Sim swapping: scammers hijack smartphones and steal thousands

AARP


(MUSIC INTRO) [00:00:01] Bob: This week on The Perfect Scam. [00:00:04] Alex Quilici: People do everything on their phones now. They do their banking, they do bill paying on phones. And so a


lot of your financial history and financial accounts are accessible through your phones, which makes it a prime target. And even if you do work on your desktop, when you log in, they text


your phone as a 2FA to let you in, which means your phone's involved everywhere. [00:00:24] Bob: So our phone is almost our password at this point. [00:00:27] Alex Quilici: It is and


it's the big motivation for SIM swaps. If they get your phone number and control of it, then it's like they have your password. (MUSIC SEGUE) [00:00:07] Bob: Welcome back to The


Perfect Scam. I'm your host, Bob Sullivan. In many ways, our phones are now our passwords. They're often the key to logging into our bank accounts, our work computers. Those short


text messages with secret codes seem to rule our lives now. Criminals have taken notice, and they've figured out a diabolical way to intercept these messages. To impersonate our phones,


and in so doing, impersonate ourselves. Today, you'll hear from a victim who was targeted by this kind of phone hijacking attack. And before the day was over, tens of thousands of


dollars had been stolen from him. But the good news is, today's episode comes with homework. There's a five minute fix for this problem, one you could probably do yourself. To be


honest, a fix I didn't know about until we worked on this story. I'll soon explain how it's done. But first, we want to make sure you understand the problem. So, meet Jeff


Drobman from Los Angeles. He was on his way to lunch recently. On his way to a first date. When, innocently enough, his mobile phone suddenly stopped working. [00:01:49] Jeff Drobman: Yes, I


was having lunch with a friend out in Hollywood, which is an hour drive from where I live. So I couldn't get home really quickly to deal with all of this. So what happened was I was


trying to call that person and I noticed that my phone wasn't working. All of a sudden, just suddenly, it says SOS instead of a cellular service. It'll say SOS if you have no


service. So anyways, that's when I noticed something was wrong. So I'm thinking maybe a cell tower went down or something, you know, why am I not getting service? I don't


know, but I was meeting with somebody. Actually, it was a first blind date, so I didn't want to screw that up. [00:02:27] Bob: Oh my God, all the pressure. [00:02:31] Bob: So Jeff puts


aside the phone issue for a while, tries to focus on the date, but his phone is still trying to get his attention. Calls won't go through, texts won't go through, but he is getting


emails, probably because of a Wi-Fi connection. [00:02:44] Jeff Drobman: It's about noon, my time. I started getting a flurry of fraud alerts from Bank of America. Someone's


trying to access your account. Someone just changed your password. I go, oh my god, if this wasn't you, call us. Well, okay, great. How can I call you? My phone's been disabled.


[00:02:59] Bob: Still, he somehow manages to enjoy lunch. [00:03:04] Jeff Drobman: Yeah, I was actually at the Grove in Hollywood. That was a great place. I didn't want to leave, but I


had to go. It took me an hour to get home, so it was more like three, four o'clock before I could borrow my neighbor's phone and call in. [00:03:14] Bob: Using that neighbor's


phone, remember, he can't call anyone from his phone. Jeff calls his cell phone provider first so he can get that up and running. [00:03:23] Jeff Drobman: And they looked up the


records and they said, well, somebody had your phone number transferred to their phone. I said, yeah, it wasn't me. They go, oh, okay. Okay, that's not okay. But I got to the fraud


people and they said, Okay, we'll deactivate their phone and we'll reactivate yours, which was not a simple process. They had to take me to a website, I had to do a QR code, da da


da, but eventually my phone was back in service. [00:03:46] Bob: Okay, so now his phone works, and now he has time to call his bank. He's gotten those disturbing alerts about someone


trying to access his account. [00:03:56] Bob: And by the time all, like, in my head, the clock is ticking towards 4 or 5 pm by now, right? [00:04:01] Jeff Drobman: Yes, about 4 or 4:30,


