SIM Swapping: Scammers Hijack Smartphones and Steal Thousands

Play all audios:

By AARP Published December 13, 2024

Subscribe: Apple Podcasts | Amazon Music | Spotify | TuneIn

We use our smartphones for just about everything these days, and that makes them a prime target for scammers. Online banking often relies on a code sent in a text message to verify the

account holder's identity, but criminals have figured out a way to impersonate the phone and intercept these messages. This is exactly what happens when Jeff receives an SOS message on his

phone, and before the day is over, thieves steal tens of thousands of dollars from him. The good news is, there's a simple thing we can all do to safeguard our phones and our accounts

today.

Full Transcript Open All SIM Swapping: Scammers Hijack Smartphones and Steal Thousands

(MUSIC INTRO)

[00:00:01] Bob: This week on The Perfect Scam.

[00:00:04] Alex Quilici: People do everything on their phones now. They do their banking, they do bill paying on phones. And so a lot of your financial history and financial accounts are

accessible through your phones, which makes it a prime target. And even if you do work on your desktop, when you log in, they text your phone as a 2FA to let you in, which means your phone's

involved everywhere.

[00:00:24] Bob: So our phone is almost our password at this point.

[00:00:27] Alex Quilici: It is and it's the big motivation for SIM swaps. If they get your phone number and control of it, then it's like they have your password.

(MUSIC SEGUE)

[00:00:07] Bob: Welcome back to The Perfect Scam. I'm your host, Bob Sullivan. In many ways, our phones are now our passwords. They're often the key to logging into our bank accounts, our

work computers. Those short text messages with secret codes seem to rule our lives now. Criminals have taken notice, and they've figured out a diabolical way to intercept these messages. To

impersonate our phones, and in so doing, impersonate ourselves. Today, you'll hear from a victim who was targeted by this kind of phone hijacking attack. And before the day was over, tens of

thousands of dollars had been stolen from him. But the good news is, today's episode comes with homework. There's a five minute fix for this problem, one you could probably do yourself. To

be honest, a fix I didn't know about until we worked on this story. I'll soon explain how it's done. But first, we want to make sure you understand the problem. So, meet Jeff Drobman from

Los Angeles. He was on his way to lunch recently. On his way to a first date. When, innocently enough, His mobile phone suddenly stopped working.

[00:01:49] Jeff Drobman: Yes, I was having lunch with a friend out in Hollywood, which is an hour drive from where I live. So I couldn't get home really quickly to deal with all of this. So

what happened was I was trying to call that person and I noticed that my phone wasn't working. All of a sudden, just suddenly, it says SOS instead of a cellular service. It'll say SOS if you

have no service. So anyways, that's when I noticed something was wrong. So I'm thinking maybe a cell tower went down or something, you know, why am I not getting service? I don't know, but

I was meeting with somebody. Actually, it was a first blind date, so I didn't want to screw that up.

[00:02:27] Bob: Oh my God, all the pressure.

[00:02:31] Bob: So Jeff puts aside the phone issue for a while, tries to focus on the date, but his phone is still trying to get his attention. Calls won't go through, texts won't go

through, but he is getting emails, probably because of a Wi Fi connection.

[00:02:44] Jeff Drobman: It's about noon, my time. I started getting a flurry of fraud alerts from Bank of America. Someone's trying to access your account. Someone just changed your

password. I go, oh my god, if this wasn't you, call us. Well, okay, great. How can I call you? My phone's been disabled.

[00:02:59] Bob: Still, he somehow manages to enjoy lunch.

[00:03:04] Jeff Drobman: Yeah, I was actually at the Grove in Hollywood. That was a great place. I didn't want to leave, but I had to go. It took me an hour to get home, so it was more like

three, four o'clock before I could borrow my neighbor's phone and call in.

[00:03:14] Bob: Using that neighbor's phone, remember, he can't call anyone from his phone. Jeff calls his cell phone provider first so he can get that up and running.

