If you’re using a T-Mobile phone, you may want to watch your bank account.
Mobile cell phone provider T-Mobile is warning its customers about the appearance of a new scam that targets your phone number linked to your bank account. According to T-Mobile, this scam could potentially affect any other service provider (i.e. Verizon) who has provided security information to their bank.
It may seem ironic, but the same security measures used to thwart identity thieves actually create a loophole. Essentially, the scam is a straight-forward exploit of lax security measures: First, scammers obtain your phone number, pretend to be a consumer, and finally transport your number to another phone. The scam works because it takes advantage of how banks and other financial institutions use password-recovery options that are linked to cellphone numbers. These same numbers may also be linked to social media accounts, like Twitter and Facebook, further compounding the complications of identity-theft.
How the Scam Works
The scam all starts with thieves getting your personal information, which includes your name, phone number, email addresses, and possibly your Social Security number. From there, thieves typically take their victim’s T-Mobile phone number by accessing their account information. Combined with their victim’s personal information, they are able to transfer that number to another phone — for T-Mobile users, it can be Metro PCS, a company that is owned by T-Mobile.
According to technology experts, thieves then immediately contact the victim’s bank to reset the password on the victim’s bank account. Banks then provide a verification code sent to the phone number on the scammer’s MetroPCS phone (or another mobile device). Once the new password is set, thieves can transfer funds just as normally as if the victim were doing it themselves.
Users who have experienced this scam typically begin by receiving a text message from T-Mobile, alerting the user that they’ve made changes to their service plan and that their phone number has been transferred to a T-Mobile-related cell service, MetroPCS. However, the scammer has deliberately made this change, transferring the user’s phone number to a new phone and then cutting off service to the user’s phone. Those who get in touch with the cell phone provider naturally inquire about their phone account, which is usually rectified immediately.
While this may just seem like adding insult to injury, there is also has a compounding effect to this approach. For those who may not have a way to immediately get in contact with their financial institution to place a hold, freeze their accounts, and verify the account for suspicious activity, the thieves get a window of opportunity to transfer money from the bank account to another. By the time most customers begin to investigate their account activity and get their phones back online, the scammers have already moved on. It has been reported that this entire process only takes a few minutes, showing the speed and sophistication of the attack.
What makes this recent wave of identity theft especially possible is an app known as Zelle. Recently, banks have been offering a free money-transfer service via Zelle to process the transactions smoothly between other bank accounts. To use this service, people register their email addresses or phone numbers to verify their Zelle account — which creates the perfect opportunity for thieves to gather a customer’s private information. While Zelle’s purpose is to facilitate easy transfers of money between accounts, it may be too easy for scammers to empty an account in short order.
What Can Customers Do to Protect Themselves?
As with any scam or unusual account activity, it typically falls on the shoulders of the customer to be vigilant. This includes the normal preventative measures of not providing their personal information to untrustworthy sources, shredding documents, and creating passwords online that are hard to crack. In most cases, when the scam has been caught early, consumers have been able to mitigate their losses and stop the unwanted money-transfers.
However, basic preventative measures may not be enough to protect consumers. The extent of the scam has forced T-Mobile and other cell phone service providers to issue an alert to combat this issue. The company has provided a link on its website dedicated to this scam, stating, “Our industry is experiencing a phone number port out scam that could impact you.” Additionally, the Better Business has issued a nationwide alert in an effort to stop the scam that is responsible for stealing thousands of dollars from T-Mobile customers.
To further protect its customers, T-Mobile has been contacting their customers via text message to immediately add extra layers of security protection to their accounts. This new security feature requires any number-porting request to be verified with a special passcode. T-Mobile users are encouraged to call 611 from their T-Mobile phone and create a new 6-to-15-digit passcode to add another barrier to identity thieves. Additionally, T-Mobile suggests that its customers have strong passwords on all of their accounts and ask their bank for any other added security measures, including text-to-PIN authentication or unlinking of their contact information.
For more information on T-Mobile’s security and privacy resources, click here.
* * *
According to recent estimates, this scam has been able to siphon anywhere between $1,000 – $3,000 in unwanted transactions per attack, but it may be more widespread than is being reported.
Experts have detected similar bank-verification scams dating back to 2016 and 2017, indicating that this is not the first instance of tech-savvy cellphone crimes that can exploit your bank account via phone. In similar circumstances, Verizon, Sprint and AT&T phone-number verifications from a financial institution were exploited in the same fashion — ill-gotten personal information allowed thieves to pose as a customer and attempt to change information for account transfers.
With newer money transfer services like Zelle and VenMo, transactions can occur rapidly with minimal verification. This may indicate a trend of identity theft that focuses on manipulating security measures for a window opportunity. Despite the industry-wide warnings, there continue to be instances of this scam appearing across the United States, particularly in the Seattle area.