something like that. [00:04:03] Bob: So it's also the end of the banking day, and that's another cause for worry, right? [00:04:07] Jeff Drobman: Yep, you hit the nail on the head


there. [00:04:09] Bob: He gets through on the phone and discovers a series of withdrawals have already hit his account. [00:04:17] Jeff Drobman: They said, okay, we'll, we'll


denote that the fraud will shut down your account. But by then it was too late. They'd already stolen my money. So it was, um, letting, uh, closing the barn door after the cow had got


out. And I said, well, what do I do now? And they said, well, your bank is closed. So wait till tomorrow, but go into your bank tomorrow morning and see what's going on. [00:04:37]


Bob: This seems like a heck of an afternoon. My God. [00:04:39] Jeff Drobman: Yeah. Yes. It was a nightmare. Not even on Elm Street. It was a nightmare on my street. [00:04:44] Bob: How bad was it at that


moment? Did you get a sense like, wow, my money's gone or? [00:04:49] Jeff Drobman: No, they just said, goodbye. Go to your bank. Leave us alone. Goodbye. [00:04:53] Bob: And you, you


assume, well, the bank's got this under control, right? [00:04:55] Jeff Drobman: Well, they locked my account. They said, so whatever was stolen was stolen, but they can't steal


anymore because we've locked your account. I said, yeah, but then I can't use my account. That's correct, sir. You can't use your account. [00:05:04] Bob: Wonderful.


[00:05:06] Bob: And since Jeff can't access his online bank account, he can't really tell what's going on. His worst fears are confirmed the next morning when he goes into the


bank and eventually speaks with a fraud expert. [00:05:20] Jeff Drobman: And she goes and logs in. She says, I can log into your account. You can't, but I can log into your account. So


she logs into my account and she says, “Oh, looks like $21,000 has been withdrawn at four different bank branches in Chicago.” [00:05:31] Bob: (sighs) [00:05:32] Jeff Drobman: Chicago.


[00:05:33] Bob: What did you think of that? [00:05:35] Jeff Drobman: I was astonished and flabbergasted and frustrated. All those feelings mixed together. [00:05:41] Bob: $21,000 has been


stolen from him. All while his phone had stopped working. That can't be a coincidence. The teller offers a few more details. [00:05:53] Jeff Drobman: The bank fraud person I was dealing


with told me, I see here, that apparently what happened is they, the criminal group in Chicago of all places, walked into a bank branch and said, uh, “Yeah, we want to withdraw, you know,


how much cash can we withdraw from the account today?” Because they have limits, right? And so they did a 3,000 and a 4000 and a 7000 or an 8,000 for four different times they withdrew cash.


And then they, she told me, it looks like they went into a fifth branch and they finally got wise to it and said no. [00:06:25] Bob: Have you ever gone into a bank and withdrawn more than a


couple hundred dollars? [00:06:30] Jeff Drobman: No, not ever. [00:06:31] Bob: Jeff's heart is up in his throat. What is he supposed to do now? [00:06:36] Bob: And you're talking


to this person who says $21,000 has been stolen and you're shocked. What does she tell you to do? [00:06:41] Jeff Drobman: She said, well, you file a fraud report. And I said, yeah,


let's do that. So I filed a fraud report. [00:06:47] Bob: And does she reassure you, don't worry, you'll get the money back? [00:06:50] Jeff Drobman: She said, I'm hoping


that they'll decide to give you your money back, but I can't guarantee that. [00:06:55] Bob: I'm hoping they'll decide? That sounds terrible. [00:06:59] Jeff Drobman:


She said, they probably will, but I can't guarantee that. [00:07:02] Bob: Can't guarantee that? Wow. But there's nothing else Jeff can do at this point other than, well,


remember his account has been deactivated, so to get access to any money, he has to... [00:07:17] Bob: So does she open a new account for you? How does she deal with the immediate problem?