[00:03:23] Jeff Drobman: And they looked up the records and they said, well, somebody had your phone number transferred to their phone. I said, yeah, it wasn't me. They go, oh, okay. Okay,

that's not okay. But I got to the fraud people and they said, Okay, we'll deactivate their phone and we'll reactivate yours, which was not a simple process. They had to take me to a website,

I had to do a QR code, da da da, but eventually my phone was back in service.

[00:03:46] Bob: Okay, so now his phone works, and now he has time to call his bank. He's gotten those disturbing alerts about someone trying to access his account.

[00:03:56] Bob: And by the time all, like, in my head, the clock is ticking towards 4 or 5 pm by now, right?

[00:04:01] Jeff Drobman: Yes, about 4 or 4:30, something like that.

[00:04:03] Bob: So it's also the end of the banking day, and that's another cause for worry, right?

[00:04:07] Jeff Drobman: Yep, you hit the nail on the head there.

[00:04:09] Bob: He gets through on the phone and discovers a series of withdrawals have already hit his account.

[00:04:17] Jeff Drobman: They said, okay, we'll, we'll denote that the fraud will shut down your account. But by then it was too late. They'd already stolen my money. So it was, um, letting,

uh, closing the barn door after the cow had got out. And I said, well, what do I do now? And they said, well, your bank is closed. So wait till tomorrow, but go into your bank tomorrow

morning. And. See what's going on.

[00:04:37] Bob: This seems like a heck of an afternoon. My God.

[00:04:39] Yeah. Yes. It was a nightmare. Not even on Elm Street. It was a nightmare on my street.

[00:04:44] Bob: How bad was it at that moment? Did you get a sense like, wow, my money's gone or?

[00:04:49] Jeff Drobman: No, they just said, goodbye. Go to your bank. Leave us alone. Goodbye.

[00:04:53] Bob: And you, you assume, well, the bank's got this under control, right?

[00:04:55] Jeff Drobman: Well, they locked my account. They said, so whatever was stolen was stolen, but they can't steal anymore because we've locked your account. I said, yeah, but then I

can't use my account. That's correct, sir. You can't use your account.

[00:05:04] Bob: Wonderful.

[00:05:06] Bob: And since Jeff can't access his online bank account, he can't really tell what's going on. His worst fears are confirmed the next morning when he goes into the bank and

eventually speaks with a fraud expert.

[00:05:20] Jeff Drobman: And she goes and logs in. She says, I can log into your account. You can't, but I can log into your account. So she logs into my account and she says, “Oh, looks

like $21,000 has been withdrawn at four different bank branches in Chicago.”

[00:05:31] Bob: (sighs)

[00:05:32] Jeff Drobman: Chicago.

[00:05:33] Bob: What did you think of that?

[00:05:35] Jeff Drobman: I was astonished and flabbergasted and frustrated. All those feelings mixed together.

[00:05:41] Bob: $21,000 has been stolen from him. All while his phone had stopped working. That can't be a coincidence. The teller offers a few more details.

[00:05:53] Jeff Drobman: The bank fraud person I was dealing with told me, I see here, that apparently what happened is they, the criminal group in Chicago of all places, walked into a bank

branch and said, uh, “Yeah, we want to withdraw, you know, how much cash can we withdraw from the account today?” Because they have limits, right? And so they did a 3,000 and a 4000 and a

7000 or an 8,000 for four different times they withdrew cash. And then they, she told me, it looks like they went into a fifth branch and they finally got wise to it and said no.

[00:06:25] Bob: Have you ever gone into a bank and withdrawn more than a couple hundred dollars?

[00:06:30] Jeff Drobman: No, Not ever.

[00:06:31] Bob: Jeff's heart is up in his throat. What is he supposed to do now?

[00:06:36] Bob: And you're talking to this person who says $21,000 has been stolen and you're shocked. What does she tell you to do?

[00:06:41] Jeff Drobman: She said, well, you file a fraud report. And I said, yeah, let's do that. So I filed a fraud report.

[00:06:47] Bob: And does she reassure you, don't worry, you'll get the money back?

