
Identity Theft


What is Identity Theft?

There's a good chance a lot of information about you is available online. Information like your: full name, birthday, phone number, work history, social insurance number, and even your login credentials. That information makes up your digital identity. And you might be sharing it without even realizing it.

Whenever you use: social media, financial services, cloud services, web browsers, online databases, and online subscriptions, your data is collected. This is a major concern.

Cyber threats can expose your data and identity to phishing, data breaches, social engineering, and deepfakes. Review the tips and reminders below to ensure you protect your digital identity.

Tips & Reminders to Protect Yourself Against Identity Theft

 

Monitor ALL financial transactions carefully. Get into the habit of regularly logging into all of your financial services (bank, credit card, PayPal, etc.) using your credentials. If you find that you cannot log in using your known credentials then you should assume that the account is compromised and immediately contact the fraud department for that service.
Enable Identity Alerts. Place an Identity Alert on your Equifax Credit Report (note that a Fraud Alert is only available to confirmed victims of identity theft/fraud), and also place a Potential Fraud Alert with TransUnion.
Lock down your social media profile so that it is private and can be seen by your friends only. Don’t publish your phone number on any of your social media profiles and limit the amount of personal information you post online like your birthday, home address, elementary school name, or your pet’s name.
Never complete the online “quizzes” which ask about your childhood. Fraudsters can use these clues to answer common identification questions and impersonate you.
Don’t allow your online shopping websites to “remember” your credit card or PayPal details. If the fraudster can access your online shopping, don’t make it easy for them to see what financial institutions you belong to.
Don't use apps to sign into other apps, e.g. Facebook. The fraudster would only need to enter one to gain access to all connected apps.
Don’t use the same passwords or usernames across multiple accounts. Always create a strong, unique password for your sensitive accounts.
Don’t click on links or attachments in suspicious emails or text messages. Remember that UBC, CRA, and Financial Institutions will never send you an email, or call you on the phone, asking you to disclose personal information such as your password, credit or debit card number, or your mother’s maiden name.
Destroy and dispose of your incoming mail properly. Never just recycle or throw away letters or financial information with any personal information on it without shredding or removing and destroying the personal information first. Did you know that Amazon Canada prints your full name, address, and phone number on all parcels? Ensure that this is removed or destroyed before the packaging goes into your recycling.
Ensure that all of your online services have the maximum security settings enabled that are available. Many services, including social media, allow multiple levels of authentication, rather than just username, password, and cellphone number.
Contact your cellphone provider and ensure that you have “Port Protection” enabled on your account. This will mean that a number cannot be “ported” before further verification with the account holder. This may delay legitimate account changes but will provide more security when your cellphone has been listed as your 2nd factor of authentication. This can be done through your provider directly.


What is SIM Swapping?

A SIM swap scam (also known as a port swap scam) is a type of account takeover fraud. Attackers exploit a mobile service provider’s ability to easily transfer a telephone number to a device with a different SIM card. In legitimate circumstances, this ability is very helpful when the real owner is switching their service to a new provider.

Once the attacker has access to your cellphone number, they can target a security weakness where you have two-factor authentication configured to use an SMS text message or a call placed to your cellphone number.

Most victims don’t have any idea that they have been compromised until they try to use their cellular data network, or place a call / send a text message which doesn’t go through.

How Does SIM Swapping Work?

The criminals begin their attack journey by trying to find some information about you like your name, email address, and phone number. They can do this in a number of ways: they may trick you into providing this information by sending you a phishing email, they can simply search online for the various pieces of information if you have published it on social media sites, or they could steal your mail.

Once they have collected enough personal information (usually your name, address, and cellphone number are sufficient for their purposes), they will contact their cellphone provider, either on the phone or through the online chat, pretending to be you and requesting that the cellphone number be transferred to their account. Due to CRTC (Canadian Radio-television and Telecommunications Commission) regulations, cell service providers have a limited time to make this switch, and their security check often consists of just an email or text to the current owner. If a service provider requests confirmation and the account holder does not respond very quickly, the change will be made. If the real owner is not looking at or actively monitoring their cellphone then it is likely that they will miss this warning.

Once the criminals have successfully secured the phone number, they have access to all services you’ve linked to your phone, which could include bank accounts, online shopping, and any systems which have the cellphone number listed as a 2nd factor of authentication or for password recovery. In addition, any incoming calls and texts would now be going to the attackers instead of the real owner.

