
Important Steps to Take Before You Recycle a Mobile Phone Number

Peter Nelson

Before you give up or recycle a mobile phone number, there are critical security steps you must take. Missing them can expose your accounts, banking, and identity to serious risk.

Mobile numbers get recycled more often than people realise. Whether you are closing a business, replacing an old SIM, switching carriers, or simply handing a number back, the moment that number leaves your control it can be reassigned to someone else - sometimes within weeks. That new owner can then receive your SMS messages, including two-factor authentication (2FA) codes, password reset links, and bank verification texts.

The consequences can range from embarrassing to catastrophic. Here is what to do before you release a number.

Why This Is a Serious Security Issue

Australian telcos reassign mobile numbers that have been inactive or ported away. The ACMA does not mandate a minimum holding period before reassignment, which means there is no guaranteed buffer between when you give up a number and when a stranger starts receiving texts sent to it.

If any account tied to that number sends an SMS verification code - banking, email, social media, government portals, business tools - the new owner receives it. Combined with your name (which may appear on incoming texts or caller ID history), this creates a meaningful identity risk.

This is not hypothetical. Account takeovers via recycled SIMs are documented globally, including in Australia.

Step 1: Audit Every Account That Uses the Number for 2FA

Start a list. Go through every account that has your mobile number recorded - not just the ones where you actively use SMS 2FA, but any account where the number exists as a recovery option.

Common categories to check:

  • Banking and financial services - every bank account, credit card, superannuation portal, investment platform, and lending account
  • Email accounts - Gmail, Outlook, Yahoo, and any business email accounts
  • Social media - Facebook, Instagram, LinkedIn, X, TikTok
  • Government portals - myGov, ATO online, Medicare, ServiceVic
  • Business tools - Xero, MYOB, Shopify, your Microsoft 365 or Google Workspace admin account
  • Cloud storage - Dropbox, Google Drive, iCloud
  • E-commerce - eBay, Amazon, any shopping accounts with saved payment methods
  • Password managers - if your password manager uses SMS as a recovery option

For each account, update the recovery or 2FA phone number to your new number before you release the old one. Do not simply delete the old number and leave the field empty - always replace it with valid contact details.
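If you keep the Step 1 list as a spreadsheet, a short script can flag every row that still points at the outgoing number, even when it was typed in different formats. This is an added example, not part of the original article; the column names, accounts and phone numbers are constructed sample data.

```python
import csv
import io
import re

OLD_NUMBER = "0491 570 156"  # constructed sample: the number being released

# Constructed inventory; in practice this is the list you build in Step 1.
INVENTORY_CSV = """account,category,twofa_method,twofa_phone,recovery_phone
Example Bank,banking,sms,+61 491 570 156,0491570156
Work email,email,app,,(04) 9157 0156
Accounting tool,business,sms,0491 570 157,0491 570 157
Photo storage,cloud,none,,61491570156
Shopping site,e-commerce,none,,
"""

def normalise_au_mobile(raw):
    """Reduce an Australian mobile number to 04XXXXXXXX, or None if it is not one."""
    digits = re.sub(r"\D", "", raw or "")
    for prefix in ("0061", "61"):          # international forms
        if digits.startswith(prefix):
            digits = digits[len(prefix):]
            break
    if digits and not digits.startswith("0"):
        digits = "0" + digits              # restore the trunk zero
    return digits if re.fullmatch(r"04\d{8}", digits) else None

def audit(inventory_csv, old_number):
    """Return (account, uses, action) for every row still tied to old_number."""
    old = normalise_au_mobile(old_number)
    if old is None:                        # otherwise empty cells would "match"
        raise ValueError("old_number is not a valid Australian mobile number")
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        uses = [label for label, col in (("2fa", "twofa_phone"),
                                         ("recovery", "recovery_phone"))
                if normalise_au_mobile(row[col]) == old]
        if not uses:
            continue
        if "2fa" in uses and row["twofa_method"] == "sms":
            action = "move 2FA to an authenticator app or the new number"
        else:
            action = "replace the recovery number"
        findings.append((row["account"], uses, action))
    return findings

if __name__ == "__main__":
    for account, uses, action in audit(INVENTORY_CSV, OLD_NUMBER):
        print(f"{account}: old number used for {', '.join(uses)} -> {action}")
```
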

Step 2: Switch 2FA to an Authenticator App

This is an excellent opportunity to upgrade your security posture. SMS-based 2FA is the weakest form of two-factor authentication. It is vulnerable to SIM swapping, number recycling, and interception. Authenticator apps - Microsoft Authenticator, Google Authenticator, Authy - generate codes on your device and are not tied to your phone number at all.

For every account that supports app-based authenticator codes, switch now. It takes about two minutes per account and is substantially more secure.

For accounts that only support SMS, make sure you update to your new number before releasing the old one.
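Why app-generated codes survive a number change: the sketch below implements TOTP (RFC 6238), the standard algorithm behind the time-based codes authenticator apps display. It is an added example, not code from the original article or from any of the apps named; the secret is the published RFC 6238 test key, and the `verify` helper and its one-step clock tolerance are illustrative assumptions.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test key (ASCII "12345678901234567890"), base32-encoded the way
# a setup QR code carries it. Never reuse a published key for a real account.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, unix_time, digits=6, step=30):
    """Code the device computes locally: inputs are the secret and the clock only."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // step)   # 30-second time slot
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, submitted, now, digits=6, step=30, window=1):
    """Server side: recompute from the same secret, tolerating small clock drift."""
    for i in range(-window, window + 1):
        t = now + i * step
        if t >= 0 and hmac.compare_digest(
                totp(secret_b32, t, digits, step), submitted):
            return True
    return False

if __name__ == "__main__":
    code = totp(RFC_SECRET, 59, digits=8)
    print("device shows:", code)
    print("accepted 30 s later:", verify(RFC_SECRET, code, 89, digits=8))
    print("accepted 90 s later:", verify(RFC_SECRET, code, 149, digits=8))
```

Nothing in either function refers to a phone number or a carrier, so a recycled number gives its new owner no path to these codes.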

Step 3: Check Email Accounts for Linked Forwarding

Some people set up email forwarding rules or account recovery options years ago and have forgotten about them. Log into each email account and check:

  • Recovery phone number - update this
  • Recovery email address - while you are there, verify this is still valid
  • Forwarding rules - make sure no forwarding is set up to an old or unknown address

For Microsoft 365 business accounts, your IT administrator can audit these settings across your organisation.

Step 4: Notify Key Contacts

If you use the number for business, send a notification to clients, suppliers, and key contacts before the number changes. This is courteous and practical - calls and texts to an old number do not just disappear, they go to whoever has the number next.

For business numbers, update:

  • Your email signature
  • Your website contact page
  • Your Google Business Profile
  • Any printed materials, letterheads, or business cards
  • Directory listings (Yellow Pages, True Local, industry associations)
  • Your Outlook or Teams contact card

Step 5: Review Banking Security Settings

Banks are a priority. Most Australian banks allow a mobile number as a recovery mechanism, a notification channel, and a 2FA method - sometimes all three simultaneously. Log into each account and:

  • Update the registered mobile number to your new one
  • Check that SMS payment alerts are going to the correct number
  • Review whether the number is used as a secondary identifier for phone banking

If you have a business banking relationship, contact your bank directly rather than relying solely on the online portal - some commercial banking records need to be updated by a banker.

Step 6: Check App-Based Services That Store the Number

Many apps store your phone number for account recovery without actively using it for 2FA. Check the account settings (usually under Security or Profile) in apps you use regularly, including ride-share, food delivery, travel booking, and any subscription services.

Before the Port or Cancellation

Do all of this before you port your number away or cancel the service. Once the number is gone, your ability to receive verification codes on that number is gone with it - and you may find yourself locked out of accounts you need to update.

If you have already released a number without completing these steps, act immediately. Contact your bank by phone, use backup codes for any accounts that provided them at setup, and work through account recovery processes while you still can.

For Businesses Managing Staff Phones

If staff in your business use company-allocated mobile numbers for work 2FA, you need a policy for what happens when they leave or are reallocated a number. Numbers used for business account 2FA should never be personal numbers - they should be under your business’s control so you can update them independently of staff changes.

If you need help auditing your business’s account security or implementing proper 2FA policies, contact CX IT Services. We help Melbourne businesses manage identity security without the complexity.