  [00:07:21] Jeff Drobman: Yeah, so that's the annoying part too. They have to close that account, open a whole new checking account, throw out all your printed checks, throw out your


old debit card, and we'll mail you a new debit card. And also they did that with my credit card too. So just to be safe. [00:07:35] Bob: Yeah. And that's much more of a hassle than


people realize unless they've been through it. [00:07:38] Jeff Drobman: Well, especially with the credit card, because I auto bill a fair number to that credit card. And I had, yeah.


[00:07:43] Bob: So it's a real pain when you have to do all this. [00:07:45] Jeff Drobman: Uh, yes, yes. It's got a, it's a snake with many tails. That's for sure.


[00:07:50] Bob: But at least by the time he leaves the bank, he's got a working phone and a working bank account, so things are back to normal-ish. [00:07:59] Jeff Drobman: Well, it was


back to normal for all of two hours. Two hours, my phone goes dead again. I got the SOS signal, I go, oh my god. [00:08:08] Bob: Jeff's phone has died. Again. And now he knows what


that might mean. Last time that happened, $21,000 was stolen from him, so he quickly calls his cell phone provider. [00:08:21] Jeff Drobman: So I call him back and said, yeah, we transferred


your phone to these other people. They said they wanted your phone number. I said, well, you guys can't do that. So they transferred me again to their top fraud guy and he said, okay,


I can lock your account so we won't transfer your phone number just because somebody calls and says, please do that. [00:08:37] Bob: And that works for one day. [00:08:41] Jeff Drobman:


The next day I got my phone locked again. So I called and talked to the guy and I said, okay, I guess I didn't do that right or something. So yeah, so yeah, now your phone is


definitely locked and we'll assign you a PIN number. [00:08:52] Bob: This is just crazy. It is crazy. Three times in one day. Yeah. [00:08:56] Jeff Drobman: Right. Well, the next day


too. So, and then I'm holding my breath and crossing the fingers the right way to make sure this doesn't happen a fourth time. [00:09:03] Bob: And remember, Jeff is trying to port


all his automatic payments over to his new bank account, so intermittent cell service isn't exactly helpful. But you know what would make that process even worse? [00:09:16] Jeff


Drobman: I had to, you know, contact everybody and give them the new account number. Oh, and here's the stupid thing. Just to make matters worse, because why not, they gave me a new


account number, and the next day I went into the bank to see what was going on, and they said, oh, it looks like they're, the criminals had gotten a hold of this number, possibly,


because someone's trying to get that account. So they closed that one and gave me a third account number. [00:09:40] Bob: So, if you're keeping score, there's three confirmed


attacks on his cell service and two on his bank account within 24 hours. And while the attacks come rapid fire, the fix is decidedly slower. [00:09:54] Jeff Drobman: Well, I went into the


bank and talked to that lady many, many times, like just about every day, just about daily. I went in there, any good news? What's going on? We don't know. Can you check, you know,


can you check my fraud status? Eventually, I was able to log back into my own account and check my fraud status. So, they hopefully were able to also protect my account from being, having


my password changed by the criminals yet again. [00:10:16] Bob: But what about the $21,000? [00:10:21] Bob: So when did the bank finally call you with some good news? [00:10:24] Jeff