[00:06:50] Jeff Drobman: She said, I'm hoping that they'll decide to give you your money back, but I can't guarantee that.

[00:06:55] Bob: I'm hoping they'll decide? That sounds terrible.

[00:06:59] Jeff Drobman: She said, they probably will, but I can't guarantee that.

[00:07:02] Bob: Can't guarantee that? Wow. But there's nothing else Jeff can do at this point other than, well, remember his account has been deactivated, so to get access to any money, he

has to...

[00:07:17] Bob: So does she open a new account for you? How does she deal with the immediate problem?

[00:07:21] Jeff Drobman: Yeah, so that's the annoying part too. They have to close that account, open a whole new checking account, throw out all your printed checks, throw out your old

debit card, and we'll mail you a new debit card. And also they did that with my credit card too. So just to be safe.

[00:07:35] Bob: Yeah. And that's much more of a hassle than people realize unless they've been through it.

[00:07:38] Jeff Drobman: Well, especially with the credit card, because I auto bill a fair number to that credit card. And I had, yeah.

[00:07:43] Bob: So it's a real pain when you have to do all this.

[00:07:45] Jeff Drobman: Uh, yes, yes. It's got a, it's a snake with many tails. That's for sure.

[00:07:50] Bob: But at least by the time he leaves the bank, he's got a working phone and a working bank account, so things are back to normal ish.

[00:07:59] Jeff Drobman: Well, it was back to normal for all of two hours. Two hours, my phone goes dead again. I got the SOS signal, I go, oh my god.

[00:08:08] Bob: Jeff's phone has died. Again. And now he knows what that might mean. Last time that happened, $21,000 was stolen from him, so he quickly calls his cell phone provider.

[00:08:21] Jeff Drobman: So I call him back and said, yeah, we transferred your phone to these other people. They said they wanted your phone number. I said, well, you guys can't do that. So

they transferred me again to their top fraud guy and he said, okay, I can lock your account so we won't transfer your phone number just because somebody calls and says, please do that.

[00:08:37] Bob: And that works for one day.

[00:08:41] Jeff Drobman: The next day I got my phone locked again. So I called and talked to the guy and I said, okay, I guess I didn't do that right or something. So yeah, so yeah, now your

phone is definitely locked and we'll assign you a PIN number.

[00:08:52] Bob: This is just crazy. It is crazy. Three times in one day. Yeah.

[00:08:56] Jeff Drobman: Right. Well, the next day too. So, and then I'm holding my breath and crossing the fingers the right way to make sure this doesn't happen a fourth time.

[00:09:03] Bob: And remember, Jeff is trying to port all his automatic payments over to his new bank account, so intermittent cell service isn't exactly helpful. But you know what would make

that process even worse?

[00:09:16] Jeff Drobman: I had to, you know, contact everybody and give them the new account number. Oh, and here's the stupid thing. Just to make matters worse, because why not, they gave

me a new account number, and the next day I went into the bank to see what was going on, and they said, oh, it looks like they're The criminals had gotten a hold of this number, possibly,

because someone's trying to get that account. So they closed that one and gave me a third account number.

[00:09:40] Bob: So, if you're keeping score, there's three confirmed attacks on his cell service and two on his bank account within 24 hours. And while the attacks come rapid fire, the fix

is decidedly slower.

[00:09:54] Jeff Drobman: Well, I went into the bank and talked to that lady many, many times, like just about every day, just about daily. I went in there, any good news? What's going on? We

don't know. Can you check, you know, can you check my fraud status? Eventually, I was able to log back into my own account and check my fraud status. So, they hopefully were able to also

protect my account from being, having my password changed by the criminals yet again.

[00:10:16] Bob: But what about the $21,000?

[00:10:21] Bob: So when did the bank finally call you with some good news?

[00:10:24] Jeff Drobman: They never once called me.

[00:10:25] Bob: Wonderful. Uh, how did you find out they had restored or, you know, uh, approved the dispute? One day the money just reappeared in your online banking? Is that what happened?

