Archive for Scam

YouTube phishing scheme targets creators with CEO deepfake videos

Posted in Commentary on March 5, 2025 by itnerd

Hi there — Hackers have been sending fake emails that include deepfake videos of YouTube’s CEO to announce fake changes to YouTube’s monetization – only to hack into creators’ accounts.

YouTube and its employees will never attempt to contact you or share information through a private video. If a video is shared privately with you claiming to be from YouTube, the video is a phishing scam. Do not click these links as the videos will likely lead to phishing sites that can install malware or steal your credentials. Never click on links in these videos and you can report the video by following these steps.

Anna Collard, SVP Content Strategy & Evangelist at KnowBe4, commented: 

“This latest phishing scam targeting YouTube creators is a reminder that social engineering tactics don’t need to be new—just more convincing. The use of deepfake videos of YouTube’s CEO isn’t groundbreaking; scammers have long exploited our trust in authority figures to manipulate emotions like curiosity or greed. What has changed is the ease and accessibility of AI, which makes these scams appear more polished and credible.”

“According to Egress (2024), 82% of phishing kits now include deepfake capabilities, democratizing this technology for any cybercriminal with the right motivation. This means low-effort scams can now look far more legitimate, making vigilance more important than ever.”

“The key defense remains the same: digital mindfulness and a zero-trust mindset. Pause before reacting impulsively, particularly if it triggers an emotion or existing bias, verify independently, and never assume legitimacy just because something looks real. AI may enhance deception, but our best defense is still critical thinking and security vigilance.”

This is an example of how threat actors are evolving their schemes, using techniques like deepfake videos to lure the unsuspecting into falling for a scam. That means the best defense is to ensure that people are trained to spot these schemes so that they aren’t effective.

You Can’t Stop SIM Swap Attacks… But There Are Mitigation Strategies That You Can Employ

Posted in Commentary on February 16, 2025 by itnerd

Recently a friend of my wife’s was doomscrolling on her phone when it suddenly went into SOS mode, meaning it had no service. Confused by this, she hopped into her car and drove to her local Bell store. The Bell employees had a look and determined that something weird was going on. Specifically, her phone number had been linked to a Bell account that had the numbers of 20 other people on it. The Bell employee then went into action to get “the fraud department” involved. But while that was going on, someone was trying to use her credit card to buy some high value items. As in $14,000 worth of items. She would later find out about this when the Bell employee told her to phone her bank to see if her credit cards and bank accounts were okay. When she made that call, that’s when she got the bad news. Her bank told her that what likely happened was that before the purchase went through, Visa, the credit card company in question, would have sent her phone a two factor authentication code to authorize the purchase. Fortunately for her, her bank, seeing clear evidence of fraud, reversed the charges. But she had to be issued brand new credit cards and a new bank account to boot.

Welcome to the modern reality of the SIM swap attack.

So let’s go down the rabbit hole of what a SIM swap attack is and why it is one of the most common ways that people get hacked, if you want to call it that. SIM stands for Subscriber Identity Module. That’s telco speak for the chip that goes inside your phone to allow you to get cell phone service. Your cell phone number is associated with that SIM, and what the threat actor will try to do is either trick a telco employee into moving your number to a SIM that they control, or use an accomplice inside the telco to move your number to a SIM that they control. The story above is an example of the latter. And this is an example of a Freedom Mobile customer who fell victim to the former.

And before those of you with an eSIM (an electronic SIM that is sent over the air, via a QR code, or via an app to a special chip inside your cell phone) say that you can’t get pwned in this manner: you absolutely can. eSIMs are simply non-physical SIMs. The attack method is the same.

These attacks are either highly targeted or opportunistic. The former involves the threat actor learning a whole lot about you, not only to figure out if you are a target worth their time, but to know how to quickly take over the accounts that they are interested in. In terms of the latter, I have begun to hear of situations where a target is sent a text message that purports to be from a telco, and the victim is sent to a phishing website that gathers enough information about them to allow the attack to proceed. Here’s an example of another Freedom Mobile customer who fell for this.

So in short, a SIM swap attack is a means for a threat actor to take control of your number to get access to two factor authentication codes that allow the threat actor to take control of anything from social media accounts, to bank accounts, to crypto wallets. That’s because two factor authentication codes are often sent by text message. And since the threat actor is unlikely to get direct access to your phone, taking over your SIM is the next best option.

The question is, what can you do to protect yourself? Sadly, there’s very little that you can do to stop this from happening. The reality is that telcos need to come up with far better security to stop SIM swap attacks from being executed. The fact that insiders who work for a telco can help to execute a SIM swap, or that someone can simply walk into a telco store with enough information about you along with fake ID and execute a SIM swap, reflects poorly, in most if not all cases, on telcos and their ability to protect their customers. Now I’ve highlighted Bell and Freedom Mobile in this story. But all telcos need to step up their game here, because none of them are doing enough to stop SIM swaps from happening.

Having said that, you can mitigate the dangers that SIM swaps pose. Instead of using text message based two factor authentication, you can use an app-based authenticator like Google Authenticator. For another level of security, you can purchase a physical authenticator token like the YubiKey or Google Titan Key. All of this assumes that the online accounts support these options, of course. But doing any or all of these means that if a SIM swap happens, the threat actors get nothing.

You should also check to see if your online accounts directly support sending authentication codes via an app on your phone. For example, my bank allows me to have two factor authentication codes sent via their app and not via text message. That makes accessing my bank account way more secure because, again, a threat actor gets nothing if a SIM swap happens.

Finally, if your telco has the option to add a PIN (personal identification number) to your account, do it. Pick one that isn’t associated with anything like a phone number or a license plate number. And if possible, see if your telco has the option to let you set your PIN yourself. That way a rogue telco employee can’t use it against you.

So what happens if you are a victim of a SIM swap, as in you notice that your phone is in SOS mode, meaning that it has no service? Time is of the essence if you are a victim. This is what you need to do, in order:

  • First, call your bank and credit card companies and request a freeze on your accounts. This will prevent the attacker from using your funds for fraudulent purchases.
  • Try to “get ahead” of the attackers by moving as many accounts as possible to a new, untainted email account. Unlink your old phone number, and use strong (and completely new) passwords. For any accounts you’re unable to get to in time, contact customer service.
  • Call the police and file a report. This is a crime and it needs to be reported without fail.
  • Contact credit bureaus and request a freeze on your credit. Or at least credit monitoring.
  • Contact the telco in question, preferably in person and get them to not only reverse the swap, but to investigate how it happened. Though from what I have heard, telcos often don’t want to properly investigate SIM swap incidents. And if they do, they tend not to want to talk about it.

Finally, I should also note that some homeowner’s insurance policies include protection for identity theft. But that only means something if you’ve filed a police report. So you should look into that.

As I mentioned earlier, all telcos need to step up here and make these sorts of attacks less viable. But until telcos take meaningful action on SIM swap attacks, you need to take action to protect yourself from being a victim.

Romance Scam Losses Could Exceed $535 Billion

Posted in Commentary on February 13, 2025 by itnerd

On the eve of Valentine’s Day, researchers at Comparitech, Chainalysis and Bitdefender are highlighting the staggering losses observed from romance baiting, also known as pig butchering, scams.

Comparitech estimated that almost 60,000 US romance seekers fell victim to these scams in 2024, resulting in heartbreaking losses of approximately $697 million ($11,616/victim!).

More concerning is an AARP survey that estimated that 4% of Americans have fallen victim to these scams, equating to over 13 million individuals, which is about 3.6% of those officially reported. Researchers estimate the cumulative financial damage from romance scams could exceed $535 billion. 

Chloé Messdaghi, founder of SustainCyber, has this comment:

  “These romance scams and pig butchering operations are getting more aggressive and harder to spot. Scammers are weaponizing AI to create fake profiles, deepfake videos, and run chatbot-driven conversations that feel real—they know how to tap into emotions fast. 

   “We can’t keep placing the burden solely on individuals to ‘watch for red flags’ when those flags are increasingly invisible. Platforms need to step up with stronger fraud detection and identity verification, and financial institutions should be doing more to catch suspicious transaction patterns before people lose everything. This is a collective problem that requires a collective response—tech, finance, and policy all need to work together to protect people from being manipulated and financially gutted.”

Since a major part of what I do is scam related, I’ll offer up this story that I did earlier this week. While it’s not the whole solution, it’s a start in terms of protection from these scams.

Happy New Year… A BMO Text Message Scam Is Making The Rounds

Posted in Commentary on January 15, 2025 by itnerd

A reader of this blog sent me a screenshot of a text message scam that he just received:

Now this is an easy-to-spot scam for the following reasons:

  1. The text message states “We’ve detected unusual activity on your BMO client card starting with 551029.” The thing is, more recent BMO client cards start with that number. There’s nothing unique about it, which means that this text message is being sent to thousands of people and the threat actors are hoping that 1% fall for it because they aren’t paying attention to a detail like that. For the record, BMO, along with any other bank, would use the last 4 digits of your credit or debit card in a situation like this, assuming that they would send you a text message like this at all. More on this in a moment.
  2. The website that is mentioned isn’t “bmo.com” or something like that. This is clearly a website that has been set up to phish your banking details so that they can steal your money. And it goes without saying that you should not click on the link.
  3. Neither BMO nor any other bank would alert you to fraud via a text message. That never, ever happens.

I’m not going to go down the rabbit hole of looking at the website or anything like that, because we already know that this is a scam and should be avoided. Thus if you get a text message like this, delete it and move on with your day.

New PayPal Phishing Scam Exploits Microsoft 365 

Posted in Commentary on January 8, 2025 by itnerd

Researchers have uncovered a scam that targets PayPal users by leveraging legitimate PayPal tools to trick them into linking their accounts to unauthorized addresses, which could give attackers control over their finances. The scammer appears to have registered a Microsoft 365 test domain, which is free for three months, and then created a Distribution List containing victim emails.

The research can be found here: https://www.fortinet.com/blog/threat-research/phish-free-paypal-phishing

What makes this interesting is that this will pass things like DKIM and DMARC. Also, when it is examined by a human, it will pass all the usual tests for phishing. That makes this pretty dangerous, because by the time you figure out that this is a threat, you’ve already been pwned.

Roger Grimes, data-driven defense evangelist at cybersecurity company KnowBe4, commented:

“I’ve seen similar attacks utilizing legitimate platform services, such as QuickBooks, that essentially do the same thing (i.e., uses a legitimate service to send a message from that service with a legitimate, recognizable URL to fool users into participating). I do think it’s important that the vendors involved in these types of scams (in this case, Microsoft and PayPal) work to prevent their services from being used in scams. I don’t think vendors scrutinize participants enough to prevent these sorts of scams. They could be doing more. At the same time, 99% of phishing scams have the same two attributes: 1) They arrive unexpectedly, and 2) Ask the user to do something they have never done before (at least for that sender). Any message, no matter how it arrives, no matter how legit it looks, with those two traits, should be investigated using trusted methods not involving anything communicated in the message before performing the requested action. Teach and drill that into your own behavior and teach others as well.”

Now this is a technique that I have seen before. Specifically here, where I came across another Microsoft 365 related scam that used Microsoft’s own infrastructure to propagate it. Thus I would encourage you to read this report and be on the lookout for these sorts of emails, because the threat actor behind this is clearly taking things to the next level.

A Very Scary Extortion Phishing Email Scam Has Surfaced

Posted in Commentary on December 20, 2024 by itnerd

Yesterday I got a panic call from a client who received a very scary email from someone who wanted Bitcoin, or else some embarrassing videos would be released. This is of course the classic extortion phishing scam. But this one has a twist that makes it very scary. I have reprinted it verbatim with personal information redacted:

[NAME REDACTED], I suggest you read this message carefully. Take a moment to chill, breathe, and analyze it thoroughly. We’re talking about something serious here, and I ain’t playing games. You don’t know anything about me whereas I know you and right now, you are thinking how, right? I know that calling [PHONE NUMBER REDACTED] or knocking [ADDRESS REDACTED] would be a convenient way to contact you in case you don’t take action. Don’t even try to escape from this, I know where your family lives and you have no idea what all I can do in [CITY REDACTED]. You’ve been treading on thin ice with your browsing habits, clicking through those girlie videos and clicking on links, stumbling upon some not-so-safe sites. I placed a Malware on one such website & you visited it to have fun (if you know what I mean). And when you got busy accessing that website, my malware gave me total control over your device and your smartphone started out working as a RDP (Remote Protocol). I can look at everything on your display, switch on your camera to record you, and you wouldn’t even notice. Oh! you guessed it right, I have recorded you and I’ve got access to all your contacts, and social media accounts too. Been keeping tabs on your pathetic existence for a while now. It’s simply your misfortune that I saw your misdemeanor. I put in more days than I should’ve looking into your life. Extracted quite a bit of juicy info from your system. and I’ve seen it all. Yeah, Yeah, I’ve got footage of you doing filthy things in your house (nice setup, by the way). I then developed videos and screenshots where on one side of the screen, there’s the videos you were watching, and on the other part, it is your vacant face. With just a single click, I can send this filth to all of your contacts. Your confusion is clear, but don’t expect sympathy. Genuinely, I’m ready to wipe the slate clean, and allow you to get on with your life and forget you ever existed. I will give you two alternatives now. 
First Option is to turn a blind eye to my email. You should know what is going to happen if you take this path. Your video will get sent to your contacts. The video was lit, and I can’t even fathom the embarrassment you’ll face when your colleagues, friends, and fam see it. But hey, that’s life, ain’t it? Don’t be playing the victim here. Second wise option is to pay me, and be confidential about it. We will name it my “privacy fee”. Let’s discuss what happens if you choose this path. Your filthy secret remains your secret. I’ll wipe everything clean once you come through with the payment. You will make the payment by Bitcoin only. Pay attention, I’m telling you straight: ‘We gotta make a deal’. I want you to know I’m coming at you with good intentions. I’m a person of integrity. Amount to be paid: $ 2000 BTC ADDRESS: [BITCOIN WALLET ADDRESS REDACTED] (Copy it carefully) Once you pay up, you’ll sleep like a baby. I keep my word. And of course: You got one day to sort this out and I will only accept Bitcoins (I’ve a unique pixel in this email message, and now I know that you have read this mail). Once my system will catch that full Bitcoin payment, it’ll wipe out all the dirt I got on you. Don’t even think about replying to this or negotiating, it’s pointless. The email and wallet are custom-made for you, untraceable. If I suspect that you’ve shared or discussed this email with anyone else or online, the shitty video will instantly start getting sent to your contacts. And don’t even think about turning off your phone or resetting it to factory settings. It’s pointless. I don’t make mistakes, [NAME REDACTED]. Honestly, those online tips about covering your camera aren’t as useless as they seem. I am waiting for my payment.

This was sent in the form of a PDF. And that was likely done to evade spam filters which would look for keywords in the body of the email in order to filter out emails like this one. A PDF solves that problem for the threat actor as it is an attachment that at best is scanned to confirm that it isn’t malware, but isn’t scanned for keywords that would indicate that it is a scam.

What makes this specific scam email unique is that the threat actor is using the name, address, and phone number of the recipient. That’s something that I haven’t seen before, and I am sure that it would freak out anyone who receives such an email. The thing is that it isn’t hard to come up with this sort of information. Two methods that come to mind are a data leak of some sort, where a threat actor gets their hands on this information to use it in a scam like this, or Open Source Intelligence, which is the use of publicly available information. Threat actors can use this information to go after a target. In this case, I’m thinking that this came from a data leak. The sort of people who do these sorts of scams need to get thousands or tens of thousands of emails out there hoping that 1% fall for it, which in turn results in a payday for the threat actor. Thus they don’t have time to use Open Source Intelligence to pick and choose their victims. This is strictly a numbers game for them. By the way, you can find out if your email address has been part of a data breach by going to haveibeenpwned.com and typing in your email address.

As for the rest of the email, it has the usual traits of an extortion phishing email:

  • The email claims that the threat actor has installed malware that has recorded you doing “naughty” things. Fun fact, anybody who was capable of creating malware of that sort would be working for a nation state employed to go after high value targets such as politicians and sensitive industries. They would not be trying to get Bitcoin from anyone that they send an email to. So the threat actor is lying about that.
  • The threat actor claims that if you pay them, they will know about it and instantly delete everything. This is also false. Bitcoin transactions are anonymous, so there’s no way the threat actor would know who paid them. As an aside, I checked the Bitcoin wallet that was in the email and there was no Bitcoin in it. So at the time of writing, nobody has fallen for this. Yet.
  • Next up is the purported use of the webcam to record the victim. It is possible to remotely take over a webcam in a laptop. So if you’re the least bit paranoid about that, cover yours with tape. Or you can disable it entirely. Ditto for the microphone as well.

Finally, I will leave you with two pieces of advice. If you’re the least bit concerned about whether your system is compromised, consult a computer professional and have them check things over. It would also be a good idea to make sure your anti-virus is up to date and fully functioning as well.

And my final piece of advice is that under no circumstances should you pay up. It only encourages the scumbag threat actors, which in turn creates more victims. Thus don’t pay them. Ever.

This TELUS Email Scam Is Interesting… Let Me Tell You Why

Posted in Commentary on December 18, 2024 by itnerd

Last night I was watching an episode of Tehran on Apple TV+, which is my favourite show on that streaming platform, when I got this email on my iPhone:

Now I did my usual check of whether this was real by looking at the sender’s email address. And based on this, the email appeared to be real:

I also checked the headers and that confirmed that this was real. And the links in the email went to TELUS as well as evidenced by this example:

So this email meant that someone was trying to log into my TELUS account. That was interesting, as I haven’t been a customer with TELUS for almost a year: I moved my cell phone service to Freedom Mobile to cut my telco costs about this time last year. And there should be no billing information stored by TELUS, as I always paid my TELUS bill using my credit card the second the bill arrived. I confirmed that by going directly to the TELUS web page and logging into my account, rather than clicking on any of the links in the email. I did that because even though the email appeared to be real, it could have been an extremely good fake that was fooling me. Another thing to note is that TELUS uses two factor authentication for their accounts, which is a good thing as it makes it far less likely that a threat actor could break into your account. Combine that with the fact that I had a very strong password (which I would have changed if I could, but I could find no way to change it via either the TELUS website or the mobile app), and I decided to make this a tomorrow problem.

I woke up this morning and I found this in my junk email:

This is your classic phishing email. As evidenced by the fact that TELUS didn’t send this email:

And the “Pay The Bill” link, which by the way is language that a major company like TELUS would never use in a customer-facing email, goes somewhere other than TELUS:

Thus I have to wonder if the events of last night are somehow connected to this phishing email. I say that because it seems too coincidental that both events would happen within hours of each other. I cannot say for sure, and I wasn’t able to investigate this phishing scam further as it looks like the web page was taken down. But what is clear is that TELUS customers are being targeted by a threat actor. And it is possible that this threat actor is more sophisticated than the usual phishing email scammers out there. Thus you need to stay on your toes to avoid being scammed.
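The sender and link checks done by hand in this post, together with the point from the PayPal post above that a message can pass DKIM and DMARC and still be a scam, as an added example that is not part of the original post. It parses a raw message, compares the From domain and the Authentication-Results verdicts against the brand’s domain, and reports any link whose real destination is somewhere else; the two sample messages and every domain in them are constructed.

```python
# Added example, not from the post: the checks the author did by hand, sender
# domain, Authentication-Results verdicts and where each link really goes, as
# code. The sample messages and all domains below are constructed.
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude registrable-domain cut (last two labels): fine for .com/.ca names,
    wrong for suffixes such as .co.uk. An assumption made for brevity."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def auth_results(msg) -> dict:
    """Pull the spf=/dkim=/dmarc= verdicts out of Authentication-Results."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for clause in str(hdr).split(";")[1:]:  # clause 0 is the authserv-id
            token = clause.strip().split()
            if token and "=" in token[0]:
                mech, result = token[0].split("=", 1)
                verdicts[mech.lower()] = result.lower()
    return verdicts


def triage(raw: str, brand_domain: str) -> list:
    """Return findings; an empty list means nothing looked off. That is
    necessary, not sufficient: mail relayed through a legitimate service (the
    PayPal case) authenticates cleanly, so still log in directly, never via
    the message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_addr = email.utils.parseaddr(str(msg["From"]))[1]
    from_dom = from_addr.rpartition("@")[2]
    if registrable(from_dom) != brand_domain:
        findings.append(f"From domain {from_dom} is not {brand_domain}")
    verdicts = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) != "pass":
            findings.append(f"{mech}={verdicts.get(mech, 'missing')}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkCollector()
        parser.feed(body.get_content())
        for href, text in parser.links:
            host = urlparse(href).hostname or ""
            if registrable(host) != brand_domain:
                findings.append(f"link '{text}' goes to {host or href}")
    return findings


# Constructed sample resembling the junk-folder message described above.
PHISH = """\
From: "TELUS Billing" <billing@telus-notice.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=telus-notice.example; dkim=none; dmarc=fail header.from=telus-notice.example
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account is past due.</p>
<a href="http://pay-telus-bill.example/login">Pay The Bill</a></body></html>
"""

# Constructed sample resembling the genuine sign-in alert.
GENUINE = """\
From: "TELUS" <noreply@telus.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=telus.com; dkim=pass header.i=@telus.com; dmarc=pass header.from=telus.com
Content-Type: text/html; charset="utf-8"

<html><body><p>A sign-in to your account was detected.</p>
<a href="https://www.telus.com/my-account">Review activity</a></body></html>
"""
```

Running `triage(PHISH, "telus.com")` reports the foreign From domain, `dkim=none`, `dmarc=fail` and the link whose destination is not telus.com, while the genuine sample returns no findings.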

Here’s A Refund Scam With An Interesting Twist

Posted in Commentary on October 21, 2024 by itnerd

A few minutes ago, I got a scam email that didn’t get filtered out by the junk mail filter on my email server. I’ll get to that in a minute, but first here’s the email:

Now this looks very convincing, but there are some giveaways that this is a scam. If you look at the top of the email you will see this text: “Hello, noreply5@ToddHolmesCo. onmicrosoft. com”. That suggests that it is being mass emailed. On top of that, it appears that it was sent by PayPal Mexico, as evidenced by this:

Looking at the headers further confirms this: it was actually sent by PayPal Mexico. But there’s more. There’s a link that says “Pay now” which, to my surprise, actually goes to PayPal:

So what this looks like to me is that the threat actors behind this scam are trying to get you in one of two ways. If you aren’t paying attention and you actually pay this, the threat actors win. But if you call them to dispute this, you fall into the “refund scam” trap where the threat actors will weave a story that will prompt you to give access to your computer to the scammers so that they can steal your money. Thus again they win. I have to admit that this is crafty.

To confirm this, I have forwarded the email along with the headers to PayPal for investigation. If they confirm that my observations are accurate, then this is a pretty scary development as it illustrates that scammers are evolving. The other thing that I have done is posted this on a number of scambait forums so that the scambait community can go after these people and disrupt their activities.

More info as it comes.

How Scammers Are Using Google Ads To Get You To Fall For Their Scams

Posted in Commentary on October 21, 2024 by itnerd

One thing that I always cover when I speak to community groups about avoiding scams is to not trust the results that search engines provide. Simply put, scammers can use a variety of techniques to put themselves ahead of legitimate phone numbers and websites on Google. That in turn makes it far more likely that someone will engage with that ad and fall for a scam, because scammers leverage the fact that humans tend to click on the first or second search result when they look for something.

Here’s an example of that that I found on Reddit yesterday:

Now I wasn’t able to replicate this search result, which implies that the ad might have been taken down. You’ll note that I said ad in the previous sentence, as this is an advertisement that is designed to pop up when certain keywords are used. In this case, “Bell Internet Customer Service”. This isn’t a new technique that scammers use to prey on the unsuspecting. But it is the first time I have seen it in association with a Canadian telco like Bell. Now you’re likely wondering how I know that this is an ad. For starters, it says “sponsored” right above the words “5G mobile”. And if you see that word, that isn’t a search result that you can rely upon. Ever.

So what happens when you go to 5gmobilebell.ca? You go to this website:

In terms of look and feel, this isn’t even in the same star system as Bell’s website. So while it is possible that someone might get fooled and fall for this, I would imagine that their success rate would be pretty low. That’s further reinforced by this:

Clearly these losers used a template to build this website and couldn’t fill out even the most basic details of the template. But again, that likely won’t stop someone from falling for it and calling the number.

As for calling the number to find out what the scam is, I tried calling but didn’t get an answer. But a few minutes later I got a call back from a US number, which was clearly spoofed, as Bell, a Canadian telco, would never call you from a US number. I couldn’t be bothered to answer the call, as the effort level put in by these scammers is pathetically low. So I turned this information over to the scambait community to see if they can have some fun with these losers. Having said that, this could easily have been far more dangerous, because this scam started with the technique of buying ads to ensure that it pops up at the top of Google’s search results, a technique known for being successful at separating people from their money. That means that you need to be aware of this so that you don’t end up being one of those people who are separated from their money by a scammer.

A Canada Customs Text Message #Scam Is Making The Rounds… And This #Scam Is In The US As Well

Posted in Commentary on October 8, 2024 by itnerd

Just this morning, after taking a look at this scam, I came across a text message scam that is operating in Canada. It starts with this text message:

Some random observations here:

  • This was sent as an iMessage. That means the sender can potentially see if you’ve read it or not. Though they want you to reply with a “Y” so that they can be sure that the number they sent it to is live.
  • The fact that this is an iMessage also makes it very easy to deal with. Simply click “Report Junk” and you’re done with it as it will delete it from the messages app on iPhone and Apple will presumably handle everything else. I recommend that this is the course of action that anyone who gets this message should take.
  • It’s being sent from a country code, +63, which is the Philippines. That means this message was not sent by “Canadian Customs,” which, by the way, is actually called the Canada Border Services Agency. Clearly the threat actor isn’t aware of that.
  • Canada doesn’t have ZIP codes. We have postal codes. Another sign that this is a scam. And another sign that the threat actors don’t have a clue about Canada.

Now unlike the scam that I covered earlier today which went away and came back, I wasn’t able to investigate this one as it appears that someone has redirected it to the real Canada Post website. So nobody who gets this message will fall for this scam. But the thing is, this scam is operating in other places. While researching this, I came across a Reddit thread that has this:

Different phone number. Slightly different text. But it comes from the same country and it’s clearly the same scam. Just with a US spin to it. The person who posted this to Reddit replied with an insult that I will not translate. But that was a dumb move as the threat actors now know that this number is live. Which means even if Apple blocks the number that this message was sent from, the threat actors will simply send stuff from another number. But what this illustrates is the fact that these threat actors are acting on a large scale to see if they can get a payday. Thus regardless of where you are, you need to keep your wits about you so that you don’t become a victim of a scam like this.