Megan Clifford was at work when her phone turned off.
Minutes before her phone stopped working on Jan. 8, Clifford received a text message from her cell phone carrier, T-Mobile, saying her online account password was changed and to call the company if she hadn’t made the request. When she got a T-Mobile representative on the phone about 30 minutes later to tell them she hadn’t made any changes, she was too late. The hackers targeting her had already taken oven her account and transferred her cell phone number to a different carrier.
That was just the beginning of Clifford’s month-long struggle to reclaim her identity. While she was still on the phone with T-Mobile, she said she started getting other email alerts: Money from her Bank of America and Chase accounts was being transferred to a “name I didn’t recognize.” That’s when she realized the magnitude of her problem: Now that someone had her cell phone number, they could get into her bank account and gain access the common apps she had on her phone, including Venmo and iTunes.
“I realized I had to tell T-Mobile I have to call them back because it was more urgent that I lock up my bank account information,” she said.
“You have to change every account, your Spotify — literally everything that’s connected to your phone number,” Clifford said. “It stops working and you can have to call customer service. I had to pay other fees too because I had no bank account, and payments were hitting and I couldn’t pay them. I couldn’t even go to the gym.”
Clifford, who asked that her age, occupation and hometown not be published due to privacy concerns, is just one victim of an ongoing cell phone “porting” scheme — a scam that all of the major wireless carriers are dealing with, according to Brian Krebs, an investigative journalist and cyber security expert. Hackers use this technique to circumvent two-factor authentication, a popular security measure wherein a randomly generated code is texted to users’ phones after they input their password. The problem? Once someone steals your phone number, two-factor authentication can no longer protect you because all of the codes are being sent directly to the hacker.
And while people can practice good password hygiene in an attempt to avoid falling prey to these hackers, personal information can still be jeopardized in other ways, like corporate hacks. In fact, T-Mobile customers may have been more susceptible to the attacks due to a data breach at T-Mobile in 2017 that left many customers’ information vulnerable. That security flaw came on the heels of a previous T-Mobile data breach in September 2015, when credit reporting agency Experian was hacked and “an unauthorized party accessed T-Mobile data housed in an Experian server,” according to T-Mobile’s website.
While exact numbers aren’t available on how widespread the unauthorized porting problem is, AT&T, Sprint, Verizon and T-Mobile together established a Mobile Authentication Task Force in late 2017.
A T-Mobile spokesperson said these are industry-wide issues, but did acknowledge a recent “uptick” in cell phone hijacking. T-Mobile representatives told MONEY that the company initially sent a text message earlier this year to millions of its customers about the ongoing scams, and would resend it to customers “who didn’t take action the first time.” The company declined to discuss any details about customers’ experiences or when it first learned of the porting scams.
A community of cell phone porting fraud victims
Dozens of other T-Mobile customers affected by this kind of hack have joined a Facebook support group Clifford started called Victims of T-Mobile Porting Identity Theft Scam — six of whom shared similar stories with MONEY about the personal fallout they’ve dealt with after having their numbers ported without their consent.
For Clifford, her problems multiplied after she learned her cell phone number had been fraudulently ported. When she first called T-Mobile, the representative she spoke with was unaware of the cell phone hijacking scam she was trying to describe. “They had no clue what was going on, even though it happened to many people and they eventually sent a text message about it,” Clifford said. “They didn’t have any policy or procedure to get it fixed right away.”
In total, she estimates she lost at least $3,500 from the ordeal — the equivalent of more than a month’s salary for the average American, according to the Bureau of Labor Statistics. The stress and loss of time dealing with the ordeal took a toll, too. Clifford, who is pregnant, described the next month as a blur. She spent the first trimester of her pregnancy in an endless cycle of phone calls with banks and T-Mobile between making trips to the local police station to file fraud claims. Many of those calls were about the $6,000 that was fraudulently transferred out of her account — money that Chase told her she could not get back right away because it was a direct-deposit transfer, not a debit- or credit-card transaction. It took 21 days for the bank to return that money. The bank also froze $14,000 in another one of her accounts, which resulted in her incurring interest and late fees on other bills. None of her direct debit transfers worked either, so bills for utilities like water and trash didn’t go through, and Clifford had to pay fees for voided checks, too.
As with Clifford, a common thread throughout victim’s stories is the money was stolen from their bank account using Zelle, a Venmo-like payment app that lets users transfer money instantly, and has recently been adopted by dozens of banks. People who have used Zelle outside of the T-Mobile porting scam have also had money stolen or unauthorized transactions carried on their accounts, in some cases with Zelle refusing to reimburse them, according to personal accounts recounted to MONEY and recent reports from The New York Times. Zelle told MONEY “consumers are never liable for unauthorized activity on their accounts. When fraud is reported, or identified, we take immediate steps with our participant banks to investigate and take action, in order to prevent further abuse.” Chase spokeswoman Elizabeth Seymour said it is “monitoring this closely,” and reimburses customers affected by unauthorized Zelle transactions.
And while Clifford’s money was stolen through Chase and Bank of America accounts, a majority of people in Clifford’s Facebook group whose T-Mobile numbers were hacked had Wells Fargo bank accounts. John Nowicki, a physician and member of Clifford’s Facebook group, said Wells Fargo knew what had happened to his bank account as soon as he walked into his local branch outside of Seattle, Wash. on Jan. 24 to tell them he had been hacked. “It was the bank that told me what happened,” he said. “They said, ‘You don’t happen to have T-Mobile, do you?’ And I said, ‘Yeah.’ So they said, ‘We’ve had this issue where T-Mobile customers have had their number ported and then their money stolen from their bank account.'”
A Wells Fargo representative said the bank is aware of the porting scam and has taken a “number of steps to protect customers,” but could not provide specific details about customer’s experiences or their policies.
Unfortunately, this experience has become commonplace for the millions of Americans who have been affected by these types of corporate hacks. And security experts recently told MONEY there is not much consumers can to do protect their private information — a startling reality as more major companies like Equifax, Uber and Yahoo fall victim to hackers.
Two months after her cell-phone hacking nightmare began, Clifford’s life has mostly returned back to normal. She and her husband had to freeze their credit and set up credit monitoring. She got back the 65,000 points, worth roughly $600, on her credit card. But she never got her cell phone number back. Clifford and other victims say the invasion into their privacy has caused long-term changes in their lives — specifically to how they handle their personal information and the companies who have access to that data.
Ben Malek, who owns his own electronics company based in Tampa, Fla., said after his cell phone number was fraudulently ported out, a credit card was taken out in his name and maxed out in the same day, in addition to money being stolen from both his personal and business bank accounts. He said T-Mobile, which normally sends an email confirming any transactions, ported out his number without notifying him. “Not a single notification,” he said. Just like Clifford, “The only reason I found out is because my phone stopped working.”
His debacle continued to follow a similar pattern as Clifford’s. “I got an email from Wells Fargo saying, ‘Thank you for contacting us. Please rate the representative that helped you over the phone,” he said. “I called them and said no changes were made. I received an email from Amtrak welcoming me to my upcoming trip to Washington, D.C. — I had no trip planned there. I pretty much thought everything was gone that night.”
Like Clifford, he said many of the T-Mobile representatives he spoke to had no idea what he was talking about when he called to resolve the problem. Once they did, the company still offered no monetary credits or apologies.
And ironically, prior to this incident, Malek said his phone number was one of the only things that made him feel secure, specifically because of two-factor authentication.
“It was very troubling for me,” he said. “It’s like you have a security system in your house and then you find out people are able to easily call your security company and say, ‘Hey please don’t let the alarm go off,’ and they say, ‘OK sure no problem.'”