Drobman: They never once called me. [00:10:25] Bob: Wonderful. Uh, how did you find out they had restored or, you know, uh, approved the dispute? One day the money just reappeared in your


online banking? Is that what happened? [00:10:33] Jeff Drobman: Um, well, yeah, a month later, just. [00:10:35] Bob: It took a month? [00:10:36] Jeff Drobman: One month. [00:10:37] Bob: To


get your... [00:10:38] Jeff Drobman: One month later. [00:10:40] Bob: To get $21,000, that's crazy. [00:10:42] Bob: So what is going on here? How did criminals manage to make $21,000


worth of withdrawals from Jeff's accounts? And why did that happen at the same time his cell phone stopped working? Jeff was targeted by what's called a SIM swapping attack. Here


to explain how SIM swap attacks work and how you can protect yourself from them is Alex Quilici, CEO of a security company named YouMail, which protects consumers from unwanted and unsafe


calls, texts, and voicemails. [00:11:14] Alex Quilici: So the way to think about a SIM swap is a SIM connects your phone number to a device. So a SIM swap basically switches your phone


number to another SIM on another device. And once somebody has your phone number on another device, they can do, it's as if they own it, right? So they can do anything you could have


done, which means access to bank accounts and all of that. [00:11:37] Bob: And I think one of the reasons we've seen a lot more of these attacks is our phones play a much bigger role


now in our security. Right? [00:11:44] Alex Quilici: It's absolutely crazy, right? People do everything on their phones now. They do their banking on their phones. They do bill paying


on phones. And so a lot of your financial history and financial accounts are accessible through your phones, which makes it a prime target. And even if they're not on your phone and you


do work on your desktop, when you log in, they text your phone as a 2FA to let you in, which means your phone's involved everywhere. [00:12:08] Bob: So our phone is almost our password


at this point. [00:12:11] Alex Quilici: It is, and that's the big part of the problem, and it's the big motivation for SIM swaps. If they get your phone number and control of it,


then it's like they have your password. [00:12:21] Bob: SIM cards, that word stands for Subscriber Identity Module, tie a piece of hardware, a handset, to a telephone number. Perhaps


you remember a time when physical SIM cards were standard. When you got a new phone, you could yank the SIM card out of one device and put it in another. Today, many carriers use eSIM cards,


virtual cards, so the change happens in software. That's significant because in the past, SIM swap attacks would have required physical access to someone's phone. But today, they


can be done remotely. And since all that really stood between Jeff's bank account and a criminal was a six digit code texted to his smartphone, well a criminal who had hijacked his


smartphone could log in and steal his money. [00:13:10] Alex Quilici: It doesn't surprise me because think about it, when you go to log into a bank account, they text your phone, you


put the text in, and now you have full access to the bank account. So the minute a bad guy has switched over this guy's phone number to their control, it, it happens very fast what they


can do at that point, and they're set up to do as much as possible. [00:13:30] Bob: Jeff got a very painful lesson in SIM swap attacks during this episode. [00:13:35] Jeff Drobman:


That's the huge issue here. The huge issue is everybody, all the banks and all the financial institutions and a lot of others are using text back codes as a way to authenticate you.


And, uh, we all thought, well, that's safe. That's got to be perfectly safe. They send a code to my phone. No one else has my phone. I have my phone. I text back the code. And


they're going, yeah, that's, that's how we do that. So these criminals have figured out how easy it is to steal your phone. So all they had to do was call a suspect and say,


Hey, uh, Hey, Bob, Bill, I just got a new phone. Hey, here. Hey, can you transfer this? My phone number, which was my phone number. Can you transfer this phone number to my new phone? They


said, sure, no problem. Here you go. I used to think, I'm fairly well versed in cybersecurity, I used to think that one of the measures to authenticate yourself is it's not only


something you know, but something you have. And so we thought that text back codes were perfect because the phone is something you have. No one else could have my phone, or if my phone got


stolen, I would have reported that. It never occurred to me that it was that easy to steal your SIM, because they made it an eSIM. [00:14:34] Bob: That's certainly enough to make anyone


paranoid and well, Jeff sure is. Every time there's a cell phone network blip, well, he's worried he might be robbed. [00:14:44] Bob: It must be a part of your life now. How do


you feel? We all go through these dead zones with our cell phones where suddenly the phone doesn't work. Aren't you worried every time that someone's hacking your bank again?


