounts protected by two-factor phone verification, withdrawing money from bank accounts that aren’t theirs.
These attacks often aren’t even the fault of their unsuspecting victims.
What Should You Do If You Think Your Mobile Phone Account Has Been Hijacked
Have the phone numbers associated with your accounts been randomly shut off (even though your bill is paid)? Have you received notice from a bill collector that your Sprint account bill is overdue, even though your carrier is Verizon? Did your most recent phone bill include a line you never authorized? You may have been a victim of identity theft.
First of all, don’t panic. It’s easier said than done, especially in a situation that seems out of control. But your phone carrier will go through the proper procedures to restore your account and the FTC makes it easy to report identity theft and contact the proper authorities after identity theft.
Contact your phone carrier and explain your situation. The customer service representative will try to fix the problem over the phone or will refer you to another resource within the company. Call the carrier’s fraud department to reverse any changes made to your account and get your phones up and running again. Ask the company to close or put a freeze on your account. Then change your account’s passwords and PINs. This can be frustrating, especially if you’re being bounced back and forth to different departments or if you have to visit your carrier’s brick and mortar stores. But be persistent and patient and the carrier will work with you; after all, they don’t want to lose you as a customer.
Next, visit identitytheft.gov. This recently relaunched website created by the FTC offers an identity theft checklist and creates letters for you so you can get your life back in order. You will be directed to call the one of the three credit reporting agencies – Experian, TransUnion and Equifax – to place a free, 90-day fraud alert on your name. If the thieves try to open up a new line of credit in your name, the alert will pop up in businesses’ systems, forcing them to confirm the identity before proceeding.
Identitytheft.gov directs you in how to correct your credit reports and remove fraudulent charges from your accounts, as well as how to report identity theft to law enforcement. The site also offers easy-to-follow steps pertaining just what type of information has been compromised.
Companies are also required by law to provide identity theft victims business records related to the incident within 30 days of receiving a written request. Identitytheft.gov can help you fill out the letter and give further directions.
What Can Carriers Do to Prevent Mobile Phone Account Identity Theft?
As identity thieves become savvier at stealing people’s private information, it’s important that phone carriers stay abreast of new schemes and become better able to detect fraudulent account use. Carriers and other businesses are required by law to have a written identity theft prevention program.
Carriers should also evaluate their customer authentication and authorization procedures to see if there is more they and third-party authorized retailers could be doing to prevent fraud. Adding more advanced security features might be less than ideal for customers, but it’s in the name of protecting their valuable information. It’s all about accountability.
How You Can Prevent Mobile Phone Account Identity Theft
Any type of identity theft is frightening, but there are ways to protect yourself from someone gaining unauthorized access to your information.
It’s important to always stay vigilant. Get in the habit of checking your bank and phone accounts frequently to make sure there’s no suspicious activity. Stay abreast of any attacks that have hit companies you shop with to make sure you haven’t become a victim.
You can also use several safeguards provided by companies to protect your information. While the example above showed how two-factor authentication can be used against you, you are more likely to be protected than if you hadn’t turned it on at all.
Create a PIN number for your mobile phone accounts. This optional process creates an extra layer of security for your account by forcing you to give a four to six digit code before making any crucial account changes. If you are a Verizon customer, you can create or change your PIN by editing your online MyVerizon profile, calling their customer service number (1 (800) 922-0204) or by visiting a Verizon Wireless retail store. AT&T’s extra security option makes it necessary for customers to provide a special PIN whenever they interact with AT&T online, in-store or over the phone; this feature can be accessed by visiting the myATT app or the AT&T online portal. T-mobile customers can create a customer care password that will be required when making account changes by phone or in person by calling 1-877-453-1304 or visiting a T-mobile store. If you’re a Sprint customer, you’re in luck: when you created your account, you simultaneously provided a PIN number that is needed for any transaction.
Make sure any passwords or answers to security questions are strong. This is fairly self-explanatory, but please don’t make your password “Password.” Follow our guide to creating stronger passwords here.
Do not make personal information that can be used to answer security questions public using social networks. What is your hometown? What is your mother’s maiden name? What is the name of your first pet? If this info is available on your social networks, you’re opening yourself up to trouble. Check your social network privacy settings frequently to make sure your info isn’t easily harvestable.
Keep ahead of information phishing attacks. If you receive a phone call or email from someone claiming to be an authentic carrier representative or representative of another company, think twice before revealing any personal information. Do a Google search of the phone number to see if other people have been scammed by this particular number previously. Check the email address you received the message from- if the domain name (email@example.com) doesn’t match the company’s website (yourcompany.com), it’s probably not a legitimate representative. Never give people personal information unless you are absolutely certain you are corresponding with a legitimate company entity.
[Image credit: faceless person in hoodie via Shutterstock]