What scammers can do with just a phone number

Our mobile numbers are often in the public domain, so here’s how to avoid scams and phishing

People don’t treat their phone numbers like secrets in the same way they do passwords. You should assume that your mobile number is in the public domain and you may get calls from people you don’t know – including criminals.

The fundamental danger of someone having your number is that they can phone you up and try to scam you. But information a scammer can find alongside that phone number on the internet can be used against you.

SMS phishing

Scammers can also use your number to find out who your mobile provider is, and then call you or SMS you pretending to be from that provider.

The SMS could contain a link to a fake website that harvests your credentials (that they then “stuff” into other websites in the hope you’ve reused your password). Or it could drop a piece of malware onto your phone that slurps up all your activity, including messages, emails, contacts and passwords.

Scams and social engineering

If they use your number to call you, they employ a tactic called social engineering. By divulging other snippets of information they’ve already found about you online, they cleverly persuade you to act promptly to resolve an issue, with your bank for example, and make you so flustered that you give them your password.

For example, if someone phones you, saying they’re calling from your bank and have noticed unusual activity on your credit card, you’re already in a state of some panic. They feed you some information about yourself to make you believe they’re legitimate – perhaps your name, your address, maybe your email address. They may ask you for some details “to confirm that it’s you” to give an air of security: fairly innocuous details such as your postcode or your middle name. Then at some point in the call, they’ll ask you for more private information, such as your account number, password or PIN.

How to protect yourself from mobile scams

Of course, many of us need to give out our mobile numbers. Company-owned numbers, or even private numbers if we’re self-employed, are essential for our business.

But to combat mobile-based fraud and scams we need to do the following:

  1. Never reuse passwords. Use a password manager to keep track, and use a strong, unique password for every single website.
  2. Add 2FA (2-factor authentication) on every website that offers it.
  3. Use mobile security like Traced to prevent credential harvesting from rogue WiFi, malicious apps and websites.
  4. Never click a link in an SMS or email you weren’t expecting. Always go to your account on the website first, log in and look for messages that way. Or, if you’ve got the Traced app, we’ll check the link for you to tell you if it’s pointing to a malicious URL.
  5. Be alert for social engineering scams. Never be pressured on the phone to give out passwords – no bank or online account will ever ask you for your password over the phone. If in doubt, hang up, and call the alleged organisation back using a public number from the internet.