[00:10:33] Jeff Drobman: Um, well, yeah, a month later, just.

[00:10:35] Bob: It took a month?

[00:10:36] Jeff Drobman: One month.

[00:10:37] Bob: To get your...

[00:10:38] Jeff Drobman: One month later.

[00:10:40] Bob: To get $21,000, that's crazy.

[00:10:42] Bob: So what is going on here? How did criminals manage to make $21,000 worth of withdrawals from Jeff's accounts? And why did that happen at the same time his cell phone stopped

working? Jeff was targeted by what's called a SIM swapping attack. Here to explain how SIM swap attacks work and how you can protect yourself from them is Alex Quilici, CEO of a security

company named YouMail, which protects consumers from unwanted and unsafe calls, texts, and voicemails.

[00:11:14] Alex Quilici: So the way to think about a SIM swap is a SIM connects your phone number to a device. So a SIM swap basically switches your phone number to another SIM on another

device. And once somebody has your phone number on another device, they can do, it's as if they own it, right? So they can do anything you could have done, which means access to bank

accounts and all of that.

[00:11:37] Bob: And I think one of the reasons we've seen a lot more of these attacks is our phones play a much bigger role now in our security. Right?

[00:11:44] Alex Quilici: It's absolutely crazy, right? People do everything on their phones now. They do their banking on their phones. They do bill paying on phones. And so a lot of your

financial history and financial accounts are accessible through your phones, which makes it a prime target. And even if they're not on your phone and you do work on your desktop, when you

[00:12:08] Bob: So our phone is almost our password at this point.

[00:12:11] Alex Quilici: It is, and that's the big part of the problem, and it's the big motivation for SIM swaps. If they get your phone number and control of it, then it's like they have

your password.

[00:12:21] Bob: SIM cards, that word stands for Subscriber Identity Module, tie a piece of hardware, a handset, to a telephone number. Perhaps you remember a time when physical SIM cards

were standard. When you got a new phone, you could yank the SIM card out of one device and put it in another. Today, many carriers use eSIM cards, virtual cards, so the change happens in

software. That's significant because in the past, SIM swap attacks would have required physical access to someone's phone. But today, they can be done remotely. And since all that really

stood between Jeff's bank account and a criminal was a six digit code texted to his smartphone, well a criminal who had hijacked his smartphone could log in and steal his money.

[00:13:10] Alex Quilici: It doesn't surprise me because think about it, when you go to log into a bank account, they text your phone, you put the text in, and now you have full access to the

bank account. So the minute a bad guy has switched over this guy's phone number to their control, it, it happens very fast what they can do at that point, and they're set up to do as much

as possible.

[00:13:30] Bob: Jeff got a very painful lesson. and SIM Swap attacks during this episode.

[00:13:35] Jeff Drobman: That's the huge issue here. The huge issue is everybody, all the banks and all the financial institutions and a lot of others are using text back codes as a way to

authenticate you. And, uh, we all thought, well, that's safe. That's got to be perfectly safe. They send a code to my phone. No one else has my phone. I have my phone. I text back the code.

And they're going, yeah, that's, that's how we do that. So these criminals have figured out how easy it is to steal your phone. So all they had to do was call a suspect and say, Hey, uh,

Hey, Bob, Bill, I just got a new phone. Hey, here. Hey, can you transfer this? My phone number, which was my phone number. Can you transfer this phone number to my new phone? They said,

sure, no problem. Here you go. I used to think I'm, fairly well versed in cybersecurity, I used to think that one of the measures to authenticate yourself is it's not only something you

know, but something you have. And so we thought that text back codes were perfect because the phone is something you have. No one else could have my phone, or if my phone got stolen, I would

have reported that. It never occurred to me that it was that easy to steal your SiM, because they made it an eSIM.

[00:14:34] Bob: That's certainly enough to make anyone paranoid and well, Jeff sure is. Every time there's a cell phone network blip, well, he's worried he might be robbed.

