Major telco fails to expose alarming rise in SIM swap fraud
Telecommunications companies are failing basic cyber security measures despite regulatory crackdowns, with the latest Dodo breach affecting more than 1600 customers and resulting in 34 illegal SIM swaps.
On Saturday, Dodo owner Vocus announced a cyber breach in which hackers gained access to customers’ email accounts, ultimately leading to 34 illegal SIM swaps across its Dodo and iPrimus brands.
The telco first noticed the hacker activity on Friday, suspending services to contain the breach before announcing it publicly the following day. By Sunday, affected customers had regained access to their accounts.
The incident comes amid heightened public focus on cyber security in the telecommunications sector, following the Optus outage which impacted triple-0 calls and recent Qantas hacks threatening millions of Australians’ private data.
What is SIM swapping fraud?
SIM swapping fraud is a form of identity theft where criminals transfer a victim’s mobile phone number to a SIM card in their possession, hijacking the victim’s phone service.
Attackers first gather personal information through data breaches, phishing emails, or by compromising email accounts.
They then contact the victim’s telecommunications provider claiming they need a replacement SIM because their phone was lost or damaged.
If verification processes are inadequate, staff activate a new SIM with the victim’s number, immediately disabling the original SIM.
With control of the phone number, criminals can reset passwords and bypass two-factor authentication on banking apps, cryptocurrency exchanges and email accounts.
IDCare, a not-for-profit supporting victims of cyber scams and identity theft, reports average losses of around $16,000 per victim of SIM swap fraud.
ACMA responses
In 2024, the Australian Communications and Media Authority fined Telstra $1.5m for failing to perform requisite authentication processes in 168,000 “high-risk customer interactions”, including SIM swap requests.
Monash University Software Systems and Cybersecurity Professor Nigel Phair says the repeated failure of major telecommunications companies to implement basic security measures is astonishing.
“It’s organisations that just aren’t doing the basics, and this is reasonably basic cyber security hygiene for their customers,” he said. “I think we have the regulations, we have the laws, they’re all there now. It’s how they get used.”
Professor Phair warned that as e-SIMs become increasingly popular, further cutting physical store interactions, more advanced identity verification, including facial recognition, would be necessary.
Rules failing to keep pace
In 2022, ACMA imposed new rules on telcos requiring multi-factor authentication and calling devices to confirm ownership. IDCare says that when the rules were introduced, the number of cases “dropped dramatically”, but recent years have seen a staggering increase.
IDCare data shows 453 confirmed cases of SIM swap and phone porting scams in calendar 2024, a 240 per cent increase compared to 2023. In the first half of 2025, cases were 25 per cent higher than in the second half of 2024.
In response to questions from this masthead, ACMA pointed to data collected from the launch of the new rules until financial year 2023-24, but not beyond.
ACMA’s data shows SIM-swap reports dropped from 670 in 2021-22 to 235 in 2022-23 (a 65 per cent decrease), and dropped further to 180 in 2023-24 (a 23 per cent decrease).
An IDCare spokesperson said: “When ACMA introduced legislation in 2020, the number of cases declined dramatically. However, there has been a significant concerning increase in the last year, suggesting new measures need to be introduced.”
IDCare noted that in 90 per cent of cases SIM swaps occur without any prior engagement with the victim, suggesting criminals are using credentials from past data breaches or email compromises.
The organisation recommends “more friction” in telco verification processes, including requiring second authentication from the account holder, ID verification from both losing and gaining carriers (rather than just gaining carriers as the system works currently) and better staff training.
Vocus response to SIM concerns
In response to questions regarding which stores the SIMs were purchased from and if Vocus intends to compensate victims of the hack, a Vocus spokesperson said: “The SIM swaps involved the unauthorised party replacing a customer’s active SIM with a different Dodo SIM purchased from a few third-party retail locations, and the swap was made via Dodo customer service online using the standard industry-wide process for authentication. We have worked with impacted customers to reverse the SIM swaps and we continue to monitor this situation.”
Monash Uni’s Professor Phair said everything in the modern world is so phone-centric it’s shocking more hasn’t been done to regulate telcos similarly to Australia’s banks.
“The banks are very mature,” he said. “And, as an industry, you’d like to think the telcos would be equally mature.
“The thing is, we live and breathe our whole world on our mobile device. That’s the importance that needs to be parlayed to the sector – you’re lost without it.”
This article first appeared in The Australian as Telco rules failing to prevent surge in costly SIM swap fraud attacks