By The Most Secure Man Alive | WISECLICK Ambassador
There was a time when you could lose your phone and the worst that happened was you'd miss a few calls.
That time has passed.
A friend rang me a few weeks ago. Calm, but in that particular tone people use when they're trying very hard to be calm. His phone had stopped working at about 9am — no signal, no calls, no texts, just a strangely quiet handset. He'd assumed it was the network. He'd called his telco from a borrowed phone. His telco had told him, very politely, that his number had been transferred to another carrier at his request the night before.
It hadn't been at his request.
By 11am someone had used a code sent to his number to reset the password on his email. By midday they'd reset his banking. By the time he sat down with me to work through what to do, they'd been inside his life for about six hours. He'd lost a small amount of money — small by the standards of these things — and a great deal of sleep.
I find phone numbers fascinating, in the way one might find a key fascinating. People used to carry one key. Now everything in your life unlocks with one number.
This is the post about that.
What's actually happening
There are two things people mean when they say "my phone got hacked," and they're worth telling apart.
The first is a SIM swap. Someone walks into a phone shop, or rings a call centre, or uses a self-service portal, and convinces the telco they are you. The telco issues a new SIM card with your number on it. From that moment, every text and call meant for you arrives on the criminal's device. Yours just goes quiet.
The second is a port-out — the same idea, but the number is moved to a different telco entirely. Slightly different mechanics, identical outcome.
The technicians can argue about which is which. The criminals don't care, and neither will you, when it happens.
Australian telcos have improved port-out protections in recent years — port-outs now often include an SMS authorisation step, though it shouldn't be treated as a guarantee. Some carriers offer PINs you can set on your account, with varying levels of consistency. SIM swap, the within-network version, is the gap that's still being closed. Some carriers will only do a swap in-store with photo ID. Others let you do it with a PIN over the phone. A few prepaid services have, until recently, asked for very little at all.
I tend to assume the lock on my front door is only as good as the locksmith who'll cut a new key. The same is true here.
Why it matters more than people think
Here's the part that catches most small business owners by surprise.
When someone takes over your phone number, they aren't really after the phone number. They're after everything the phone number is allowed to unlock.
Your bank sends a verification code to your number. So does your accounting software. So does your email. So does your superannuation account, your domain registrar, your Facebook business page, your Xero, your Stripe, your Shopify, your customer database. Most of the systems your business runs on use your phone number as the proof that it's really you. Take the number, and you have the proof.
It's an arrangement that made sense in 2010. Things have moved on.
Recent reporting from the Australian Cyber Security Centre puts the average cost of a cyber incident for an Australian small business at around $56,000. SIM-related incidents tend to cluster towards the upper end of that range, because once someone has your number, access to other accounts can escalate quickly.
For sole traders the risk is sharpest. Your phone is your business. It's your contact channel, your authentication, your card reader, your scheduling. When it goes quiet it doesn't just go quiet — your whole operation does.
Some say he keeps two numbers. One for the world. One for the bank. He says he likes a tidy desk.
Three things I do, and recommend
I'll spare you a list of fifteen things. Three is enough.
One. Set a PIN with your telco — and allow more time than you'd think.
Most major Australian carriers offer some form of additional account protection — though how consistently it's exposed and how easy it is to set up varies considerably.
Telstra is generally the most straightforward — an Account Security PIN you can set via the My Telstra app, online, or by phone. Usually quick if you know what to ask for.
Vodafone often requires identity verification for SIM changes, frequently involving photo ID. The friction itself functions as a security layer.
Optus takes more effort in practice. Customer-set protections aren't always clearly surfaced through standard channels, and you may need to be patient — and persistent — to have controls applied. If front-line support can't help, ask to be escalated to the team that handles fraud and account security. Allow more time than you'd expect, and don't accept "no" as the final answer.
The smaller resellers — TPG, Aldimobile, Belong, Boost, amaysim — vary in what they offer and how easy it is to set up. Most have some form of account protection. Call your provider and ask specifically what they offer.
The conversation worth having, whichever telco you're with, is this:
"I want port and SIM swap protection added to my service. Specifically — any SIM swap or port request must be verified against a credential I set, with no override available through standard customer service channels."
That's the specific protection. Anything less is generic account monitoring, which is a different thing entirely.
If you hit a wall, the Telecommunications Industry Ombudsman (TIO) is the formal escalation path for unresolved telco issues — and mentioning them tends to focus the conversation.
Two. Move important multi-factor authentication (MFA) off SMS.
The Australian Signals Directorate has been quietly recommending this for years, and the recommendation has only sharpened. SMS-based two-factor authentication was a brilliant first step in 2014. It is now the weakest of the second factors, because it's the one a SIM swap directly defeats. App-based authenticators — Google Authenticator, Microsoft Authenticator, Authy, 1Password's built-in tool, the one your password manager already includes — generate codes on the device itself. A SIM swap doesn't touch them. For the accounts that matter most (banking, email, accounting software, payment processors), switch the second factor from SMS to app. It takes about ten minutes per account.
The codes still change every thirty seconds. They just never travel over the network, so the device a stranger is holding has nothing to receive.
Three. Treat your phone number like an unlisted address.
Most of us put our mobile number on every form, every signup, every loyalty card and every public website we own. There's a quieter habit worth adopting: a separate number — a Google Voice line, a second SIM, even a cheap prepaid — for accounts where you actually need authentication. Your business landline (or VoIP equivalent) for anything customer-facing. Your private number for the systems that protect your money.
The criminals can't take a number they don't know you have.