[00:14:44] Bob: It must be a part of your life now. How do you feel? We all go through these dead zones with our cell phones where suddenly the phone doesn't work. Aren't you worried every

time that someone's hacking your bank again?

[00:14:53] Jeff Drobman: Yeah, do you like getting electric shocks? That's my electric shock. Every time I look at my phone and it says SOS, I go, oh no, oh no, hopefully nobody hacked my

phone.

[00:15:03] Bob: There have been several high profile SIM swap attacks. Especially because smartphones often act as passwords for high value crypto accounts. Investor Michael Turpin had 24

million stolen from him. He was the subject of a Perfect Scam episode about a year ago. But today, SIM swap attacks are hitting all kinds of account holders.

[00:15:26] Bob: Can you give me some idea of scale here? Because I started to see a lot of stories about SIM Swap bank attacks, you know, maybe a year or two ago, maybe even longer, but it

seems like they're a big problem now. Can you give me some idea of how the scale of the problem?

[00:15:38] Alex Quilici: So what I've seen recently are statistics for 2023, which estimated somewhere between 80,000 and 100,000 of these SIM swaps. which is up dramatically from 2018 when

I think they estimated 600 and 2021 when it was, you know, four or five thousand. So they seem to be escalating in terms of, you know, the number of attempts here.

[00:15:59] Bob: Just to put a fine point on it, we're talking to you today about SIM swapping. Why would a company named YouMail know about SIM swapping?

[00:16:06] Alex Quilici: Well, one of the big things people need to do SIM swaps is your personal information. And how do they get it? They get it through robocalls, robotext, emails, other

things that are essentially phishing you to try to get you to provide that information. And so we're well aware of SIM swaps simply because we see all the attempts to get the information

that's needed to do those SIM swaps.

[00:16:26] Bob: And given all the network traffic that you see, you probably see a lot of attempts, right?

[00:16:32] Alex Quilici: Well, what we usually see are suspicious things. So one suspicious thing is suddenly someone's getting the six digit two FA codes and they're reporting them as spam.

And so if they're doing that, that means they didn't ask for the 2FA code. So someone else has got that 2FA code generated for them and is trying to take over their phone. So there are

different things that we can see that we think are either a part of a SIM swap or the precursor to a SIM swap.

[00:17:00] Bob: SIM swapping is a bit more alarming now because, as with Jeff, the attacks seem more targeted.

[00:17:07] Alex Quilici: So, you know, two, three years ago, it was spray and pray. There'd be massive numbers of robocalls or massive texts, hoping to get someone to click or someone to

call back or someone to answer and press one. Now they're actually going after people with very specific data for those people. So if they pretend to be a bank, they may have your account

number they got from a data breach. They may have other information that they need. then convinces you, Hey, this really is my bank. And I think the danger level has gone way up. The volume

has gone down, but the bad guys are getting, you know, smarter and smarter. And if you look at the amount of data breaches that are out there, it's, it's crazy, right?

[00:17:45] Bob: And while Jeff did ultimately get his money back, don't say the crime didn't cost him anything. And that's one reason he really wanted to speak to us.

[00:17:55] Jeff Drobman: Well, time, money, aggravation, frustration, yes. And the fact that they hacked my phone multiple times, so I was never sure. That I was safe from that. It also kind

of messes up my account with them. I keep having to do these, uh, SIM swap back to my phone. But the main thing is hopefully everyone's hurt of the idea of SIM Swap.

[00:18:16] Bob: As you can tell, Jeff is still a bit frustrated. He's also left wondering what happened to the criminals who were brazen enough to walk into a bank branch and steal thousands

of dollars.

[00:18:29] Jeff Drobman: Well, I hope they caught these guys 'cause I also gave them a phone number and an address. These guys had the audacity to, while they had access to my bank account,

to request a physical debit card, a new debit card to be mailed to them at this post office box in, not post office, this apartment address in Chicago. So I said, I have an address for them.

Are you going to arrest these guys? Well, we don't know. So I don't know if they ever caught, and they also got a phone number, somebody who was trying to get my phone transferred, and they

actually provided a phone number. So I gave them that phone number, but I never heard if they were able to arrest any of these people.

