Chun Ai Deng considers herself a careful banking customer. So when she noticed a transaction on her Chase debit card for $3,809 at Best Buy, a store she’d never visited, she knew something was wrong.
Deng immediately contacted Chase to report the fraudulent charge. She was confident that the bank would swiftly reverse the bogus payments. Little did she know she was about to embark on a frustrating four-month journey to reclaim her money.
Chase swiftly denied Deng’s claim. The bank insisted the transaction was authorized, citing a record of authorization via a text message sent to Deng’s phone. But Deng had a solid alibi: She says someone stole her identity.
Deng’s case raises some important questions:
- What’s SIM swapping and how do I prevent it?
- How can I prove someone stole my identity?
- What can I do if the company refuses to provide documentation of a crime?
But first, let’s have a look at Deng’s case.
How did her identity get stolen?
Deng immediately contacted her phone carrier, Lyca Mobile, and discovered that her number had been ported out without her consent just three days before the fraudulent Best Buy purchase.
This unauthorized SIM swap meant that anyone with Deng’s phone number could receive her calls and messages, including any one-time passcodes or authorizations sent by her bank.
“I found out about this transaction when I called Chase about some email alerts sent by Chase regarding a request for a replacement Chase Sapphire Reserve credit card, which I did not apply for, and a $2,000 Zelle payment sent from my account to someone that I did not recognize,” she says.
But Chase hadn’t emailed her about the Best Buy transaction.
“While Chase returned me the Zelle payment, the unauthorized debit card transaction of $3,809 with Best Buy was declined,” she says.
What’s SIM swapping and how do I prevent it?
SIM swapping is a growing problem, and it can happen without you even realizing it. This sneaky tactic allows cybercriminals to take control of your phone number, which they can then use to access your online accounts.
Here’s how it works: a scammer gathers personal information about you, and tricks your mobile carrier into transferring your number to a SIM card they control. Suddenly, all your calls and texts are rerouted to them.
How can you protect yourself?
- Use strong and unique passwords. Make sure your passwords are complex and unique for each account. You might want to use a password manager to keep track of them.
- Enable two-factor authentication (2FA). Opt for authentication apps instead of SMS-based codes. Apps like Google Authenticator provide an extra layer of security that isn’t vulnerable to SIM swaps.
- Set up account PINs. Many carriers allow you to create a separate PIN for your account. This adds an additional layer of verification when making changes.
- Monitor your accounts. Keep an eye on your phone and bank statements for any unusual activity. If you notice your phone suddenly loses service or starts acting weird, act fast.
- Limit personal information sharing. Be cautious about what you post online. Scammers often use social engineering techniques to gather information needed to impersonate you.
- Switch to eSIM. If your device supports it, eSIMs are less susceptible to theft since they’re embedded in the device and can’t be physically swapped. (eSIMs aren’t entirely invulnerable to SIM swapping, but it’s harder to pull off a SIM swap with an eSIM.)
These steps can significantly reduce the risk of falling victim to SIM swapping and safeguard your personal information.
How can you prove someone stole your identity?
Proving you’ve had your ID stolen is a paperwork-intensive task.
Document everything. In cases of identity theft or account hacking, providing detailed documentation is key. Start by filing a police report, which creates a formal record of the crime.
Contact your bank. Report the fraud, making note of the date, time, and representative you spoke with.
File a complaint with the FTC. You can do that at IdentityTheft.gov, which will guide you through steps to recover from identity theft and provide you with an identity theft report and a recovery plan.
Contact one or all of the three major credit bureaus (Experian, Equifax, TransUnion). Place a fraud alert on your credit reports, which will make it harder for thieves to open new accounts in your name.
MOST IMPORTANT: Maintain detailed records of all correspondence. That includes emails, letters, phone call logs, and any supporting documentation like police reports or credit card statements. This paper trail can be invaluable when dealing with companies or pursuing legal action.
An unfortunate twist makes this case harder to crack
Deng furnished Chase with proof that someone had stolen her ID, but it wasn’t enough. Chase also demanded evidence that Deng’s phone service had been interrupted at the time of the transaction and required documentation of her contract ownership of the phone number.
That proved difficult. Deng was on a prepaid phone plan from Lyca Mobile. Prepaid plans don’t typically involve signed contracts, making it impossible for Deng to meet Chase’s demands.
Adding insult to injury, Lyca Mobile refused to provide a formal letter or report confirming the unauthorized port-out, stating that their email correspondence confirming the port-out was sufficient.
Deng found herself stuck between a bank that refused to acknowledge her claim without specific documentation and a phone company unwilling to provide that documentation.
Next stop: the Consumer Financial Protection Bureau (CFPB), where Deng filed a complaint. She submitted all the evidence she had: a police report, the Lyca Mobile email chain, a reference number from the Federal Trade Commission (FTC) for identity theft, and documentation of a fraud alert filed with credit reporting agencies.
Chase still refused to help her. The bank sent a letter reiterating its initial stance. It pointed to the text message authorization as proof of a legitimate transaction. Chase also refused to accept Lyca Mobile’s email correspondence as sufficient evidence, claiming it didn’t meet its requirements for proof of interrupted phone service.
What can I do if the company refuses to provide documentation?
If a company refuses to provide documentation, there are several steps you can take.
Start by escalating the issue to a supervisor or manager within the company. I list the names, phone numbers and email addresses on our company contact page. We list the Lyca Mobile executive contacts on the site.
Don’t forget to make your requests in writing — and keep copies for your records.
If an internal escalation fails, consider filing a complaint with the appropriate regulatory agency. The CFPB handles complaints about financial institutions, while the FCC handles complaints about telecommunications companies.
In some instances, public pressure can be effective. Share your story on social media or reach out to consumer advocacy groups or news outlets for assistance. Our advocacy team is always happy to help, of course.
Bottom line: A business must furnish you with proof of a crime, and with a little persistence, you should be able to get it.
But what about Deng’s case?
I asked Chase to take another look at Deng’s case. It seemed strange that they would reverse her Zelle transaction but would not address a fraudulent purchase from Best Buy. It appeared as if the decision had been made by an algorithm rather than a person — a common problem these days.
A few days later, our team got some good news.
“I wanted to provide you with an update on my case,” she wrote in an email. “The Chase executive office did a second review of my documents, reversed his decision, and returned the money to my bank account. Without you and your organization’s help, I may never have gotten Chase to look at my supporting documents seriously. Thank you for everything!”