What Happens?

Let’s say that the fraudsters manage to get hold of enough personal information to request – and successfully transfer – your cellphone number to themselves.


They then use that information to log into PayPal with an email address (which they had likely found online through social media or LinkedIn) and go through the process to say that they have forgotten their password.

PayPal sends a password reset PIN to the cellphone, which of course the fraudster now has. The attacker then has access to PayPal, including all of the credit or debit card information associated with that account.

With debit card information, the attacker now knows the banking preferences of the victim. They can log into online banking with the information that they now have (email address, home address, bank card reference) and they can say that they have forgotten their password. What does the bank do? It helpfully allows the attacker to reset the password, but not before doing its due diligence when it comes to security! It sends a password reset PIN to the cellphone first! The problem is, the attacker has that cellphone number now … you get the picture.

Once the attacker has unlimited access to the bank account or credit card then they can do a world of damage to the victim, including financial loss, identity fraud, negative credit history, and a whole lot of stress.

 


How To Protect Yourself Against SIM Swapping

Contact your cellphone provider and ensure that you have “Port Protection” enabled on your account. This will mean that a number cannot be “ported” before further verification with the account holder. This may delay legitimate account changes but will provide more security. This can be done through your provider directly, or with the support of your office administrator if the cellphone contract is owned by UBC.
Lock down your social media profile so that it is private and can be seen by your friends only. Don’t publish your phone number on any of your social media profiles and limit the amount of personal information you post online like your birthday, home address, elementary school names, or your pet’s name. Never complete the online “quizzes” which ask about your childhood. Fraudsters can use these clues to answer common identification questions and impersonate you.
If available, set up a passcode/PIN with your cellphone service provider to access your phone for any online or phone interactions. Never use the same PIN as you would use for other accounts, like your bank account.
Do not allow your online shopping websites to “remember” your credit card or PayPal details. If the fraudster can access your online shopping, don’t make it easy for them to see what financial institutions you belong to.
Do not use apps to sign into other apps. The fraudster would only need to enter one to gain access to all connected apps.
Do not use the same passwords or usernames across multiple accounts. Always create a strong, unique password for your sensitive accounts.
Do not click on links or attachments in suspicious emails or text messages. Remember that UBC, CRA and Financial Institutions will never send you an email or call you on the phone asking you to disclose personal information such as your password, credit or debit card number, or your mother’s maiden name.
Destroy and dispose of your incoming mail properly. Never just recycle or throw away letters or financial information with any personal information on it without shredding or removing and destroying the personal information first. Did you know that Amazon Canada prints your full name, address, and phone number on all parcels? Ensure that this is removed or destroyed before the packaging goes into your recycling.
Ensure that all of your online services have the maximum security settings enabled that are available. Many services allow multiple levels of authentication, rather than just username, password, and cellphone number.

What to do if you are a victim of SIM Swapping

There is a lot to do and you need to act fast:

  1. Check that you can still log into all of your financial services (bank, credit card, PayPal etc.) using your credentials. Once you are logged in, make sure to remove your cellphone number as a method of contact or 2nd factor of authentication and replace it with a different number which you know is safe.
  2. Reset your password to a new, unique, hard-to-guess password. If you find that you cannot log in using your credentials then you should assume that the account is compromised and immediately contact the fraud department for that service.
  3. Check that you can log into your UBC account using your CWL credentials and reset your CWL password. If you know that you have your compromised cellphone number as an option for multi-factor authentication (MFA) then you should contact security@ubc.ca to inform them that your cellphone number needs to be removed from Enhanced CWL settings ASAP.
  4. Remove your cellphone number and reset your password for all online shopping services.
  5. Remove your cell phone number and reset your password from all utilities such as gas, electricity, home internet, cable, Netflix, etc.
  6. Contact the fraud department with your cellphone provider and tell them what happened. You will need to convince the support technician that you are who you say you are, and you should be prepared to have access to your old cellphone statements to go through enhanced security measures.
  7. Contact the RCMP Canadian Anti-Fraud Centre at [Toll-free] 1-888-495-8501
  8. Report the fraud at the two credit bureaus in Canada: Equifax - 1-800-465-7166; TransUnion Canada - 1-877-525-3823
