Last month, my husband noticed that a debit order from his cellphone service provider had gone off from his bank account.

He checked his credit record and saw that a new contract had been taken out two months before.

Someone had used his personal information and bank details to take out a cellphone contract in his name.

His information was most likely part of a data leak from a credit bureau, or it was leaked by a bank official. And yet the onus was on my husband to prove that he had not taken out the contract.

The starting point was having the debit order reversed by his bank, at a cost of R47. He then placed a permanent stop which cost a further R80.

His cellular provider required an affidavit and three specimens of his signature. He needed to inform the credit bureaus, and because someone clearly has all his personal information, he took the extra step of registering for Protective Registration through the South African Fraud Prevention Services. This will alert credit providers that his ID has been compromised.

The credit bureaus offer a service where you receive an immediate alert on any credit record query. Unsurprisingly, they charge for this service, even though the credit bureaus themselves are often to blame when it comes to data breaches.

Cellphone contracts, particularly those that include a phone, are popular with fraudsters. This is especially so when contracts are taken out via online channels.

In some cases, a dealership will issue the same contract for the same rand amount. The phone is delivered to a building, where the fraudster waits outside.

The courier, who is supposed to check the identification document of the person taking out the contract, does not do so.

Cellular providers generally don’t require proof of bank accounts for online applications. They only verify that the account is valid.

Given that customers invariably want same-day shipment, debit order verification is sometimes completed only after delivery.

This raises another question. Why don’t cellphone companies use the DebiCheck system, which was created to authenticate debit orders?

There are two options available for debit orders: an EFT debit order or a DebiCheck debit order. The service provider, in this case the cellphone company, decides which option to use.

DebiCheck debit orders require a customer to authorise the debit order with the bank directly. The debit order would reflect as a DebiCheck debit order with the corresponding mandate information. The EFT debit order system is not an authenticated debit order system.

While being a victim of ID theft is extremely frustrating, cellphone companies are ultimately losing out.

They will need to take extra steps to improve their security processes, such as using biometric authentication via the South African Fraud Prevention Services.

In the meantime, if you do become a victim of ID theft, the first thing you should do is inform your bank and stop the debit order. Contact your service provider and provide the required paperwork to cancel the contract.

You will also need to inform the credit bureaus, and register for Protective Registration at safps.org.za.

All of this admin is frustrating and time-consuming, so book some time out of your diary – you will need it!