[00:14:53] Jeff Drobman: Yeah, do you like getting electric shocks? That's my electric shock. Every time I look at my phone and it says SOS, I go, oh no, oh no, hopefully nobody hacked


my phone. [00:15:03] Bob: There have been several high profile SIM swap attacks. Especially because smartphones often act as passwords for high value crypto accounts. Investor Michael Turpin


had 24 million stolen from him. He was the subject of a _Perfect Scam_ episode about a year ago. But today, SIM swap attacks are hitting all kinds of account holders. [00:15:26] Bob: Can


you give me some idea of scale here? Because I started to see a lot of stories about SIM Swap bank attacks, you know, maybe a year or two ago, maybe even longer, but it seems like


they're a big problem now. Can you give me some idea of how the scale of the problem? [00:15:38] Alex Quilici: So what I've seen recently are statistics for 2023, which estimated


somewhere between 80,000 and 100,000 of these SIM swaps, which is up dramatically from 2018 when I think they estimated 600 and 2021 when it was, you know, four or five thousand. So they


seem to be escalating in terms of, you know, the number of attempts here. [00:15:59] Bob: Just to put a fine point on it, we're talking to you today about SIM swapping. Why would a


company named YouMail know about SIM swapping? [00:16:06] Alex Quilici: Well, one of the big things people need to do SIM swaps is your personal information. And how do they get it? They get


it through robocalls, robotext, emails, other things that are essentially phishing you to try to get you to provide that information. And so we're well aware of SIM swaps simply


because we see all the attempts to get the information that's needed to do those SIM swaps. [00:16:26] Bob: And given all the network traffic that you see, you probably see a lot of


attempts, right? [00:16:32] Alex Quilici: Well, what we usually see are suspicious things. So one suspicious thing is suddenly someone's getting the six digit 2FA codes and


they're reporting them as spam. And so if they're doing that, that means they didn't ask for the 2FA code. So someone else has got that 2FA code generated for them and is


trying to take over their phone. So there are different things that we can see that we think are either a part of a SIM swap or the precursor to a SIM swap. [00:17:00] Bob: SIM swapping is a


bit more alarming now because, as with Jeff, the attacks seem more targeted. [00:17:07] Alex Quilici: So, you know, two, three years ago, it was spray and pray. There'd be massive


numbers of robocalls or massive texts, hoping to get someone to click or someone to call back or someone to answer and press one. Now they're actually going after people with very


specific data for those people. So if they pretend to be a bank, they may have your account number they got from a data breach. They may have other information that they need, then convinces


you, Hey, this really is my bank. And I think the danger level has gone way up. The volume has gone down, but the bad guys are getting, you know, smarter and smarter. And if you look at the


amount of data breaches that are out there, it's, it's crazy, right? [00:17:45] Bob: And while Jeff did ultimately get his money back, don't say the crime didn't cost


him anything. And that's one reason he really wanted to speak to us. [00:17:55] Jeff Drobman: Well, time, money, aggravation, frustration, yes. And the fact that they hacked my phone


multiple times, so I was never sure that I was safe from that. It also kind of messes up my account with them. I keep having to do these, uh, SIM swap back to my phone. But the main thing


is hopefully everyone's heard of the idea of SIM swap. [00:18:16] Bob: As you can tell, Jeff is still a bit frustrated. He's also left wondering what happened to the criminals who


were brazen enough to walk into a bank branch and steal thousands of dollars. [00:18:29] Jeff Drobman: Well, I hope they caught these guys 'cause I also gave them a phone number and an


address. These guys had the audacity to, while they had access to my bank account, to request a physical debit card, a new debit card to be mailed to them at this post office box in, not


post office, this apartment address in Chicago. So I said, I have an address for them. Are you going to arrest these guys? Well, we don't know. So I don't know if they ever caught,


and they also got a phone number, somebody who was trying to get my phone transferred, and they actually provided a phone number. So I gave them that phone number, but I never heard if they


