Fraudsters have figured out how to break in to online accounts protected by two-factor authentication where the authenticating device is your mobile phone.

They don’t steal the phone; they simply hijack the phone number. This enables them to intercept those one-time verification codes sent to that mobile number by text, email, or phone call.

Armed with their victim’s personal information, such as date of birth and last four digits of their Social Security number — information that is widely available on the dark web — these identity thieves trick the wireless carriers into transferring (or porting) their target’s phone number to a new account or device they control. That’s why this is called the “port-out” scam.

Mobile phone hijacking is on the rise. Reports of this crime to the Federal Trade Commission more than doubled between 2013 and 2016, from 1,038 incidents to 2,658. These complaints “represent only the tip of a much larger iceberg,”

Port-out scammers can take over any account where that smartphone is the verification device, such as bank, cryptocurrency, and email and social media accounts, according to a recent warning from Fraud.org, run by the National Consumers League.

Most victims find out about this when they go to use their cellphone and it won’t work. Unfortunately, by the time they call the carrier and figure out what’s happened, the scammer has already used that hijacked cellphone number to log in to things like their bank account and drain all the funds out of it relatively quickly