The security of a modern bank account often rests on a single, fragile pillar: a mobile phone number. For one Auckland man, that pillar collapsed in less than 15 minutes, leading to a sophisticated identity heist that nearly drained his savings. This case serves as a critical SIM swapping fraud warning for millions who rely on SMS-based verification to protect their financial lives.
Jade Wang, a customer of Kogan Mobile—which operates via the One NZ network—discovered the terrifying speed of digital identity theft on April 24. In a rapid-fire sequence of events, fraudsters hijacked his mobile number, reset his banking credentials, and transferred $19,300 from a joint account at ANZ. While the funds were eventually recovered, the incident exposes a systemic vulnerability in how telecommunications and banking sectors verify identity.
The attack was not a random guess but a targeted strike. Investigations revealed that the perpetrators had already obtained a significant cache of Wang’s personal data, including his full name, email address, and credit card details. With this information, they were able to impersonate him to his mobile provider, convincing them to port his number to a new SIM card under their control.
The Mechanics of a Digital Hijack
Once the fraudsters controlled Wang’s phone number, they held the keys to his digital kingdom. Most banking systems use two-factor authentication (2FA) via SMS to verify password resets or high-value transfers. By hijacking the SIM, the attackers ensured that the security codes intended for Wang were delivered directly to their own devices.
An investigation by ANZ showed that the attackers used Wang’s customer number to trigger a password reset. The verification code was sent to the hijacked mobile number, allowing the criminals to enter the account and initiate two separate transfers totaling $19,300. The theft was only halted when a third payment triggered a red flag at the bank.
The audacity of the scam peaked at 5:38 p.m. That day, when ANZ staff called the registered mobile number to verify the suspicious activity. A fraudster, posing as Wang, answered the call. However, the bank’s security team noted concerns during the conversation and immediately suspended the internet banking access, preventing further losses.
A Race Against the Clock
The most harrowing aspect of the experience for Wang was the perceived lack of time to react. He received a notification from One NZ just before 1:30 p.m. Stating his number had been swapped. He immediately called the provider to report the unauthorized activity, but the process was fraught with friction.
During the call, an operator informed Wang that his number was not registered directly with One NZ (as he was a Kogan Mobile customer). While the operator placed him on hold to seek advice, the call was disconnected. By the time he realized the gravity of the situation, his phone had gone out of service, and the money was gone.
| Time (April 24) | Event |
|---|---|
| 1:30 PM | Wang receives SIM swap notification; attempts to contact One NZ. |
| 1:45 PM | SIM control is fully transferred to fraudsters; Wang’s phone loses service. |
| ~3:00 PM | Fraudsters reset ANZ banking password via SMS code and transfer $19,300. |
| 5:38 PM | ANZ calls the hijacked number; fraudster impersonates Wang; account is frozen. |
“I feel like the window of time was just too short,” Wang said. “There was nothing I could do. Just waiting on the phone call alone took about 10 minutes.”
Strengthening the Perimeter
In response to the incident, One NZ has introduced a system-enforced 15-minute delay on all SIM swaps. This window is intended to give customers a critical opportunity to notice an unauthorized request and stop it before the number is ported. Nicky Preston, a spokesperson for One NZ, stated that the company has also notified the Office of the Privacy Commissioner regarding the breach.
Industry experts warn that This represents part of a broader trend in identity crime. Paul Brislen, chief executive of the Telecommunications Forum, noted that while this specific type of fraud is unusual, scammers are constantly seeking new avenues to bypass security. He highlighted that New Zealand telcos have recently blocked over 23,000 malicious domains and 3 million phishing requests.
To mitigate the risk of a SIM swapping fraud warning becoming a reality for other users, the National Cyber Security Centre and the Privacy Commissioner recommend several layers of defense:
- Move beyond SMS: Use app-based two-factor authentication (such as Google Authenticator or Microsoft Authenticator) instead of SMS codes.
- Data Hygiene: Avoid sharing identifiable details—such as home addresses, phone numbers, or tax IDs—on social media.
- Account Hardening: Use complex, unique passwords and creative answers for account recovery questions that cannot be easily guessed from public records.
- Immediate Action: If you receive an unexpected SIM swap alert, contact your bank immediately to freeze accounts before attempting to resolve the issue with the telco.
Disclaimer: This article is for informational purposes only and does not constitute financial or legal advice. If you suspect you are a victim of fraud, contact your financial institution and local law enforcement immediately.
The case remains an open reminder of the fragility of digital trust. While Wang was “thrilled” to have his $19,300 returned on May 6, the emotional toll and the loss of security remain. The Office of the Privacy Commissioner continues to monitor these breaches as part of a wider effort to strengthen consumer protections against identity theft.
We invite you to share your thoughts on digital security in the comments below or share this guide with others who may be at risk.
