[00:00:04] Alex Quilici: People do everything on their phones now.
They do their banking, they do bill paying on phones.
[00:00:24] Bob: So our phone is almost our password at this point.
[00:00:27] Alex Quilici: It is and it’s the big motivation for SIM swaps.
If they get your phone number and control of it, then it’s like they have your password.
(MUSIC SEGUE)
[00:00:07] Bob: Welcome back to The Perfect Scam.
I’m your host, Bob Sullivan.
In many ways, our phones are now our passwords.
They’re often the key to logging into our bank accounts, our work computers.
Those short text messages with secret codes seem to rule our lives now.
Criminals have taken notice, and they’ve figured out a diabolical way to intercept these messages.
To impersonate our phones, and in so doing, impersonate ourselves.
Today, you’ll hear from a victim who was targeted by this kind of phone hijacking attack.
And before the day was over, tens of thousands of dollars had been stolen from him.
But the good news is, today’s episode comes with homework.
There’s a five minute fix for this problem, one you could probably do yourself.
To be honest, a fix I didn’t know about until we worked on this story.
I’ll soon explain how it’s done.
But first, we want to verify you understand the problem.
So, meet Jeff Drobman from Los Angeles.
He was on his way to lunch recently.
On his way to a first date.
When, innocently enough, His mobile phone suddenly stopped working.
So I couldn’t get home really quickly to deal with all of this.
All of a sudden, just suddenly, it says SOS instead of a cellular service.
It’ll say SOS if you have no service.
So anyways, that’s when I noticed something was wrong.
I don’t know, but I was meeting with somebody.
Actually, it was a first blind date, so I didn’t want to screw that up.
[00:02:27] Bob: Oh my God, all the pressure.
[00:02:44] Jeff Drobman: It’s about noon, my time.
I started getting a flurry of fraud alerts from Bank of America.
Someone’s trying to access your account.
Someone just changed your password.
I go, oh my god, if this wasn’t you, call us.
Well, okay, great.
How can I call you?
My phone’s been disabled.
[00:02:59] Bob: Still, he somehow manages to enjoy lunch.
[00:03:04] Jeff Drobman: Yeah, I was actually at the Grove in Hollywood.
That was a great place.
I didn’t want to leave, but I had to go.
Jeff calls his cell phone provider first so he can get that up and running.
I said, yeah, it wasn’t me.
They go, oh, okay.
Okay, that’s not okay.
He’s gotten those disturbing alerts about someone trying to access his account.
[00:04:01] Jeff Drobman: Yes, about 4 or 4:30, something like that.
[00:04:07] Jeff Drobman: Yep, you hit the nail on the head there.
But by then it was too late.
They’d already stolen my money.
And I said, well, what do I do now?
And they said, well, your bank is closed.
So wait till tomorrow, but go into your bank tomorrow morning.
See what’s going on.
[00:04:37] Bob: This seems like a heck of an afternoon.
[00:04:39] Yeah.
It was a nightmare.
Not even on Elm Street.
It was a nightmare on my street.
[00:04:44] Bob: How bad was it at that moment?
Did you get a sense like, wow, my money’s gone or?
[00:04:49] Jeff Drobman: No, they just said, goodbye.
Go to your bank.
[00:04:55] Jeff Drobman: Well, they locked my account.
I said, yeah, but then I can’t use my account.
That’s correct, sir.
you’ve got the option to’t use your account.
[00:05:04] Bob: Wonderful.
[00:05:20] Jeff Drobman: And she goes and logs in.
She says, I can log into your account.
you’re free to’t, but I can log into your account.
[00:05:31] Bob: (sighs)
[00:05:32] Jeff Drobman: Chicago.
[00:05:33] Bob: What did you think of that?
[00:05:35] Jeff Drobman: I was astonished and flabbergasted and frustrated.
All those feelings mixed together.
[00:05:41] Bob: $21,000 has been stolen from him.
All while his phone had stopped working.
That can’t be a coincidence.
The teller offers a few more details.
Because they have limits, right?
[00:06:30] Jeff Drobman: No, Not ever.
[00:06:31] Bob: Jeff’s heart is up in his throat.
What is he supposed to do now?
What does she tell you to do?
[00:06:41] Jeff Drobman: She said, well, you file a fraud report.
And I said, yeah, let’s do that.
So I filed a fraud report.
[00:06:55] Bob: I’m hoping they’ll decide?
[00:06:59] Jeff Drobman: She said, they probably will, but I can’t guarantee that.
[00:07:02] Bob: Can’t guarantee that?
How does she deal with the immediate problem?
[00:07:21] Jeff Drobman: Yeah, so that’s the annoying part too.
And also they did that with my credit card too.
So just to be safe.
[00:07:35] Bob: Yeah.
And that’s much more of a hassle than people realize unless they’ve been through it.
And I had, yeah.
[00:07:43] Bob: So it’s a real pain when you have to do all this.
[00:07:45] Jeff Drobman: Uh, yes, yes.