were able to arrest any of these people. [00:19:07] Bob: Another important element of Jeff's story is the use of something new called virtual debit cards. I only became aware of these


recently when I got a new physical debit card. My bank added software to my app so I can withdraw cash from an ATM by tapping with my smartphone using this virtual debit card. Not unlike


paying with Apple Pay. And that's a nice feature, but... [00:19:32] Jeff Drobman: Yes, that was the key to the whole thing. So you think that they hacked into my bank account in order


to steal money out of my bank account. But I'm figuring they were smart enough, so that's why I think they were a pretty smart criminal group, that if they transferred the money to


some account that would be traceable. So they apparently hacked into my account in order to, uh, well one, lock me out, but also to request a physical debit card to be mailed to them. And


also to request a virtual debit card, which they could get immediately. So that was the other key. That's why these guys are pretty sophisticated. So they got a virtual debit card. And


so that was what they used when they walk into the bank. They said they apparently must have shown them the virtual debit card. [00:20:11] Bob: Okay, so my question is this. They were, the


bank was sending you fraud alerts? [00:20:15] Jeff Drobman: Yes. [00:20:16] Bob: Actively, multiple fraud alerts. But yet still allowed someone to take cash four different times in the


thousands of dollars. How did the bank explain that? I mean, what's the point of the fraud alert if to not hold up the transaction? [00:20:27] Jeff Drobman: You're absolutely


right. If they suspect fraud, why would they hand over 21,000 in cash? Here you go. Would you like those in tens or twenties or fifties? Here you go, buddy. [00:20:35] Bob: Yeah, let me,


because the implicit message is, we're sending you this fraud alert, unless we hear from you, we're going to just perform the transaction, which is crazy. [00:20:42] Jeff Drobman:


Yeah, it should be the reverse. Until we hear from you, we're not going to give out any money. [00:20:46] Bob: Yeah. [00:20:47] Jeff Drobman: That's what it should be. [00:20:48]


Bob: Okay, so we promised at the top of this episode to give you homework, a simple task that can protect you from a lot of SIM swap attacks. Nothing is perfect, of course, but I'll let


Alex explain. [00:21:01] Bob: This seems rather helpless. [00:21:02] Alex Quilici: Well, I don't think it's helpless. I mean, there's a number of things people can do. The


number one thing is now the carriers in the US allow you to have something that they call along the lines of SIM swap protection. And what that basically is, when that's turned on, your


phone number can't move from the SIM until you turn that permission back on. And so that's a really great level of protection. I mean, it's a pain because you get a new phone


and a new SIM, you've got to go and make sure you turned it off, do the swap and then turn it back on. But that is a big part of protecting yourself is making sure that feature is on


your wireless carrier. [00:21:37] Bob: So it sounds like you are, without exception, recommending that people call their carrier, go online and set this up right away. [00:21:44] Alex


Quilici: I absolutely, that's the first thing you should do. It's a pretty easy thing to find on their website. It takes a couple minutes to turn it on. Go do it. It's worth


the hassle when you get another phone later on, or you want to do something. It's just like a credit freeze. There is a significant amount of protection by doing that. [00:21:59] Bob:


So, uh, you know, my first instinct with that is I'm sure that's great, but then also I'm sure the hackers have figured out a way to get around that, right? [00:22:06] Alex


Quilici: Well, they have, but that usually involves people. So one of the most famous SIM swaps is, uh, a gentleman named Michael Turpin. And the way they did the SIM swap was basically


bribe employees at the, uh, at the carrier. And so the employees just switched it regardless of everything else. But that's a lot more difficult to do if they have to go bribe


employees, you know, once you've got this SIM protection setting on. [00:22:32] Bob: Okay. I'm convinced. I did it with my carrier, as soon as I got off the phone with Alex. The


process is a little different with each carrier, but basically I navigated to my account, to a tab labeled security, and found an on/off toggle for SIM locking. The experience should be


pretty similar for you. You can call your carrier and ask for it too. Jeff really hopes you do. [00:22:56] Jeff Drobman: So there's two levels of protection to advise everybody out


there. One is absolutely contact your cell phone carrier, make sure you have a PIN set up, that they will not transfer your phone number without the PIN. So make sure you do at least that.


