An Adelaide schoolteacher lost her entire life savings – a whopping $43,000 – after receiving a single text message from her bank.
An Adelaide schoolteacher lost her entire life savings – a whopping $43,000 – in a “sophisticated” hack that could happen to anyone.
Debra*, who requested her real name not be used, had her world turned upside down at the end of 2019 in a single text message.
The 36-year-old South Australian had just booked a trip to London when her mobile phone suddenly lost signal.
She had fallen victim to a SIM swap hack, where a cyber criminal had remotely gained control of her phone by impersonating her to her telco provider, Optus, and asking for an eSIM card.
Currently, most phone companies including Optus only need the customer’s full name, date of birth, phone number and address before authorising a SIM swap.
By the time Debra woke up the next morning, there was only $200 left in her account. Transaction records showed the other $42,900 had been transferred out in eight instalments to several international accounts over the course of less than two hours.
“I cannot believe these people left me with just $200,” Debra told news.com.au. “I thought ‘oh my god, what the hell, oh my god, how am I supposed to survive like this’.”
Debra is finally speaking out following the news earlier this month that the Australian Communications and Media Authority (ACMA) will soon require telco companies to use multi-factor authentication before completing a “high-risk transaction” like a SIM swap otherwise they will face legal action.
Debra used her computer to contact Optus to ask why her phone wasn’t working back in November 2019.
What they told her “blew me away”.
“The person on the other line said ‘oh you asked for a SIM card replacement’. I was like ‘what, huh?’”
She went to bed that night after managing to get her phone number locked down but unbeknownst to her, the damage was done. The hacker had already sent a password reset to her bank.
In the early hours of the morning, her life savings were completely cleaned out.
The hacker transferred cash from her savings account into her credit card holdings, where it was then sent on to international accounts.
Initially, $18,000 was transferred at 6.08am, followed by several lots of transfers of $5003. The final transaction occurred at 8.06am. The whole thing took less than two hours.
“They are just very quick,” Debra said. “This is a big chunk of money being taken out.
“I went to work crying and used the phone there to call the bank to inform them of what had happened.”
What followed was six weeks of hell while she waited for the bank to recover her funds.
Debra had purchased a property a year earlier and had to put her mortgage on hold. She also had to borrow money from friends and colleagues to pay for her groceries.
She was charged a late penalty because she couldn’t afford to pay off an instalment for her invisalign dental braces.
To date, Optus gave her $10 off her phone bill and waived a $55 fee to change phone numbers by way of compensation. She says it’s not enough.
When Debra looks back, she believes a text message from several days earlier kickstarted the chain of events which led to her being penniless.
She had just forked out $3000 for her trip to London and had transferred money between accounts when she received the message shown above, saying there had been unusual activity.
The two-sentence text message appeared to come from her bank, ANZ. She had previously been sent one-time use verification codes and even hyperlinks to opt out on the same text thread.
“I knew that I had transferred a big amount of money to savings account, I thought this was a legit message,” Debra said.
However, after clicking on the hyperlink, she soon realised her mistake.
But by clicking on the link, she believes the scammer was able to scrape information about her, including her name, date of birth and home address – which was all they needed to take control of her phone.
An ANZ spokesperson confirmed to news.com.au that this is a “sophisticated” scam that has been plaguing their customers for some time.
The hacker can trick the customer by “spoofing” their message to make it appear in the same thread as legitimate ANZ texts.
Debra found herself “distraught” by the theft, so much so she even hired a psychologist afterwards to reduce her anxiety.
“I felt so violated in the comfort of my home,” she said.
“I am still paranoid after two years, I constantly check my mobile app and see the signal on my phone.”
She obtained a transcript of the hacker’s conversations with Optus which showed that on November 19 and 20, the hacker made more than half a dozen queries about getting their SIM card replaced.
“This is the scariest part – apparently I rang Optus because I lost my SIM card when I was in the UK, when I hadn’t been to London yet,” Debra said.
For each event logged, the Optus staff member wrote that the caller had passed the ID check.
They called Debra’s phone eight times trying to verify the story but she didn’t pick up. The hacker claimed they couldn’t access their phone as it had been stolen, and eventually, Optus granted them their request.
Optus wouldn’t comment on Debra’s case but assured news.com.au it takes customer security seriously.
“Optus implements multifactor identification checks for high-risk transactions such as SIM-swap requests,” a spokersperson said in a statement.
“These identification requests may escalate to further verification checks, including the requirement to complete an in-store identity check or escalate the request with further verification checks. While many customers do feel this is burdensome, Optus takes customer security and data very seriously.”
Earlier this month, the ACMA announced that phone companies will need stronger customer identity checks for “high-risk transactions” like SIM swaps or account changes.
The new requirements, called the Telecommunications Service Provider (Customer Identity Authentication) Determination 2022, will come into effect on June 30.
From then on, telcos must use multi-factor authentication of their customers’ identities such as confirming personal information and responding with a one-time code, similar to how banks operate.
Under the new guidelines, the ACMA can punish telcos who breach the rules, including by taking them to court.
An Australian SIM swap victim will on average lose a whopping $28,000 to hackers, according to the ACMA.
Between 1 January and 30 September last year, there were at least 510 incidents of reported SIM swaps, resulting in 163 cases of financial loss.
These losses amounted to $4.68 million, with the largest single reported loss being $463,782.
*Names withheld over privacy concerns.
Do you know more or have a similar story? Continue the conversation | firstname.lastname@example.org | @AlexTurnerCohen