Protecting Your Phone from a “Port-Out Scam”

Originally Published on Blog.Lastpass.com on April 27, 2018 By Amber


Looking to protect your bank accounts? One of the most common security options is to send one-time codes to your phone. Every time you log in, a new code is texted to you. But what if someone steals your phone number, so they receive your codes instead? Today we’re going to chat about this threat and the steps you can take to protect yourself from these so-called “port-out scams.”

What is a port-out scam?

A “port-out scam” doesn’t sound very alarming, but it’s something you never want to happen to you. If you’ve ever switched cell phone providers, you know that you can switch while keeping your existing phone number. Normally, that’s a great convenience – you don’t have to switch phone numbers every time you switch providers!

However, hackers have figured out how to use this to their advantage. In a “port-out scam,” hackers transfer your phone number to another mobile carrier. That way, they start receiving your text messages and phone calls. If they’re trying to break into an account, such as a bank account or credit card, the access codes for that account are now texted to them. You may not even realize anything is happening because you will no longer be receiving those texts and alerts.

How can I protect myself from a port-out scam?

Prevention is key, and just knowing the right settings to turn on can make a big difference. Here’s where you should start:

  1. Add a security PIN to your account. For some carriers, you can do this online; for others, you’ll need to give them a call. Once you activate the PIN, you’ll be required to provide it before you can port your phone number or activate a new SIM card.
  2. Make the security PIN unique and random. If your PIN can be easily guessed or has the potential to be leaked from another website, it’s not actually making your account more secure. So, use a random PIN that you won’t use anywhere else.
  3. Store the information in a password manager. Keeping track of all the PINs, passcodes, and passwords for all of your accounts is hard. Use a trusted password manager like LastPass to store everything in an encrypted vault, where you know you can find it when you need it.
  4. Watch out for alarmist, take-action-now-or-else messages. When you see these types of messages, understand that they are trying to scare you into doing something impulsive. Instead, pause, look for clues (Do you trust this source? Can you call the company/friend/coworker to verify the contents?) and proceed with caution.
  5. When in doubt, call or go directly to the website. The safest thing you can do is go directly to the company that claims they need you to do something. Log in to your account and check there. Or, give their customer service a call.
  6. Use every security option your bank makes available. Turn on the alerts they offer for suspicious account activity. If possible, use app-based two-factor authentication options over SMS-based codes. Even an email can be safer than text-for-PIN authentication. If text-based codes are your only option, still turn them on, but then make sure you’ve done step #1 above.

Security works in layers. When it comes to your bank account, it’s not just about using a strong password. You also need to think about the email address that you use when logging in (are you protecting your email account?). You need to account for the phone number where you receive one-time codes (are you protecting your phone?). And what about the device you’re logging in from (are you on a trusted connection? Are you taking basic precautions against malware?)

All of these factors work in layers to create a web of security (or insecurity) around your bank account. Once you’ve put the above tips into place, though, you’ll have drastically reduced your risk of a port-out scam happening to you.