In addition to the PIN, I also was able to get them to set a complete anti-fraud lock on my account. So I have to call the fraud department, authenticate myself there with three or four


different ways of authentication. And then, then they'll unlock the fraud lock and then I can use the PIN to transfer the phone. [00:23:28] Bob: SIM swap locks are particularly


important because Alex says criminal attacks are becoming even more targeted. [00:23:36] Alex Quilici: The one other thing that's important. What's going on now that I think people


should be aware of are what I would call ultra targeted scams. So an example is, uh, my wife got one a few days ago. She got a text message saying, we, you know, we're going to sue you


because your daughter threatened the life of our daughter and all the, you know, this nonsense with the text, right? And so they knew my daughter's name, they knew my wife's name,


they knew her phone number, they knew what high school my daughter had gone, uh, gone to last year. All of this stuff and mocked up a, you know, very terrible kind of SMS and threatened to


sue us and essentially unless we pay the money. [00:24:10] Bob: Wow [00:24:10] Alex Quilici: And so that's some real work for someone to do, right? To Google and put some of that stuff


together. And we see more and more of it. I know Michael Arrington, who's famous in the crypto world of TechCrunch has posted a whole thing on Twitter where they're going after all


his friends, pretending to be him with real information about him. And so I think these kind of super ultra targeted scams are what we have to watch out for now. And you can imagine, these


are hard to detect, right? The way we knew it was suspicious was one, we know our daughter, right? So she's not going to threaten someone's life, but it didn't mention what


phone number she had. It didn't, didn't mention who, like, it was nothing. There was no meat on the bone. So we were very comfortable with the scam and, you know, worked to get it


shut off. But I think that's what people are, are seeing more and more of. And, you know, grandparent scams where it used to just be, “Hey, I'm in jail, send $10,000.” Now they


know about the person. They might know what, because of social media says where they went on vacation. So hey, I'm here in this location in Hawaii and I've been, you know, gotten


in an accident, you get bailed in jail. It's, they're, they're getting more and more sophisticated and you throw in, you know, voice cloning and some of the other stuff there.


This is a really tough world for people. [00:25:21] Bob: Yeah. I mean, so, you know, every time there was one of those massive data leaks, we all sort of speculated, oh, this could one day


be used for, you know, highly targeted attacks. In truth, you know, I haven't heard about a lot of things like you're describing, but what, what your wife received there is, is a


stunner to me. [00:25:39] Alex Quilici: It freaked her out at first.   [00:25:40] Bob: Yeah, sure. [00:25:41] Alex Quilici: Right? Her first thought was actually, I can't believe my


daughter did this, and then I just said, we know our daughter, she'd never do that. [00:25:47] Bob: Good for you, way to go, yeah. [00:25:48] Alex Quilici: And on top of that, they


didn't have her phone number here as part of the text they were trying to show you, it's all blurred out. They didn't say who they were. They're saying, I'm just


filing a demand. Like that, you know, a letter, this is just suspicious. Trust me, this isn't real. And obviously I used my contacts to try to figure out what was going on, but you


know, a lot of people might go, “Oh my God. Okay. I can get out of this for 500 bucks. Okay. Let me just do it.” [00:26:09] Bob: You know, and honestly, what you said about that being a lot


of work to put together, that that's what has me on the hook here, because, you know, normally these guys succeed one out of 10,000 times, right? So they don't have time to make


personal messages like that. But some, something is going on. I wonder if they're using ChatGPT or something to write these things up. [00:26:27] Alex Quilici: I actually looked at


that. And, you know, some of our team was trying to figure out, could they find all of this with ChatGPT? And the simple answer was with basic prompts, no. But if they decided for some


