8 min read

Part 2: The 8-Minute Nightmare - What To Do When You Are Sim Swapped in Canada

At 5:45 PM, the spam calls started. By 6:00 PM, the phone was dead and the bank accounts breached. If you see 'No Service,' you have minutes to act. Here is the definitive Canadian battle plan to stop a SIM Swap, lock down your credit, and stop the bleeding.
A smartphone screen displaying an Unregistered SIM error message next to a ticking clock, symbolizing a Canadian SIM swapping attack in progress.
Frustrated, no service, sim-swapped!

By Core Lab Joe, IT & Cybersecurity professional of 20+years.

Picture this: You’re sitting at home at 5:45 PM. Your phone starts buzzing. A call from an unknown number. You ignore it. Then another. And another. Fifty calls later, your phone goes dead. “Unregistered SIM.”

By the time you find a Wi-Fi signal, you’re locked out of your email. You’re locked out of your Telus account. And somewhere, a stranger is using your phone number to impersonate you to the world.

This isn’t a movie script. This is a SIM Swap attack, and it just happened to a Canadian on reddit recently.

The scenario above is a textbook case of a targeted identity takeover. Today, we are going to dissect exactly how this attack worked, why the "Spam Bombing" technique was used, and most importantly—provide the definitive Canadian playbook for stopping the bleeding and reclaiming your digital identity.


The Anatomy of the Attack🎯

A breakdown of how a live attack occurs. This is from a recent attack on a fellow Canadian who reported it over reddit in Jan 2026. It reveals a sophisticated, multi-stage attack:

  1. The Spam Bombing (The Distraction): Those 50 calls weren't random. They were a smoke screen. The attackers knew that if Telus sent you a "Did you request a SIM change?" text, you might see it. By flooding your phone with calls, they ensured you were too distracted to notice the one notification that mattered.
  2. The Social Engineering (The Swap): The attacker called Telus pretending to be the victim. They didn't just guess; they had the "Golden Trio" of Canadian identity theft: Full Name + DOB + Last 3 of SIN. Technically a SIN# isn't supposed to be used for ID verification but companies often ask for it, to verify your credit score.
  3. The Pivot: With control of the phone number, they used SMS 2-Factor Authentication (2FA) to reset the Hotmail password, giving them the "Skeleton Key" to the victim's digital life.
It only took 8 minutes. Recovering from it will take longer, but here is how you do it.
8 Minute Account Takeover
8 Minute Account Takeover

THE CANADIAN "SIM SWAP" BATTLE PLAN

If this happens to you, panic is your enemy. Speed is your ally. Here is the step-by-step execution guide. Remember the Data Pipeline we discussed in [Part 1]? This is where that leaked SIN and DOB become a weapon.

Phase 1: Containment (The Golden Hour)

1. Kill the Line (Again) You need to re-report the fraud to your carrier immediately to ensure the attacker’s SIM is dead.

  • For Telus/Koodo/Bell/Rogers: Ask specifically for their Fraud Department. Do not let a frontline agent handle this.
  • Ask for: "Port Protection" or a "No-Port" note to be placed on your file immediately.

2. Secure the Skeleton Key (Email) Your email is the most critical asset. Use a secure device (not the compromised phone) to reset your email password.

  • Crucial Step: Force a "Sign out of all devices" in your email security settings. The attacker may still be logged in even after you change the password.

3. The Financial Freeze Assume they have tried to access your banking apps using "Forgot Password" via SMS.

  • Call your bank’s fraud line immediately.
  • Tell them: "I am a victim of a SIM Swap identity theft."
  • Ask them to place a temporary freeze or "verbal password" requirement on your accounts.

Phase 2: The Official Canadian Reporting Protocol (The Battle Card)

In Canada, we have a fragmented system for reporting cybercrime. Here is the official hierarchy of who you need to contact to protect your credit and SIN. I have compiled the direct fraud lines for you below. Print this out or screenshot it.

🇨🇦 Identity Fraud Contact List - List of Canadian fraud contact numbers including Equifax TransUnion and CAFC.

AgencyPurposeDirect Fraud NumberAction Required
Equifax CanadaCredit Protection1-800-465-7166Ask to place an "Identity Fraud Alert" on your credit file.
TransUnion CanadaCredit Protection1-800-663-9980Ask to place a "Potential Fraud Alert" on your file.
Service CanadaSIN Protection1-866-274-6627Report that your SIN was used fraudulently. They will flag your file for tax fraud.
Canadian Anti-Fraud CentreFederal Record1-888-495-8501File a report to generate a reference number for insurance/banks.
Local PoliceLegal RecordNon-Emergency LineFile a report to get a Case Number. Essential for disputing bank charges.