It’s got a, it’s a snake with many tails.
That’s for sure.
[00:07:59] Jeff Drobman: Well, it was back to normal for all of two hours.
Two hours, my phone goes dead again.
I got the SOS signal, I go, oh my god.
[00:08:08] Bob: Jeff’s phone has died.
And now he knows what that might mean.
They said they wanted your phone number.
I said, well, you guys can’t do that.
[00:08:37] Bob: And that works for one day.
[00:08:41] Jeff Drobman: The next day I got my phone locked again.
[00:08:52] Bob: This is just crazy.
Three times in one day.
[00:08:56] Jeff Drobman: Right.
Well, the next day too.
But you know what would make that process even worse?
Oh, and here’s the stupid thing.
So they closed that one and gave me a third account number.
And while the attacks come rapid fire, the fix is decidedly slower.
I went in there, any good news?
What’s going on?
We don’t know.
Can you check, you know, can you check my fraud status?
Eventually, I was able to log back into my own account and check my fraud status.
[00:10:16] Bob: But what about the $21,000?
[00:10:21] Bob: So when did the bank finally call you with some good news?
[00:10:24] Jeff Drobman: They never once called me.
[00:10:25] Bob: Wonderful.
One day the money just reappeared in your online banking?
Is that what happened?
[00:10:33] Jeff Drobman: Um, well, yeah, a month later, just.
[00:10:35] Bob: It took a month?
[00:10:36] Jeff Drobman: One month.
[00:10:37] Bob: To get your…
[00:10:38] Jeff Drobman: One month later.
[00:10:40] Bob: To get $21,000, that’s crazy.
[00:10:42] Bob: So what is going on here?
How did criminals manage to make $21,000 worth of withdrawals from Jeff’s accounts?
And why did that happen at the same time his cell phone stopped working?
Jeff was targeted by what’s called a SIM swapping attack.
So a SIM swap basically switches your phone number to another SIM on another gadget.
[00:11:44] Alex Quilici: It’s absolutely crazy, right?
People do everything on their phones now.
They do their banking on their phones.
They do bill paying on phones.
[00:12:08] Bob: So our phone is almost our password at this point.
If they get your phone number and control of it, then it’s like they have your password.
Perhaps you remember a time when physical SIM cards were standard.
Today, many carriers use eSIM cards, virtual cards, so the change happens in software.
But today, they can be done remotely.
[00:13:30] Bob: Jeff got a very painful lesson.
and SIM Swap attacks during this episode.
[00:13:35] Jeff Drobman: That’s the huge issue here.
And, uh, we all thought, well, that’s safe.
That’s got to be perfectly safe.
They send a code to my phone.
No one else has my phone.
I have my phone.
I text back the code.
And they’re going, yeah, that’s, that’s how we do that.
So these criminals have figured out how easy it is to steal your phone.
Hey, can you transfer this?
My phone number, which was my phone number.
Can you transfer this phone number to my new phone?
They said, sure, no problem.
And so we thought that text back codes were perfect because the phone is something you have.
[00:14:34] Bob: That’s certainly enough to make anyone paranoid and well, Jeff sure is.
Every time there’s a cell phone internet blip, well, he’s worried he might be robbed.
[00:14:44] Bob: It must be a part of your life now.
How do you feel?
We all go through these dead zones with our cell phones where suddenly the phone doesn’t work.
Aren’t you worried every time that someone’s hacking your bank again?
[00:14:53] Jeff Drobman: Yeah, do you like getting electric shocks?
That’s my electric shock.
[00:15:03] Bob: There have been several high profile SIM swap attacks.
Especially because smartphones often act as passwords for high value crypto accounts.
Investor Michael Turpin had 24 million stolen from him.
He was the subject of aPerfect Scamepisode about a year ago.
But today, SIM swap attacks are hitting all kinds of account holders.
[00:15:26] Bob: Can you give me some idea of scale here?
Can you give me some idea of how the scale of the problem?
So they seem to be escalating in terms of, you know, the number of attempts here.
Why would a company named YouMail know about SIM swapping?
And how do they get it?
[00:16:32] Alex Quilici: Well, what we usually see are suspicious things.
And so if they’re doing that, that means they didn’t ask for the 2FA code.
So someone else has got that 2FA code generated for them and is trying to take over their phone.
Now they’re actually going after people with very specific data for those people.
They may have other information that they need.
then convinces you, Hey, this really is my bank.
And I think the danger level has gone way up.
The volume has gone down, but the bad guys are getting, you know, smarter and smarter.
And that’s one reason he really wanted to speak to us.
[00:17:55] Jeff Drobman: Well, time, money, aggravation, frustration, yes.
And the fact that they hacked my phone multiple times, so I was never sure.
That I was safe from that.
It also kind of messes up my account with them.
I keep having to do these, uh, SIM swap back to my phone.
But the main thing is hopefully everyone’s hurt of the idea of SIM Swap.
[00:18:16] Bob: As you’re free to tell, Jeff is still a bit frustrated.