[00:19:07] Bob: Another important element of Jeff's story is the use of something new called virtual debit cards. I only became aware of these recently when I got a new physical debit card.

My bank added software to my app so I can withdraw cash from an ATM by tapping with my smartphone using this virtual debit card. Not unlike paying with Apple Pay. And that's a nice feature,

but...

[00:19:32] Jeff Drobman: Yes, that was the key to the whole thing. So you think that they hacked into my bank account in order to steal money out of my bank account. But I'm figuring they

were smart enough, so that's why I think they were a pretty smart criminal group, that if they transferred the money to some account that would be traceable. So they apparently hacked into

my account in order to, uh, well one, lock me out, but also to request a physical debit card to be mailed to them. And also to request a virtual debit card, which they could get immediately.

So that was the other key. That's why these guys are pretty sophisticated. So they got a virtual debit card. And so that was what they used when they walk into the bank. They said they

apparently must have shown them the virtual debit card.

[00:20:11] Bob: Okay, so my question is this. They were, the bank was sending you fraud alerts?

[00:20:15] Jeff Drobman: Yes.

[00:20:16] Bob: Actively, multiple fraud alerts. But yet still allowed someone to take cash four different times in the thousands of dollars. How did the bank explain that? I mean, what's

the point of the fraud alert if to not hold up the transaction?

[00:20:27] Jeff Drobman: You're absolutely right. If they suspect fraud, why would they hand over 21,000 in cash? Here you go. Would you like those in tens or twenties or fifties? Here you

go, buddy.

[00:20:35] Bob: Yeah, let me, because the implicit message is, we're sending you this fraud alert, unless we hear from you, we're going to just perform the transaction, which is crazy.

[00:20:42] Jeff Drobman: Yeah, it should be the reverse. Until we hear from you, we're not going to give out any money.

[00:20:46] Bob: Yeah.

[00:20:47] Jeff Drobman: That's what it should be.

[00:20:48] Bob: Okay, so we promised at the top of this episode to give you homework, a simple task that can protect you from a lot of SIM swap attacks. Nothing is perfect, of course, but

I'll let Alex explain.

[00:21:01] Bob: This seems rather helpless.

[00:21:02] Alex Quilici: Well, I don't think it's helpless. I mean, there's a number of things people can do. The number one thing is now the carriers in the US allow you to have something

that they call along the lines of SIM swap protection. And what that basically is, when that's turned on, your phone number can't move from the SIM until you turn that permission back on.

And so that's a really great level of protection. I mean, it's a pain because you get a new phone and a new SIM, you've got to go and make sure you turned it off, do the swap and then turn

it back on. But that is a big part of protecting yourself is making sure that feature is on your wireless carrier.

[00:21:37] Bob: So it sounds like you are, without exception, recommending that people call their carrier Go online and set this up right away.

[00:21:44] Alex Quilici: I absolutely, that's the first thing you should do. It's a pretty easy thing to find on their website. It takes a couple minutes to turn it on. Go do it. It's worth

the hassle when you get another phone later on, or you want to do something. It's just like a credit freeze. There is a significant amount of protection by doing that.

[00:21:59] Bob: So, uh, you know, my first instinct with that is I'm sure that's great, but then also I'm sure the hackers have figured out a way to get around that, right?

[00:22:06] Alex Quilici: Well, they have, but that usually involves people. So one of the most famous SIM swaps is, uh, a gentleman named Michael Turpin. And the way they did the SIM swap

was basically bribe employees at the, uh, at the carrier. And so the employees just switched it regardless of everything else. But that's a lot more difficult to do if they have to go bribe

employees, you know, once you've got this SIM protection setting on.

[00:22:32] Bob: Okay. I'm convinced. I did it with my carrier, as soon as I got off the phone with Alex. The process is a little different with each carrier, but basically I navigated to my

account, to a tab labeled security, and found an on/off toggle for SIM locking. The experience should be pretty similar for you. You can call your carrier and ask for it too. Jeff really

hopes you do.