I made a wallet-sized printable PDF "cheat sheet" for my Canadian readers. Download it, print it, and put it in your fire safe.👇

1. Local Police (Non-Emergency Line)

  • Why: You need a Case Number.
  • Reality Check: The police likely won't dispatch an officer to "track the signal." However, banks and insurance companies often require a police file number to reverse fraudulent charges.
  • Action: Call your local non-emergency line (e.g., TPS, OPP, RCMP detachment). State clearly: "I am a victim of Identity Fraud involving a SIM Swap."

2. Canadian Anti-Fraud Centre (CAFC)

  • Why: This creates a federal record. The CAFC shares intelligence with the RCMP's National Cybercrime Coordination Centre (NC3) to track organized crime rings operating inside Canadian carriers.
  • Action: File a report online via the Fraud Reporting System or call 1-888-495-8501.
Language selection - Canadian Anti-Fraud Centre / Sélection de la langue - Centre antifraude du Canada
The Canadian Anti-Fraud Centre (CAFC) collects information on fraud and identity theft. We provide information on past and current scams affecting Canadians. / Le Centre antifraude du Canada (CAFC) recueille de l’information sur la fraude et le vol d’identité. Il fournit des renseignements sur les fraudes passées et courantes touchant les Canadiens.

3. Credit Bureaus (The Financial Shield)

  • Why: If the attacker has your SIM, they likely have the personal data needed to open credit cards in your name.
  • Action: Contact both major bureaus to place an "Identity Fraud Alert" on your file.
    • Equifax Canada: 1-800-465-7166
    • TransUnion Canada: 1-800-663-9980

4. Managing the SIN (Social Insurance Number)

  • The Reality: Service Canada rarely issues new SINs unless there is proof of ongoing misuse (like someone working a job under your name).
  • Official Advice: Contact Service Canada (1-866-274-6627). They will not issue a new number immediately, but they can place a flag on your file that alerts them if anyone tries to apply for EI or other benefits in your name.

Phase 3: Hardening (Never Again)

The harsh reality is that SMS is broken. It was never designed for security.

1. Divorce your Phone Number from your Security

Stop SMS 2FA, Start App MFA!
Stop SMS 2FA, Start App MFA!
  • Official Guidance: The Canadian Centre for Cyber Security (Get Cyber Safe) explicitly recommends moving away from SMS-based authentication where possible.
  • The Fix: Switch to Authenticator Apps like Google Authenticator, Aegis, or Raivo. These generate codes locally on your device and cannot be intercepted by a SIM swap.

2. Enable "Port Protection/Port Block/Transfer Block" Most Canadian carriers now offer a feature called Port Protection or Transfer Block.

  • This prevents your number from being ported to another carrier without you physically visiting a store or providing a secondary PIN. Demand this feature be enabled.

3. The "Secret" PIN Call your mobile provider and ask to set a "Verbal PIN" or "Voice Password" that is required before any changes can be made to your account. Do not use your birth year or the last 4 digits of your phone number.

A Note on the "Insider Threats"

It's entirely possible that an employee of a company like Telus or Bell, could have malicious intent or be helping hackers. This is extremely unlikely, and 9.9/10 it's just social engineering (hacking the people, not the tech!. Keep in mind that "Social Engineering" is a massive industry. Professional attackers call support lines hundreds of times a day. They scream, they cry, they play audio of "crying babies" in the background to stress the agent out. They use the data they bought about you (SIN, DOB) to bully the minimum-wage support agent into bypassing protocol.

Whether it was a rogue employee or a tricked one, the result is the same: We must stop trusting our phone numbers as a form of ID.

Stay safe, stay paranoid.


Bonus Resource: The "Quick Copy" Notification Template

Victims often struggle with what to say to banks to make them take the situation seriously. Copy and paste this to establish an immediate record.

Subject: URGENT: Formal Notification of Identity Theft & SIM Swap Attack – Acct [Your Account Number]

To Whom It May Concern:

I am writing to formally notify your institution that I am currently the victim of a confirmed “SIM Swap” attack, which occurred on [Date].

Due to the nature of this attack, the perpetrators have gained control of my primary mobile phone number.

I am requesting the following immediate actions:

  1. Place a "High-Risk Fraud Alert" on my accounts immediately.
  2. Do NOT authenticate me via SMS/Text Message for any reason.
  3. Note that I have already filed reports with Local Police (Case Number: [Insert Number]) and the Canadian Anti-Fraud Centre.

Sincerely,

[Your Full Legal Name]


The Reddit thread along with a personal family friend's story who inspired this series.

Victim of cyber breach
by u/Retired_elec_eng in PersonalFinanceCanada

The Pivot: Once they have your phone, they go for your inbox. Learn how to stop the "Domino Effect" in [Part 3: What to do when your Email is Hacked.]