What to do if it happens
There's a particular kind of silence a phone makes when its number has been taken from you. It is not the silence of a bad signal. It is somehow more present.
If you suspect it's happening — your phone has gone unexpectedly dead, you're getting password reset emails you didn't request, your bank rings to ask about a transaction you didn't make — move quickly, calmly, and in this order:
- From any other working phone or computer, ring your telco and tell them the number has been compromised. Ask for an immediate freeze and a SIM reissue with photo ID required.
- From the same other device, change the passwords on your most sensitive accounts — email first, then banking, then anything financial. Use long unique passwords; your password manager already has them or can generate them.
- Switch every important MFA from SMS to an authenticator app, while you're already in there.
- Call your bank directly on the number printed on your card, not any number a stranger has just texted you. Tell them what's happened. Ask them to flag the account and reverse what they can.
- Report the incident to ReportCyber at cyber.gov.au — and to IDCARE on 1800 595 160. IDCARE is free, government-funded, and remarkably calm. They've done this many times.
The first hour is the only hour where speed beats almost everything else. After that, it's procedure. The procedure is well-trodden, and you are not the first person to walk it.
The bigger picture
A phone number used to be just a phone number. Now it's a key — perhaps the master key — to the digital version of your business.
That isn't a story to be alarmed by. It's a story to be aware of. The fix is small and entirely within your control: set the PIN, move the MFA, keep the number quiet.
I find these things genuinely satisfying to handle, in the way one might enjoy putting a particularly stubborn jar lid back on properly. A small action. A specific outcome. The world, very slightly, more secure than it was.
These are not complicated. They simply go unattended by most people.
Most breaches are not sophisticated. They're simply unattended.
Frequently asked questions
What's the difference between a SIM swap and a port-out scam?
A SIM swap moves your phone number to a new SIM card with the same telco. A port-out moves it to a different telco entirely. The mechanics differ slightly — port-outs now often include an SMS authorisation step that SIM swaps don't always trigger — but from your point of view the consequence is identical: your phone goes quiet, and someone else starts receiving the codes that protect your accounts.
How do I set an account PIN with my Australian telco?
Most major Australian carriers offer some form of additional account protection — though how consistently it's surfaced and how easy it is to set up varies considerably.
Telstra is generally the most straightforward — an Account Security PIN you can set via the My Telstra app, online, or by phone.
Optus takes more effort in practice. Customer-set protections aren't always clearly surfaced through standard channels — you may need to be patient and persistent, and ask to be escalated to the team that handles fraud and account security if front-line support can't help. Allow more time than you'd expect.
Vodafone often requires identity verification for SIM changes, frequently involving photo ID — which functions as the security check.
TPG and the smaller resellers vary considerably — call your provider directly and ask: "How do I add a requirement that any SIM swap or port request must be verified against a credential I set, with no override available through standard customer service channels?" The answer they give will tell you a lot about the carrier.
Is SMS two-factor authentication really that weak?
SMS-based two-factor was a strong first step when it was introduced. It's no longer the strongest. The Australian Signals Directorate recommends app-based authenticators for accounts that matter — banking, email, accounting software, payment processors. SMS is still better than nothing. But on accounts you genuinely cannot afford to lose, an authenticator app is the better choice. The reason is simple: a SIM swap directly defeats SMS-based codes. It cannot defeat a code generated on the device in your hand.
What's the best authenticator app to use?
Honestly, any of the major ones. Google Authenticator, Microsoft Authenticator, Authy, and 1Password's built-in tool are all genuinely good. If your password manager already includes an authenticator (most do), use that one — fewer apps to keep track of. The most important thing is that you actually use it, and that you back up your recovery codes somewhere safe so you don't lock yourself out if you change phones.
Can my business landline be hijacked the same way?
Less easily, but not impossibly. VoIP business numbers can be ported between providers using similar processes. The risk is lower because business landlines aren't typically used for personal banking MFA. But if your business uses a softphone or VoIP service, it's worth applying the same logic: set strong account passwords, use a PIN where the provider supports one, and keep the recovery email separate from the account itself.
What should I do in the first hour if my phone goes dead and I think I've been targeted?
The five-step procedure earlier in this post, in order. Ring your telco from another phone. Change the passwords on your email, banking, and financial accounts from another device. Switch important MFA from SMS to an app. Ring your bank directly using the number on your card. Report it to ReportCyber and IDCARE. The order matters — the telco call comes first because every minute the criminal has the number is a minute they can use it.
Will my bank cover losses from a SIM swap fraud?
It depends on the bank, the circumstances, and how quickly the fraud is reported. Australian banks have improved considerably on this — most major banks will work with you in good faith if you report quickly and have taken reasonable security precautions on your end. The faster you report, the better the outcome tends to be. IDCARE can help you navigate the conversation; they've done it many times.
How does ASD's Essential 8 protect against this?
The Essential 8 is the Australian government's cybersecurity checklist for every business. Several of the eight controls directly reduce SIM swap risk: multi-factor authentication (especially app-based, not SMS-based), restricted admin privileges, and good password practices. The Essential 8 Gap Assessment tells you exactly where your business stands across all eight, and which gaps to close first. 20–30 minutes depending on the individual. $149. Plain English. No sales call afterwards — just your score and what to do with it.
Want to know how the rest of your security stacks up?
The Essential 8 Gap Assessment shows you exactly where your business stands — across all eight controls, in plain English.
20 minutes. No tech knowledge needed. $149.
Stay protected, my friends.
— The Most Secure Man Alive