ACMA fined SpinTel $59,400 after scammers exploited an MFA vulnerability ten times in early 2025, with affected customers losing over $45,000.
ACMA Penalises SpinTel and Warns Yomojo Over Mobile Fraud Failures
The Australian Communications and Media Authority has taken enforcement action against two Australian telecommunications providers for breaches of mobile number fraud protections. According to ACMA's May 7 statement, SpinTel was fined $59,400 after investigators found that scammers exploited a vulnerability in the company's systems to harvest multi-factor authentication codes on ten separate occasions between February and March 2025. Affected customers reportedly lost more than $45,000 as a result.
Alongside the financial penalty, SpinTel has entered into an 18-month court-enforceable undertaking requiring an independent review of its security posture. A second provider, Yomojo, received a formal warning after the regulator determined the company had failed to publish required guidance directing customers on how to report mobile number porting fraud to law enforcement.
How the MFA Code Harvesting Worked
The reporting indicates that scammers were able to access multi-factor authentication codes flowing through SpinTel's systems, giving them a direct route into customer accounts protected by SMS-based verification. Once intercepted, these codes can be used to authorise transactions, reset passwords, or bypass identity checks across banking, government, and health portals.
ACMA member Samantha Yorke described the consequences in stark terms, noting that losing thousands of dollars in seconds can be devastating and have lasting impacts. She added that once a scammer gains access to a mobile service, the victim becomes exposed across banking apps, health records, and other personal information.
The Yomojo case centres on a different obligation. Australian telcos are legally required to publish clear instructions advising customers what steps to take if they suspect their number has been ported without consent. The regulator found Yomojo had not made this guidance available on its website.
Sixth Enforcement Action in Twelve Months
Yorke confirmed this is the sixth enforcement announcement in the past year tied to ACMA's consumer protection push around mobile fraud. The pattern points to recurring weaknesses across the Australian telco sector, with multiple providers found to have system vulnerabilities or compliance gaps that place customers at preventable risk.
Mobile number porting fraud and SIM swap attacks remain an active concern for Australian consumers. When a scammer takes control of a phone number, the impact extends well beyond missed calls. Banking notifications, government login codes, and password reset messages all route through the compromised service, giving the attacker a window to drain accounts or impersonate the victim across multiple services.
What Australians Should Do
If your mobile service suddenly stops working without explanation, treat it as a possible porting attack and act quickly:
- Contact your telco immediately using a different phone or web chat to confirm whether your number has been transferred
- Log into banking and email accounts from a trusted device and check for unauthorised activity or recent password changes
- Enable additional account protections offered by your telco, including porting authorisation PINs and identity verification holds
- Report any financial loss to your bank straight away and request transaction reversal where possible
- Do not share MFA codes with anyone who calls or messages claiming to be from your telco, bank, or a government agency
For ongoing protection, consider replacing SMS-based MFA with an authenticator app on accounts that support it, particularly for banking, myGov, and primary email.
How to Report and Check Suspicious Numbers
Scamwatch remains the central reporting channel for phone-based scams in Australia and accepts reports at scamwatch.gov.au. Suspicious SMS messages can be forwarded free of charge to 0429 999 888, which feeds into the national database used by ACMA and telcos to identify fraud patterns. ReportCyber handles cases involving financial loss or identity compromise, and Services Australia operates a dedicated Scams and Identity Theft Helpdesk for myGov-related incidents.
If you have received a call or text from a number you do not recognise, checking community reports on Reverseau can help establish whether other contributors have flagged it as a scam, robocall, or impersonation attempt. The more Australians who contribute reports, the faster emerging tactics like the SpinTel MFA harvesting pattern can be surfaced and shared with others receiving the same calls.