An Auckland man is seeking answers after falling victim to a sophisticated mobile phone scam that almost cost him $20,000.
By Liu Chen of RNZ
Jade Wang was a customer of Kogan Mobile, a third-party operator that uses One NZ's network to provide services.
On April 24, Wang received a text message from One NZ just before 1.30pm, saying his phone number had been swapped to a new SIM.
The message also said Wang should contact One NZ if he had not authorised the activity.
Wang called One NZ, but an operator told him his number had not been registered with the provider before placing him on hold to seek advice.
Wang's call was disconnected while waiting for the operator to return.
However, he didn't receive a return call and wasn't a One NZ customer, and so thought the notification was the result of a system error.
Around 5pm, Wang noticed his mobile phone was out of service.
Wang contacted his wife, who found $19,300 had been withdrawn from their joint account at ANZ in two separate transactions.
The couple contacted the bank and filed a report with police, reporting the loss of photo ID and blocking his bank cards.
"I really panicked," Wang said. "I was in a very bad state emotionally."
How did the money disappear?
An ANZ investigation into the incident showed Wang's internet banking password had been reset using his customer number and a code that was sent to his mobile number, which was then used to verify the request.
After successfully transferring a total of $19,300, a third payment was held by ANZ while additional checks were undertaken.
"(At) 5:38pm, we called your registered mobile and spoke to someone claiming to be you," ANZ said in its report on the investigation. "We had concerns during the call and suspended your internet banking."
On May 6, the bank that received the funds returned $19,300 to Wang.
Wang was "thrilled" to get the money back, expressing shock the fraudster had tried to impersonate him on the phone.
SIM card mystery
Wang has yet to hear how another individual was able to hijack his SIM card.
He received a new SIM card from Kogan Mobile several days after the incident, adding that an investigation had been launched.
However, the results of the investigation have yet to be shared with Wang.
In an email seen by RNZ, One NZ said the alert text message that was sent to Wang was generated because of activity on its network.
Wang's initial call to One NZ had been disconnected as his SIM was in the process of being accessed by a third party, the company said.
When the One NZ agent tried to call Wang back shortly afterwards, they were unable to reach him as his number had been transferred to another SIM card, it said.
"Our investigation indicates that the individuals responsible had access to a significant amount of your personal information," it said.
"This included your full name, credit card details (including expiry date) and the email address used when registering the Kogan SIM.
"At this stage, we are not able to determine how this information was originally obtained."
Shocking speed
Wang was shocked at how quickly the SIM on his phone had been hijacked, losing control of his mobile number in around 15 minutes.
"I feel like the window of time was just too short," he said.
"There was nothing I could do. Just waiting on the phone call (to One NZ) alone took about 10 minutes."
One NZ spokesperson Nicky Preston, who also answered RNZ queries on behalf of Kogan Mobile, said the country's largest wireless carrier had concluded that Wang had suffered a fraudulent SIM swap.
"We have notified the Office of the Privacy Commissioner to alert them of the breach," Preston said.
Preston said there was a balance between making it easy for customers to manage their services and making it harder for fraudsters to exploit them.
"We have introduced a system-enforced 15-minute delay on SIM swaps, which is designed to provide customers with advance warning of potentially unauthorised activity while still allowing legitimate requests to proceed," she said.
"We continue to review this as part of our broader fraud prevention measures. We regularly train and support our customer service teams to recognise and respond to suspected fraud."
Preston said SIM swap fraud was an increasingly common form of identity crime both internationally and within NZ.
It included instances where a fraudster transferred a person's mobile number to another SIM to gain access to calls and text messages, including verification codes.
Preston said One NZ continued to strengthen protections through ongoing improvements to its systems, processes and staff training.
Vigilance warning
Wang warned mobile phone users to be vigilant about alerts they might receive on their devices.
He advised users to block bank accounts immediately if they received any unusual messages instead of thinking everything would be fine if they didn't click on a link or reply to a problematic message.
He said he still didn't know what personal information had been leaked and how.
"In any case, I think people really need to be careful," he said. "Information leaks are everywhere.
"I honestly don't even know what's safe and what isn't anymore. This whole experience has left me feeling very confused and with very little sense of trust."
Paul Brislen, chief executive of the Telecommunications Forum, the industry group for the telecommunications sector, said this type of fraud was "very unusual".
He warned individuals not to share any identifiable personal details on social media, including home addresses, phone numbers or IRD numbers, as these could be used by scammers.
Brislen said individuals should also use complicated passwords, and an app-based two-factor authentication where possible.
Telecoms companies in New Zealand blocked more than 23,000 malicious domain names that were set up pretending to be anything from banks to insurance companies and around 3 million requests for phishing content over the last few months, Brislen said.
"Scammers are getting pushback right across the board," he said.
"They're finding new avenues to try and steal money off people, and we all need to be very aware, very cognizant of the world we live in."
The Privacy Commissioner said SIM swaps could cause financial harm and identity theft.
It pointed to resources provided by the National Cyber Security Centre in terms of how people could protect themselves against SIM card swapping.
That included being careful about who people shared their identity information with, being creative with their account recovery questions, using an app-based two-factor authentication and checking their provider's policy, including what the process was for moving a mobile number to a new SIM card.
People were also advised to reset their important online accounts, making their online banking and email accounts a priority.
The morning's headlines in 90 seconds, including President Xi’s message to President Trump, what the Māori Queen told King Charles, and why Sporty Spice is teaching fitness classes. (Source: 1News)
SHARE ME