Financial fraud has traditionally been associated with high-risk or sensitive data such as full Social Security numbers, driver's licence numbers and complete financial account numbers. That assumption no longer holds: the methods used by today's cyber-criminals do not require such detailed or specific information about the target. A modern attacker can begin, and in some cases complete, a fraud using only a phone number and a date of birth. These far less sensitive pieces of information have become essential to identity verification at banks, mobile carriers and FinTech applications, and they are now used in ways they were never designed for.
The significance of this becomes clear when a consumer's partial personal information is exposed in a data breach, as in the CoVantage Credit Union incident. A criminal can do far more with limited information than most consumers realise.
Phone numbers and dates of birth were never designed as high-security identifiers. But as people began using the same identifier for everything, including online shopping, services needed a way to verify users by phone number, email address or a similar identifier, and the phone number became a primary means of authenticating a person and establishing an identity online. Phone numbers now serve as:
- A way for financial institutions to verify your identity;
- A method for resetting your password when you forget it;
- A method to access your digital wallet;
- A method for onboarding with a financial company;
- A method for verifying your identity when you call a customer support representative;
- A method for two-factor authentication (e.g., receiving an SMS with a code to enter).
Because SMS is still widely used for all of these purposes, and can be intercepted or rerouted by attackers, users should recognise the risk of receiving financial codes and information via SMS.
2. The DOB is a Shared "Secret" Across Many Institutions
Financial institutions, through the various support options on their sites, use the DOB as proof of an individual's identity, even though it is typically among the easiest pieces of information for an attacker to collect or buy.
Combined with a phone number, the DOB becomes a key to pathways that were intended to be far less accessible to attackers.
The Ways That Criminals Use Phone Numbers and DOB To Perpetrate Fraud
SIM-Swap Attacks
One of the most significant threats is "SIM swapping", whereby a perpetrator deceives a mobile carrier into moving the victim's phone number onto a new SIM card that the perpetrator controls. To make the change, the carrier generally requires only:
- Phone number
- DOB
- Occasionally, the home address
Once the number has been moved to the new SIM, everything sent to it arrives on the perpetrator's device, so the perpetrator can intercept:
- One-Time Passwords (OTPs)
- Bank account login verification codes
- Digital wallet authentication codes
- Account recovery messages
Consequently, the perpetrator gains access to almost every financial account tied to that phone number.
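The chain above (carrier moves the number, then OTPs and recovery messages arrive on the attacker's SIM) is also something a defender can correlate. The following is an added example, not code from the article or from any institution it names. It assumes the bank or credit union receives a SIM-change signal for the phone number (some carriers offer such lookups; here it is a constructed `sim_change` event) and flags OTP deliveries, password resets and new-device logins that follow one within 72 hours; the 72-hour window and the step-up policy are assumptions, and every event, timestamp and phone number is constructed.

```python
"""Added example: correlate SIM-change signals with recovery/login events.

Assumptions (not from the article): the institution gets a 'sim_change'
event for a phone number, and every sensitive event records the phone
number it was sent to. Sample events, names and numbers are constructed."""
from datetime import datetime, timedelta

# Constructed sample log: (ISO timestamp, event type, phone number, detail).
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "sim_change",       "+15551230001", "carrier signal"),
    ("2024-03-01T09:40:00", "otp_sent",         "+15551230001", "password reset OTP"),
    ("2024-03-01T09:41:00", "password_reset",   "+15551230001", "via SMS OTP"),
    ("2024-03-01T09:45:00", "login_new_device", "+15551230001", "new device, new IP"),
    ("2024-02-20T14:00:00", "sim_change",       "+15551230002", "carrier signal"),
    ("2024-03-05T10:00:00", "password_reset",   "+15551230002", "via SMS OTP"),
    ("2024-03-02T11:00:00", "password_reset",   "+15551230003", "via SMS OTP"),
]

# Events a SIM-swapped attacker triggers while completing a takeover.
SENSITIVE_EVENTS = {"otp_sent", "password_reset", "login_new_device"}
# How long after a SIM change SMS is treated as untrusted (assumed policy).
WINDOW = timedelta(hours=72)


def _as_dt(value):
    """Accept either a datetime or an ISO-8601 string."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def _sim_change_times(events):
    """Map phone number -> list of datetimes at which its SIM changed."""
    by_phone = {}
    for ts, kind, phone, _ in events:
        if kind == "sim_change":
            by_phone.setdefault(phone, []).append(_as_dt(ts))
    return by_phone


def recent_sim_change(events, phone, now, window=WINDOW):
    """True if `phone` had a SIM change within `window` before `now`."""
    now = _as_dt(now)
    return any(timedelta(0) <= now - c <= window
               for c in _sim_change_times(events).get(phone, []))


def flag_post_sim_swap_activity(events, window=WINDOW):
    """Return (phone, event_type, hours_after_sim_change) for every sensitive
    event that lands within `window` after a SIM change on the same number."""
    changes = _sim_change_times(events)
    flagged = []
    for ts, kind, phone, _ in sorted(events, key=lambda e: e[0]):
        if kind not in SENSITIVE_EVENTS:
            continue
        t = _as_dt(ts)
        for c in changes.get(phone, []):
            if timedelta(0) <= t - c <= window:
                flagged.append((phone, kind, round((t - c).total_seconds() / 3600, 2)))
                break
    return flagged


def recovery_factor_policy(events, phone, now):
    """Assumed step-up rule: after a recent SIM change, SMS is not an acceptable
    recovery factor; require an authenticator app, passkey or in-branch check."""
    if recent_sim_change(events, phone, now):
        return "require_non_sms_factor"
    return "sms_otp_allowed"


if __name__ == "__main__":
    for phone, kind, hours in flag_post_sim_swap_activity(SAMPLE_EVENTS):
        print(f"ALERT {phone}: {kind} {hours}h after SIM change")
    print(recovery_factor_policy(SAMPLE_EVENTS, "+15551230001", "2024-03-01T09:40:00"))
```

On the constructed log only the first number is flagged: three sensitive events inside the window. The second number's reset comes two weeks after its SIM change and passes, and the third has no SIM-change signal at all, which is the limitation of this check: it only helps when the carrier signal exists and is delivered.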
Abuse of Password Recovery Features
Many banking apps and financial technology (FinTech) platforms rely heavily on SMS (text message) password resets: anyone who can receive messages at the phone number tied to the account can request one. An attacker who controls the victim's phone number can therefore trigger a reset, and the victim's date of birth (DOB) is often enough to pass whatever secondary check follows. This pattern is common across:
- Digital Banks
- Peer-to-peer (P2P) Payment Apps
- Online Lenders
- Credit Unions
- Budgeting and Financial Management Tools
Social Engineering of Customer Service Representatives
Some support personnel authenticate a caller using just three pieces of information: name, phone number and DOB. An attacker can impersonate the victim and request a change of email address, a password reset, temporary access to the account, or approval of transactions, without ever needing the victim's actual password.
Building a Complete Identity Profile
Phone numbers are often linked with social networking profiles, found in old public databases, and linked to messaging services. When a criminal uses a victim's phone number along with their date of birth, they can:
- Carry out targeted phishing attacks
- Search old breach databases for further records on the same person
- Combine those records into a complete identity profile.
Compromise of even the smallest amount of data can ultimately lead to the entire identity being reconstructed for criminal use.
Mitigation of Risk from the CoVantage Incident
Names, phone numbers and dates of birth, once exposed on the internet, create substantial risk for the individual, as the CoVantage incident demonstrates. Consumers do not see the risk posed by institutions that cannot perform full identity verification, and they underestimate attackers who can take small pieces of information and build a complete identity with which to perpetrate fraud.
The CoVantage incident illustrates that partial information is enough to begin the fraud journey with:
- Attempts to trick a carrier into transferring the victim's mobile service (SIM swapping)
- Phishing campaigns
- Password resets requested by someone other than the customer
- Social engineering of bank or credit union staff
It also reflects an industry-wide problem: verification systems built on flawed assumptions about which data is low-risk.
How To Protect Yourself As A Consumer:
To minimize your risk:
1. Set a carrier PIN on your mobile account (and a port-out or number-transfer lock where your carrier offers one)
2. Replace SMS codes with an authenticator app (TOTP) for two-factor authentication
3. Use passkeys when possible.
4. Set account alerts for your financial accounts.
5. Monitor for devices logging into your account that you do not recognize.
6. Don't trust calls or texts that come from numbers you do not recognize.
7. Freeze your credit files to limit identity theft.
While none of these actions provides 100% protection from every form of identity theft, together they make it far harder for an attacker who holds only limited information about you.