So I said, I have an address for them.
Are you going to arrest these guys?
Well, we don’t know.
I only became aware of these recently when I got a new physical debit card.
Not unlike paying with Apple Pay.
So you think that they hacked into my bank account for steal money out of my bank account.
And also to request a virtual debit card, which they could get immediately.
So that was the other key.
That’s why these guys are pretty sophisticated.
So they got a virtual debit card.
And so that was what they used when they walk into the bank.
They said they apparently must have shown them the virtual debit card.
[00:20:11] Bob: Okay, so my question is this.
They were, the bank was sending you fraud alerts?
[00:20:15] Jeff Drobman: Yes.
[00:20:16] Bob: Actively, multiple fraud alerts.
But yet still allowed someone to take cash four different times in the thousands of dollars.
How did the bank explain that?
I mean, what’s the point of the fraud alert if to not hold up the transaction?
[00:20:27] Jeff Drobman: You’re absolutely right.
If they suspect fraud, why would they hand over 21,000 in cash?
Would you like those in tens or twenties or fifties?
Here you go, buddy.
[00:20:42] Jeff Drobman: Yeah, it should be the reverse.
Until we hear from you, we’re not going to give out any money.
[00:20:46] Bob: Yeah.
[00:20:47] Jeff Drobman: That’s what it should be.
Nothing is perfect, of course, but I’ll let Alex explain.
[00:21:01] Bob: This seems rather helpless.
[00:21:02] Alex Quilici: Well, I don’t think it’s helpless.
I mean, there’s a number of things people can do.
And so that’s a really great level of protection.
But that is a big part of protecting yourself is making sure that feature is on your wireless carrier.
[00:21:44] Alex Quilici: I absolutely, that’s the first thing you should do.
It’s a pretty easy thing to find on their website.
It takes a couple minutes to turn it on.
It’s worth the hassle when you get another phone later on, or you want to do something.
It’s just like a credit freeze.
There is a significant amount of protection by doing that.
[00:22:06] Alex Quilici: Well, they have, but that usually involves people.
So one of the most famous SIM swaps is, uh, a gentleman named Michael Turpin.
And so the employees just switched it regardless of everything else.
[00:22:32] Bob: Okay.
I did it with my carrier, as soon as I got off the phone with Alex.
The experience should be pretty similar for you.
you might call your carrier and ask for it too.
Jeff really hopes you do.
[00:22:56] Jeff Drobman: So there’s two levels of protection to advise everybody out there.
So see to it you do at least that.
[00:23:36] Alex Quilici: The one other thing that’s important.
So an example is, uh, my wife got one a few days ago.
To Google and put some of that stuff together.
And we see more and more of it.
And you could imagine, these are hard to detect.
The way we knew it was suspicious was one, we know our daughter, right?
It didn’t, didn’t mention who, like, it was nothing.
There was no meat on the bone.
So we were very comfortable with the scam and, you know, worked to get it shut off.
But I think that’s what people are, are seeing more and more of.
Now they know about the person.
They might know what, because of social media says where they went on vacation.
This is a really tough world for people.
[00:25:21] Bob: Yeah.
I mean, so, you know, every time there was one of those massive data leaks.
[00:25:39] Alex Quilici: It freaked her out at first.
[00:25:40] Bob: Yeah, sure.
[00:25:41] Alex Quilici: Right?
[00:25:47] Bob: Good for you, way to go, yeah.
They didn’t say who they were.
They’re saying, I’m just filing a demand.
Like that, you know, a letter, this is just suspicious.
Trust me, this isn’t real.
I can get out of this for 500 bucks.
Let me just do it.
So they don’t have time to make personal messages like that.
But some, something is going on.
I wonder if they’re using ChatGPT or something to write these things up.
[00:26:27] Alex Quilici: I actually looked at that.
And the simple answer was with basic prompts, no.
They would easily find my wife and daughter’s names that.
It’s been in the paper before for local things.
It’s not hard, right, to kind of put that together.
Let’s find out everything we can and let’s actually put some effort into going after it.
[00:27:13] Bob: Wow.
[00:27:23] Bob: There is one other important suggestion Alex has.
And those are much harder to break.
So I tend to stay away from SMS for accounts that really matter to me.
[00:28:25] Bob: Could you say that a little bit more about that?
I think that’s really interesting.
And to me, that’s the preferred solution, even if it’s sort of the biggest pain.
One is Someone who’s hacked your SIM wouldn’t get it, right?
Well, his phone doesn’t work.
[00:29:16] Alex Quilici: Exactly, right?
That’s the problem.
For the perfect scam, I’m Bob Sullivan.
Call the AARP Fraud Watch data pipe Helpline at 877-908-3360.
Their trained fraud specialists can provide you with free support and guidance on what to do next.
That address again is: theperfectscampodcast@aarp.org.
Be sure to find us on Apple Podcasts, Spotify, or wherever you listen to podcasts.
For AARP’s The Perfect Scam, I’m Bob Sullivan.
