Protecting Your Phone from a “Port-Out Scam”


Looking to protect your bank accounts? One of the most common security options is to send one-time codes to your phone. Every time you log in, a new code is texted to you. But what if someone steals your phone number, so they receive your codes instead? Today we’re going to chat about this threat and the steps you can take to protect yourself from these so-called “port-out scams.” 

What is a port-out scam? 

A “port-out scam” doesn’t sound very alarming, but it’s something you never want to happen to you. If you’ve ever switched cell phone providers, you know that you can switch while keeping your existing phone number. Normally, that’s a great convenience – you don’t have to switch phone numbers every time you switch providers!  

However, hackers have figured out how to use this to their advantage. In a “port-out scam,” hackers transfer your phone number to another mobile carrier. That way, they start receiving your text messages and phone calls, including any access codes texted to your number when they try to break into an account, such as a bank account or credit card. You may not even realize anything is happening because you will no longer be receiving those texts and alerts.

How can I protect myself from a port-out scam? 

Prevention is key, and just knowing the right settings to turn on can make a big difference. Here’s where you should start: 

  1. Add a security PIN to your account. For some carriers, you can do this online; for others, you’ll need to give them a call. Once you activate the PIN, you’ll be required to provide it before you can port your phone number or activate a new SIM card.
  2. Make the security PIN unique and random. If your PIN can be easily guessed or has the potential to be leaked from another website, it’s not actually making your account more secure. So, use a random PIN that you won’t use anywhere else. 
  3. Store the information in a password manager. Keeping track of all the PINs, passcodes, and passwords for all of your accounts is hard. Use a trusted password manager like LastPass to store everything in an encrypted vault, where you know you can find it when you need it. 
  4. Watch out for alarmist, take-action-now-or-else messages. When you see these types of messages, understand that they are trying to scare you into doing something impulsive. Instead, pause, look for clues (Do you trust this source? Can you call the company/friend/coworker to verify the contents?) and proceed with caution.
  5. When in doubt, call or go directly to the website. The safest thing you can do is go directly to the company that claims they need you to do something. Log in to your account and check there. Or, give their customer service a call.  
  6. Use every security option your bank makes available. Turn on the alerts they offer for suspicious account activity. If possible, use app-based two-factor authentication options over SMS-based codes. Even an email can be safer than text-for-PIN authentication. If text-based codes are your only option, still turn them on, but then make sure you’ve done step #1 above. 

Security works in layers. When it comes to your bank account, it’s not just about using a strong password. You also need to think about the email address that you use when logging in (are you protecting your email account?). You need to account for the phone number where you receive one-time codes (are you protecting your phone?). And what about the device you’re logging in from (are you on a trusted connection? Are you taking basic precautions against malware?)

All of these factors work in layers to create a web of security (or insecurity) around your bank account. Once you’ve put the above tips into place, though, you’ll have drastically reduced your risks of a port-out scam happening to you. 

11 Comments

  • Robinoz says:

    In Australia you can’t have two phone numbers the same with different telecom providers. Is this the case in the US? If so, it seems to be a flaw in the system. To get a phone number here, you need to show several forms of identity so that all phones are traceable to the person who registered them.

  • Gail says:

    What is “text messages with a passcode”? I open my phone with a passcode, then click “messages” to text. Is that the passcode you are referring to?

  • A Longtime Lastpass User says:

    Very good advice. I also suggest people get a separate email account just for banking and other sensitive accounts. Then, use that email, instead of using SMS text messaging, for 2-factor authentication.

  • Larry says:

    Hey Leah! You didn’t answer Ken’s question! I have the same question.

    • Leah Bachmann says:

      You’re right, thanks! “Porting your number” means transferring your phone number from one provider/device to another one.

  • Ken Bednar says:

    What does “port your phone number” mean? Never heard of it. “SMS-based codes” is lingo for text messages with a pass code. Please use common terms. Most of your users are lay persons not working in the tech field.

    • Leah Bachmann says:

      Thanks for the feedback Ken. We will keep this in mind for future posts.

    • Leah Bachmann says:

      Hi again Ken,
      Also, to answer your initial question. “Porting your number” means transferring your phone number from one provider/device to another one. Thanks again for the feedback!

    • David de Beer says:

      Actually, for most Europeans ‘SMS based codes’ would be the comprehensible, very clear phrase, whereas the suggested text might raise questions.