So this happened to my colleague at work a few months back. She walked into the office one morning, sat down with her coffee, and within about ten minutes had three missed calls from numbers she didn’t recognise. When she rang one back, the woman on the other end was furious. Apparently she’d been called repeatedly from my colleague’s number and told her bank account had been compromised.
My colleague had been home all morning. She hadn’t called anyone.
It took a while for it to sink in, and honestly watching her try to explain that to increasingly sceptical strangers all day was exhausting for everyone involved. It’s that specific kind of helpless feeling where something bad is happening and it has your name on it and there is absolutely nothing you did to cause it.
If this has happened to you, or you think it might be starting to happen, here’s what’s actually going on and what you can do about it.
First, What’s Actually Happening to Your Number?
What is phone number spoofing?
Spoofing is when a scammer sends calls or texts that show up on someone else’s screen as coming from your number, even though they’re calling from somewhere completely different. They haven’t broken into your phone. They’re just using your number as a disguise, like putting on a mask before they rob the bank. Very low-budget supervillain behaviour, really.
It’s technically legal in Australia when used legitimately. Companies do it all the time so their calls display a single callback number rather than a random overseas one. When scammers do it to defraud people, that’s where it becomes illegal, and unfortunately that line gets crossed constantly.
What is a SIM swap, and is that what’s happening to me?
A SIM swap is a different and considerably more alarming situation. This is when a scammer contacts your mobile carrier, pretends to be you with enough of your personal details to be convincing, and gets them to transfer your number to a SIM card the scammer controls. From that point on, your calls and texts go to them. That includes the SMS verification codes that protect your banking apps, your email, your myGov account, everything.
Scamwatch and the ACMA put out a joint warning about this recently because it’s becoming more common. Anyone can be targeted, but if you’ve ever been caught up in a data breach, your risk is higher because scammers may already have enough of your details to pull it off.
The two situations feel very different. With spoofing, your phone still works fine and you’re mostly dealing with confused or angry callbacks. With a SIM swap, you’ll suddenly lose signal for no obvious reason, stop receiving texts, or find yourself locked out of accounts you definitely haven’t touched. If it’s the second one, you need to move quickly.
What to Do Right Now
Call your mobile carrier first
Don’t do anything else first. Ring Telstra, Optus, Vodafone, or whoever you’re with, and explain what’s happening. If you’re being spoofed they may not be able to stop it outright, but they can flag your account and walk you through your options. If you suspect a SIM swap, they can lock your account down and reverse the transfer before more damage is done.
One thing that matters here: do not use a phone number from any suspicious message or email to make this call. Go directly to your carrier’s official website and use the contact number listed there. I know that sounds like obvious advice, but when you’re panicking it’s genuinely easy to grab the first number you see.
Change your passwords, even if you think nothing has been accessed
I’m aware we all have the same password we’ve been using since 2003 with a capital letter and an exclamation mark bolted on the end. This is the moment to finally deal with that. Start with the accounts that matter most: banking, email, myGov. Use something different for each one.
While you’re in there, look at how your two-factor authentication is set up. If it’s sending codes via SMS, switch to an app-based authenticator like Google Authenticator or Authy where you can. SMS codes are exactly what scammers are after in a SIM swap, so removing that dependency is genuinely worth the ten minutes it takes.
Give your contacts a heads up
If you think people in your phone have received calls from your number, a quick message goes a long way. Something like “if you got a weird call from my number lately, please ignore it, my number’s been used in a scam” is all you need. You can do a group chat blast and get it done in one go. Fair warning: your mum will still call you individually three times to make sure you’re okay, but at least she won’t wire money to anyone.
Who to Actually Contact in Australia
This is the part that trips people up because there are several different places you’re supposed to report to and it’s not obvious which one does what.
Scamwatch
This is your first reporting stop. Scamwatch is run by the ACCC’s National Anti-Scam Centre and you can report online at scamwatch.gov.au. The information you submit helps warn other Australians and feeds into their efforts to actually disrupt scam networks. It takes maybe five minutes and it does genuinely matter.
ReportCyber
If you’ve lost money or had your accounts broken into, you’ll also want to lodge a report through ReportCyber, which is the Australian Federal Police’s cybercrime reporting tool. This is the one that can potentially lead to an actual investigation.
The ACMA
The Australian Communications and Media Authority handles complaints specifically about caller ID spoofing. You can reach them through acma.gov.au. Telcos are legally required to work with the ACMA to block scam calls, and your complaint contributes to that process.
IDCARE
This one is underrated and I’d really encourage you to use it. IDCARE is a free national support service for identity theft and cyber incidents, and they are genuinely helpful in a way that a government hotline often isn’t. You call them on 1800 595 160 and they help you build a personalised plan for your specific situation rather than just pointing you at a webpage. When you’re stressed and not sure what you’ve missed, having someone walk you through it is actually really useful.
If any of your financial accounts were involved, contact your bank directly using the number on the back of your card or their official website. Not any number given to you in a call or message.
How to Make It Harder for This to Happen Again
Can I actually stop my number from being spoofed?
Honestly, full prevention is difficult because spoofing doesn’t require access to your phone at all. The good news is that Australian telcos have been blocking spoofed calls at the network level for years. Since December 2020 they’ve collectively blocked over 2.2 billion scam calls and more than 788 million scam SMS messages. That is a number so large it’s almost hard to be impressed by it.
What you can do on your end is enable spam filtering on your phone. Android has a “Filter spam calls” option built in that works pretty well. iPhone’s built-in filtering is fairly limited by comparison, so a lot of iOS users end up using a third-party app like Truecaller, which also lets you look up unfamiliar numbers before you ring them back.
Registering your number on the Do Not Call Register is also worth doing, though it’s worth understanding that it won’t stop scammers. What it does is reduce legitimate telemarketing calls, which at least thins out some of the noise.
How do I protect myself against a SIM swap specifically?
Add a PIN or passphrase to your mobile account if you haven’t already. Most Australian carriers let you set this up, and it means anyone trying to make changes to your account will need to provide that code. It’s a small thing that creates a genuine hurdle.
Also, be a bit thoughtful about where your personal details live online. Scammers often piece together enough information from old data breaches and public social media to convincingly impersonate someone. The less you have sitting around publicly, the less material they have to work with.
One Last Thing
Finding out your number has been used in a scam is the kind of thing that makes you want to throw your phone into Port Phillip Bay and move somewhere with no reception. I completely understand that impulse. It feels genuinely violating even when, technically, nothing has been taken from you directly.
But there’s a clear path through it. Report it, lock things down, update your security, keep an eye on your accounts over the next few weeks, and don’t engage with anyone offering to “help you recover” your money or accounts after the fact, because that’s almost always a follow-up scam. The Australian government has put $180 million into the National Anti-Scam Centre and there are real people working on this problem. You’re not on your own.
You’ve just got a few calls to make.
Useful links:
- Scamwatch — report scams and sign up for alerts
- ReportCyber — report cybercrime to the AFP
- IDCARE — free identity recovery support, call 1800 595 160
- ACMA — report caller ID spoofing
- Do Not Call Register — opt out of telemarketing