reason, you know, to go after me, but they figure I probably know what's going on. They would easily find my wife and daughter's names that. It's been in the paper before for


local things. They could figure out what high school she goes from her, went to, from her Instagram and her TikToks, which now have some, you know, real social presence. It's not hard,


right, to kind of put that together. And I guess if you have cheap labor, you know, in a foreign country somewhere, you can imagine them just doing this. Like, okay, we want to attack,


let's get a list of people in a particular zip code because that's a reasonably wealthy area. Let's find out everything we can and let's actually put some effort into


going after it. [00:27:13] Bob: Wow. [00:27:14] Alex Quilici: And so it's, it's moved from, like I said, spray and pray to very targeted, very direct and, and with some data and


other effort behind it to make it seem real. [00:27:23] Bob: There is one other important suggestion Alex has. [00:27:27] Alex Quilici: It's a giant pain, but there are things called


authenticator apps, which really tie your authentication code to your particular device, not the SIM. And so, for example, with Gmail, you can make it so the 2FA goes through an


authenticator app versus a text to your phone number or versus, you know, an email with the code. And those are much harder to break, right? Because they have to have your physical device,


because it's generating code specific to knowing that you're on the device that's going to help you get in. And so it's painful, it adds time, and sometimes it's


confusing, but I really recommend that where possible and where it's supported, do the authenticator layer for 2FA versus a text to your SMS. And secondly, at least for me personally, a


lot of times I have the 2FA go to an email address. Because it's harder to break into my email address than I think it is to try to do the SIM swap. So I tend to stay away from SMS for


accounts that really matter to me. [00:28:25] Bob: Could you say that a little bit more about that? I think that's really interesting. So when you, your bank tells you to put on 2FA


and you go there, I assume, it's been a while since I've done it, you just check a box that says send me a text message, but you can say, send me an email instead. [00:28:39] Alex


Quilici: Usually they'll send me an email and there's usually the third option, at least now more and more, which is use an authentication app, like Microsoft Authenticator or


Google Authenticator. And to me, that's the preferred solution, even if it's sort of the biggest pain. [00:28:53] Bob: But if you don't want to use an authenticator app, and


by the way, I agree with you, I think, I don't actually think that they're that much of a pain nowadays. But, you know, not, I'm just interested in, in, if you're, send


it to your email, there's a couple of good things about that. One is someone who's hacked your SIM wouldn't get it, right? And the other is the problem this poor fella had


was, so all these messages were coming saying, if this isn't you, call us. Well, his phone doesn't work. [00:29:16] Alex Quilici: Exactly, right? That's the problem. So, you


know, email's not a great solution, but if you're worried about SIM swapping, at least it's going to a different place. [00:29:25] Bob: So again, I'd strongly recommend


you take a few moments and place a SIM swap lock on your mobile phone account. You'll be just a little safer in a world where cell phones are often the key that opens up your entire


digital life. For The Perfect Scam, I'm Bob Sullivan. (MUSIC SEGUE) [00:29:48] Bob: If you have been targeted by a scam or fraud, you are not alone. Call the AARP Fraud Watch Network


Helpline at 877-908-3360. Their trained fraud specialists can provide you with free support and guidance on what to do next. Our email address at The Perfect Scam is:


[email protected], and we want to hear from you. If you've been the victim of a scam or you know someone who has, and you'd like us to tell their story, write to us.


That address again is: [email protected]. Thank you to our team of scambusters; Associate Producer, Annalea Embree; Researcher, Becky Dodson; Executive Producer, Julie Getz; and


our Audio Engineer and Sound Designer, Julio Gonzalez. Be sure to find us on Apple Podcasts, Spotify, or wherever you listen to podcasts. For AARP's The Perfect Scam, I'm Bob


Sullivan. (MUSIC OUTRO) _END OF TRANSCRIPT_

