The SIM-Swap Crypto Scam Out to Take Your Bitcoin

A SIM-Swap crypto scam aims to steal your crypto. Here's how to protect yourself against this "phone porting" danger.

Unfortunately, crims will be crims and are out to scam you in new and inventive ways. A dangerous process called “phone porting” can be used to gain access via your banking apps or your crypto apps.

Phone porting is also known as a port-out scam, SIM splitting, simjacking, and SIM swapping. In this process, criminals convince your mobile carrier to transfer your phone number to a new SIM card under their control.

Phone porting is a method used by criminals (we call them ‘bad actors’) to steal your funds. Here’s what you need to know to minimise your chances of this happening.

Phone porting fraud

In one example, a CoinJar customer had the heart-stopping experience of a bad actor trying to break into her crypto account. She urgently contacted CoinJar in a panic to try to stop it.

Our customer, Melanie, said that the bad actor had accessed her phone and locked her out of it.

Then, they changed her phone number and details to their details. Melanie explained that the bad actor had already got into her bank accounts and managed to withdraw money, and they were actively working to break into her CoinJar account.

Melanie messaged CoinJar urgently, and CoinJar’s Security Team froze Melanie’s account and started the process to verify her identity.

She said, “Lucas was switched on and used video ID to save my account.”

What is phone porting?

Phone porting is when criminals try to steal your phone number by calling your phone company claiming to be you. They say they have bought a new phone and need to switch the old number to the new phone.

All they need to steal your number like this is to get hold of your name, address, and birthdate. They can then switch your phone number to their own phone.

How do you know this has happened? Suddenly, your phone stops working. It’s because your number has been ported (hence the term ‘phone porting’) and the bad actors start receiving all your calls and messages - including any two factor authentication codes.

After this, they can use your mobile number to impersonate you via phone call, reset your banking passwords, access your crypto accounts, or even pretend to be you online.

How CoinJar deals with phone porting

Aaron McDonald is the Compliance Manager for CoinJar Australia. He has been dealing with cases involving phone porting since 2017. “Phone porting is where your number is ported and moved to a different provider. Once it's moved, the SIM card in your phone doesn't work anymore. So you can't get calls, you can't get text messages.”

McDonald said that when Melanie contacted CoinJar, she was really solely focused on saving her crypto. “There have been cases where someone has gotten into a bank account through this exact method, and they've taken all the money. Sometimes the bank will refund this, but sometimes they don’t.”

McDonald said that the first thing that CoinJar did was verify Melanie’s identity. “We always want to make sure we're talking with the correct person because in these cases, when someone takes over your identity, we do have situations where a bad actor will actually contact us as that person. They will say, ‘Why can't I sell my crypto? Why can't I send it to another wallet? What's going on?’ They try to trick us into removing those restrictions.”

Be ready to show ID

The first thing you need to know is that if you need help from CoinJar, be ready to prove who you are, and have your ID ready.

Meanwhile, the bad actors were working fast. Says McDonald, “In the midst of Melanie contacting us, the bad actors managed to get into her CoinJar account and they changed the email attached to her account to a different one.”

CoinJar then received emails from the bad actor, impersonating Melanie. Meanwhile, Melanie had created a new email account to be able to talk to CoinJar staff, and was saying, “Please freeze my account! Don't let anything happen to it!”

At the same time, Melanie was receiving emails from the bad actors with threats, attempting to extort her - they said they wouldn’t take her crypto if she paid them $1200 immediately.

There were also emails from the bad actor saying, “Unfreeze my account, why can't I send my money? If you don't do this, I'm going to report you to the regulator!”

McDonald says that the bad actors “really love turning those psychological screws.”

However, Melanie, via her new email account, was already sending identity documents, and she went on a live video chat to prove that she was a real person.

McDonald added, “Ultimately we were able to get her account back.”

This complete identity takeover all started from her phone number being ported. But there are things that are still a mystery: How did they get her date of birth? How did they get other details? Did they get her passwords? There are a lot of unknowns.

How would someone know my details?

Phone porting is a real threat to our personal security. But why should you care? Your phone number is an extension of your identity. When part of your identity is stolen, it can be used to gain access to other services and products that you regularly use.

Major companies like Optus, Medibank, Telstra, LinkedIn, and even government agencies like the ATO and Court Service Victoria have fallen victim to data breaches.

These incidents compromise user data on a massive scale. Your personal information — name, date of birth, address, document numbers, expiry dates, mobile numbers, and email addresses — can end up for sale on the dark web.

Armed with your personal data, criminals impersonate you by convincing your mobile carrier to transfer your phone number to a new SIM card under their control. Once they have access to your text messages and calls, they can compromise other services.

Those other services might be as innocent as your Netflix subscription, but could be as dangerous as your email account (think about times when you have emailed a copy of your licence or passport) or your bank account.

Phone porting can lead to devastating consequences. Imagine waking up to drained bank accounts, unauthorised credit card transactions, and compromised social media profiles. Your identity is at risk, and the fallout can be financially and emotionally distressing.

How do mobile carriers protect against phone porting?

Mobile carriers have strengthened their processes around phone porting requests, such as introducing further identity verification checks (like completing an in-store ID check). In addition, new delays have been introduced when completing a SIM swap online in case the request was not initiated by the owner of the phone number.

How to report cybercrime or scams

Phone porting, extortion, and theft are crimes. Crimes where computers are an integral part of an offence, such as online fraud, are called cybercrimes. If this happens to you, it is important to report it.

McDonald says that for people who have suffered through this, don't delete any text messages. “Don't delete phone call records either, keep everything and give it to the police when you make a report.”

Contacting CoinJar quickly is important. “If someone contacts us saying their account has been compromised, we're very quick to respond as we get instant real-time alerts. Usually we can respond much quicker than a bank. Sometimes you can be waiting for 20 minutes calling a bank, just to get through to someone to say, ‘My account has been compromised!’ Every second counts.”

Tips to stay safe online

Never reuse passwords

Use a password manager to have unique passwords for every single account you own. Options here include iCloud Keychain, Bitwarden, and 1Password.

Don’t use SMS as your two-factor authenticator

Instead, use an authenticator app.

Get a second mobile number for crypto accounts and banking.

If you must use SMS for two factor authentication, you can buy a number for SMS only that nobody knows about. Most modern phones can have two SIM cards installed, or two eSIMs configured. This setup means you can have one phone number for your regular use and a number, known only to you, for SMS two factor authentication.

You can get a SIM card from Aldi, for example, for a $5 once-off fee and then a fee of just $15 per annum (at the time of writing), but check here for any updates.

The Aldi SIM allows global roaming and the majority of phones support two SIM cards.

Don’t talk about your crypto.

Don’t tell people you have online accounts or hardware wallets. Don’t make yourself a target.

Use a different email for different services

For example, you might use one email address for shopping, another for social media, and yet another for work-related matters. This way, if one email address gets compromised, it doesn’t affect the others. You can set up a new email address and get all emails forwarded on to your main email address, for example.

The “+” trick: Some email providers, like Gmail and Google Workspace, allow you to use a clever trick. You can add a plus sign (+) and any word to the end of the name part of your email address, just before the “@” symbol.

For instance, if your email address is youremailaddress@gmail.com, you can create variations like youremailaddress+shopping@gmail.com or youremailaddress+work@gmail.com.

These variations all lead to the same inbox but act like separate compartments. So, emails sent to youremailaddress+shopping@gmail.com will still arrive in your main inbox, but you can easily filter and organise them.

By using this trick, you don’t need to set up completely new email addresses for different services. Instead, you create virtual compartments within your existing inbox.

If you sign up for an online service (let’s say a cryptocurrency platform like CoinJar), use the youremailaddress+coinjar@gmail.com variation. If you start receiving spam or want to organise your emails better, you can filter based on these variations.
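The filtering idea above can also be used as a leak and phishing check. The following is an added example, not CoinJar's code: it assumes you keep a small map of which sender domains belong to each “+” variation you handed out, and the sender domains and messages shown are constructed placeholders.

```python
from email.utils import parseaddr

# Assumption: sender domains you expect for each "+tag" (placeholder domains).
EXPECTED = {"coinjar": {"coinjar.example"}, "shopping": {"example-shop.test"}}

# Constructed sample (From, To) header pairs.
MESSAGES = [
    ("CoinJar <support@coinjar.example>", "youremailaddress+coinjar@gmail.com"),
    ("Deals <promo@bulk-mailer.test>", "youremailaddress+shopping@gmail.com"),
    ("CoinJar Security <alerts@coinjar.example>", "youremailaddress@gmail.com"),
    ("News <news@mail.example-shop.test>", "youremailaddress+shopping@gmail.com"),
]

def split_plus(address):
    """Return (base_address, tag) for 'user+tag@domain'; tag is None if absent."""
    _, addr = parseaddr(address)
    local, _, domain = addr.lower().rpartition("@")
    user, plus, tag = local.partition("+")
    return f"{user}@{domain}", (tag if plus else None)

def sender_domain(address):
    """Domain part of the From header, lower-cased."""
    _, addr = parseaddr(address)
    return addr.lower().rpartition("@")[2]

def domain_matches(domain, allowed):
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)

def review(messages, expected=EXPECTED):
    """Flag mail that does not fit the tag-to-service map."""
    findings = []
    for sender, recipient in messages:
        _, tag = split_plus(recipient)
        dom = sender_domain(sender)
        if tag in expected and not domain_matches(dom, expected[tag]):
            # The tagged address reached someone else: it was shared or leaked.
            findings.append((sender, recipient, f"+{tag} used by unexpected sender"))
        elif tag is None:
            # From headers can be forged; a real service would write to its tag.
            for name, allowed in expected.items():
                if domain_matches(dom, allowed):
                    findings.append((sender, recipient, f"claims {name}, not sent to +{name}"))
    return findings

if __name__ == "__main__":
    for finding in review(MESSAGES):
        print(finding)
```
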

Secure your wireless network

Imagine your home network as a fortress. Keeping it secure is essential to prevent cyber threats.

Never allow unknown devices or strangers to join your wireless network, and ensure that your wireless network uses a strong password shared only with people you trust. If your wireless network came with a default password, change it to a unique password.

Secure your devices

Your devices should always use biometrics (facial recognition or fingerprint recognition) where available. If these features aren’t available, you should set a strong PIN or passcode.

Your PIN or passcode should contain letters and numbers, and should never be an easy-to-guess number like 0000, 1234 or your year of birth. Where available, enable the same features on individual apps, especially banking apps.

Identity and credit monitoring

Equifax Credit and Identity Protect is a subscription service designed to help you manage your credit profile and reduce the risk of identity theft.

Equifax helps by doing dark web monitoring. It checks if your info shows up on shady parts of the internet.

You’ll get notified if anything important changes in your credit report. You can insure against identity theft too.

Hardware wallets and backup phrases

If you have a hardware wallet (a secure device for storing your cryptocurrency), it’s crucial to save your backup phrase.

A backup phrase is like a secret code that allows you to recover your crypto if you lose access to your wallet.

You can use products like Cryptosteel Capsule Solo or Cryptotag Zeus to securely store this backup phrase. Hide it somewhere safe where nobody else can find it.

When purchasing a hardware wallet, always buy directly from the official Ledger or Trezor website. Be cautious because there are fake wallets out there that look identical but can steal your funds.

Remember: You should never store your backup or recovery phrase online.

Self-Managed Superfund (SMSF)

If you’re using your hardware wallet within a self-managed superfund (SMSF), consult your accountant and auditor first.

Make sure your SMSF allows you to store your crypto independently.

Sharing access

If you’re using a hardware wallet or any other self-hosted wallet, ensure your friends and family know how to access your crypto. This way, if something happens to you, they can still retrieve it.

However, if you store your crypto in your CoinJar account, you don’t need to worry about this step.

Some extra resources:

Unique passwords: Click here.

Risks of non-unique passwords: Click here.

Creating strong passwords: Click here

Scams advice: Click here

2FA (Enhanced Security): Click here

One-time password: Click here

What can I do if I’ve been scammed?

Make a report to ReportCyber and Scamwatch

This is the fastest way to get the case referred to the correct law enforcement agency to investigate. If you submit the report online, you might be able to visit a police station and make an in-person report as well, providing them the reference number from ReportCyber for their records.

You can create a new report online here, and it should only take about 15 minutes to complete:

https://www.cyber.gov.au/report-and-recover/report

You can also make a report to Scamwatch:

https://www.scamwatch.gov.au/report-a-scam

Contact IDCare

IDCare offers Identity & Cyber Security Case Managers who listen and provide advice on next steps and how to keep yourself safe online.

https://www.idcare.org/contact/get-help

Support your mental health

Speak with Lifeline Australia – they are available 24 hours a day, 7 days a week, and offer crisis support over phone, online chat or text:

Phone: 13 11 14

SMS: 0477 13 11 14

Online Chat: https://www.lifeline.org.au/crisis-chat/

You can also reach out to Beyond Blue.

Frequently asked questions

What is SIM swap fraud?

SIM swap fraud (also called phone porting) is a type of account takeover that targets a weakness in two-factor authentication (2FA) or two-step verification.

In this scam, attackers manipulate mobile carriers to transfer a victim’s phone number to a new SIM card they control.

Once they gain control of the victim’s number, they can intercept calls, texts, and security codes meant for the victim.

How does SIM swapping work?

Scammers use social engineering tactics to collect personal information about the victim, with the aim of gaining access to their bank and crypto accounts.

They impersonate the victim and contact the mobile carrier, requesting a SIM card transfer.

The victim’s phone number is then linked to the scammer’s SIM card, granting them access to sensitive accounts.

What regions of the world does this happen in?

SIM swapping happens anywhere SMS is used. Hong Kong, Europe, Australia and the US are all hotspots of SIM swapping attacks.

What is the National Anti-Scam Centre?

The National Anti-Scam Centre was launched in Australia to combat scams. It coordinates efforts across government, law enforcement, and the private sector to protect Australians from fraud.

How can I prevent SIM swapping?

Be cautious with personal details shared online, as scammers use them to answer security questions.

Regularly monitor your accounts and report any suspicious activity to prevent SIM swapping attacks.

Why are standard calls vulnerable?

Standard calls are used to verify identity during SIM swaps. Scammers exploit this process to gain unauthorised access to victims’ accounts.

What should I do to protect my mobile phone?

Use strong two-factor authentication methods beyond just SMS.

Consider using authenticator apps or hardware tokens instead of relying solely on text messages.

How can I safeguard my phone number / mobile network?

Only buy SIM cards or phones directly from trusted sources.

Regularly check your accounts for any unusual activity.

Speak with your mobile carrier to ask if they can enable additional checks any time a request is made to begin a SIM swap.

Remember, staying informed and vigilant is crucial in preventing SIM swap fraud and protecting your personal information. If you notice any suspicious activity, report it promptly to the relevant authorities or your mobile carrier.