[00:22:56] Jeff Drobman: So there's two levels of protection to advise everybody out there. One is absolutely contact your cell phone carrier, make sure you have a PIN set up, that they will

not transfer your phone number without the PIN. So make sure you do at least that. In addition to the PIN, I also was able to get them to set a complete anti-fraud lock on my account. So I

have to call the fraud department, authenticate myself there with three or four different ways of authentication. And then, then they'll unlock the fraud lock and then I can use the PIN to

transfer the phone.

[00:23:28] Bob: SIM swap locks are particularly important because Alex says criminal attacks are becoming even more targeted.

[00:23:36] Alex Quilici: The one other thing that's important. What's going on now that I think people should be aware of are what I would call ultra targeted scams. So an example is, uh, my

wife got one a few days ago. She got a text message saying, we, you know, we're going to sue you because your daughter threatened the life of our daughter and all the, you know, this

nonsense with the text, right? And so they knew my daughter's name, they knew my wife's name, they knew her phone number, they knew what high school my daughter had gone, uh, gone to last

year. All of this stuff and mocked up a, you know, very terrible kind of SMS and threatened to sue us and essentially unless we pay the money.

[00:24:10] Bob: Wow

[00:24:10] Alex Quilici: And so that's some real work for someone to do, right? To Google and put some of that stuff together. And we see more and more of it. I know Michael Arrington, who's

Famous in the crypto world of TechCrunch has posted a whole thing on Twitter where they're going after all his friends, pretending to be him with real information about him. And so I think

these kind of super ultra targeted scams are what we have to watch out for now. And you can imagine, these are hard to detect. right? The way we knew it was suspicious was one, we know our

daughter, right? So she's not going to threaten someone's life, but it didn't mention what phone number she had. It didn't, didn't mention who, like, it was nothing. There was no meat on the

bone. So we were very comfortable with the scam and, you know, worked to get it shut off. But I think that's what people are, are seeing more and more of. And, you know, grandparent scams

where it used to just be, “Hey, I'm in jail, send $10,000.” Now they know about the person. They might know what, because of social media says where they went on vacation. So hey, I'm here

in this location in Hawaii and I've been, you know, gotten in an accident, you get bailed in jail. It's, they're, they're getting more and more sophisticated and you throw in, you know,

voice cloning and some of the other stuff there. This is a really tough world for people.

[00:25:21] Bob: Yeah. I mean, so, you know, every time there was one of those massive data leaks. We all sort of speculated, oh, this could one day be used for, you know, highly targeted

attacks. In truth, you know, I haven't heard about a lot of things like you're describing, but what, what your wife received there is, is a stunner to me.

[00:25:39] Alex Quilici: It freaked her out at first.

[00:25:40] Bob: Yeah, sure.

[00:25:41] Alex Quilici: Right? Her first thought was actually, I can't believe my daughter did this, and then I just said, we know our daughter, she'd never do that.

[00:25:47] Bob: Good for you, way to go, yeah.

[00:25:48] Alex Quilici: And on top of that, they didn't have her phone number here as part of the text they were trying to show you, it's all blurred out. They didn't say who they were.

They're saying, I'm just filing a demand. Like that, you know, a letter, this is just suspicious. Trust me, this isn't real. And obviously I used my contacts to try to figure out what was

going on, but you know, a lot of people might go, “Oh my God. Okay. I can get out of this for 500 bucks. Okay. Let me just do it.”

[00:26:09] Bob: You know, and honestly, what you said about that being a lot of work to put together, that that's what has me. on the hook here, because, you know, normally these guys

succeed one out of 10,000 times, right? So they don't have time to make personal messages like that. But some, something is going on. I wonder if they're using ChatGPT or something to write

these things up.

[00:26:27] Alex Quilici: I actually looked at that. And, you know, some of our team was trying to figure out, could they find all of this with chatGPT? And the simple answer was with basic

prompts, no. But if they decided for some reason, you know, to go after me, but they figure I probably know what's going on. They would easily find my wife and daughter's names that. It's

been in the paper before for local things. They could figure out what high school she goes from her, went to, from her Instagram and her TikToks, which now have some, you know, real social

presence. It's not hard, right, to kind of put that together. And I guess if you have cheap labor, you know, in a foreign country somewhere, you can imagine them just doing this. Like, okay,

we want to attack, Let's get a list of people in a particular zip code because that's a reasonably wealthy area. Let's find out everything we can and let's actually put some effort into

going after it.

[00:27:13] Bob: Wow.

[00:27:14] Alex Quilici: And so it's, it's moved from, like I said, spray and pray to very targeted, very direct and, and with some data and other effort behind it to make it seem real.

[00:27:23] Bob: There is one other important suggestion Alex has.

[00:27:27] Alex Quilici: It's a giant pain, but there are things called authenticator apps, which really tie your authentication code to your particular device, not the SIM. And so, for

example, with Gmail, you can make it so the 2FA goes through an authenticator app versus a text, to your phone number or versus, you know, an email with the code. And those are much harder

to break. right? Because they have to have your physical device, because it's generating code specific to knowing that you're on the device that's going to help you get in. And so it's

painful, it adds time, and sometimes it's confusing, but I really recommend that where possible and where it's supported, do the authenticator layer for 2FA versus a text to your SMS. And

secondly, at least for me personally, a lot of times I have the 2FA go to an email address. Because it's harder to break into my email address than I think it is to try to do the SIM swap.

So I tend to stay away from SMS for accounts that really matter to me.

[00:28:25] Bob: Could you say that a little bit more about that? I think that's really interesting. So when you, your bank tells you to put on 2FA and you go there, I assume, it's been a

while since I've done it, you just check a box that says send me a text message, but you can say, send me an email instead.

[00:28:39] Alex Quilici: Usually they'll send me an email and there's usually the third option, at least now more and more, which is use an authentication app, like Microsoft Authenticator

or Google Authenticator. And to me, that's the preferred solution, even if it's sort of the biggest pain.

[00:28:53] Bob: But if you don't want to use an authenticator app, and by the way, I agree with you, I think, I don't actually think that they're that much of a pain nowadays. But, you know,

not, I'm just interested in, in, if you're, send it to your email, there's a couple of good things about that. One is Someone who's hacked your SIM wouldn't get it, right? And the other is

the problem this poor fella had was, so all these messages were coming saying, if this isn't you, call us. Well, his phone doesn't work.

[00:29:16] Alex Quilici: Exactly, right? That's the problem. So, you know, email's not a great solution, but if you're worried about SIM swapping, at least it's going to a different place.

[00:29:25] Bob: So again, I'd strongly recommend you take a few moments and place a SIM swap lock on your mobile phone account. You'll be just a little safer in a world where cell phones Are

often the key that opens up your entire digital life. For the perfect scam, I'm Bob Sullivan.

(MUSIC SEGUE)

[00:29:48] Bob: If you have been targeted by a scam or fraud, you are not alone. Call the AARP Fraud Watch Network Helpline at 877-908-3360. Their trained fraud specialists can provide you

with free support and guidance on what to do next. Our email address at The Perfect Scam is: [email protected], and we want to hear from you. If you've been the victim of a scam

or you know someone who has, and you'd like us to tell their story, write to us. That address again is: [email protected]. Thank you to our team of scambusters; Associate

Producer, Annalea Embree; Researcher, Becky Dodson; Executive Producer, Julie Getz; and our Audio Engineer and Sound Designer, Julio Gonzalez. Be sure to find us on Apple Podcasts, Spotify,

or wherever you listen to podcasts. For AARP's The Perfect Scam, I'm Bob Sullivan.

(MUSIC OUTRO)

END OF TRANSCRIPT

%{postComment}%

The Perfect ScamSM is a project of the AARP Fraud Watch Network, which equips consumers like you with the knowledge to give you power over scams.