Mobile Number Business Risk in 2026

One mobile number for your business, banking, and myGov? That’s a bigger risk than most founders realise. Here’s why separating personal and business communication matters in 2026.
SIPcity Editorial Staff
Smartphone on a dark surface displaying a turquoise call icon, illustrating the personal mobile number business risk for Australian founders.

One mobile number. Your business calls, your banking codes, your myGov access, your customer records. Scammers know this. The ACMA said so in April. And if you are running your business from a personal mobile, the personal mobile number business risk you are carrying is larger than most founders realise.

This is not about looking unprofessional. That argument has been made. This is about something more specific: in 2026, the personal mobile number has become the most load-bearing asset in a small business, and it is sitting on consumer infrastructure that regulators are actively warning Australians is under attack.

The call I am watching founders not make is the one where they separate what belongs to the business from what belongs to them personally. That line has never mattered more than it does right now.

The ACMA Warning Founders Missed

On 7 April 2026, the Australian Communications and Media Authority (ACMA) and the National Anti-Scam Centre issued a joint public warning about mobile number fraud. The warning was direct. Scammers are taking control of personal mobile numbers, or making unauthorised changes to phone accounts, then using that access to reach everything attached to the number: bank accounts, myGov, subscription services, and rewards programs.

The following month, the ACMA took enforcement action against two Australian telcos for violations of the mobile number fraud rules. SpinTel was fined $59,400 after an investigation found scammers had exploited a vulnerability in its systems to harvest multi-factor authentication codes on ten separate occasions between February and March 2025, resulting in customer losses of more than $45,000. In December 2025, Southern Phone had paid a $2,500,560 penalty after 20 consumers reported combined losses of at least $393,000. In each case, the ACMA confirmed that consumers reported unauthorised access to their email, banking, and government service accounts after their mobile numbers were taken over through unauthorised ports.

This is not a hypothetical risk. It is a documented pattern with a recent enforcement record. And it lands differently for a founder running their business from a personal mobile than it does for a consumer who uses their mobile for personal calls only.

Why founders carry more risk than they realise

A personal mobile number used for business is not just a phone number. It is on the business website, on invoices, on Google, on email signatures, and in the hands of every customer, supplier, and contractor the business has dealt with. It is also, almost certainly, the number attached to the founder’s banking app, their myGov account, and every platform that uses SMS for two-factor authentication.

That concentration of exposure on a single consumer asset is the structural problem. When a scammer gains control of that number, they do not just get business calls. They get a key that opens most of the founder’s financial and government accounts simultaneously. The business and the person become the same target.

The Ownership Problem Nobody Mentions

Beyond the fraud risk, there is a quieter problem that plays out inside businesses every day. The personal mobile number business risk is not only external. It is also internal.

When a staff member who handles customer calls leaves the business, their personal mobile number leaves with them. If customers have been calling that number directly, and they often have, the business loses those calls the day the person walks out. There is no redirect. No transfer. No system to catch what was flowing through that number. Just a gap, with customers on the other side of it who may not try again.

The same problem applies to the founder’s own number. The number appearing on the website, on Google listings, on invoices, on marketing materials, is tied to a personal mobile plan. It does not belong to the business as an asset. It belongs to one person. If that person changes carriers, loses access to the number for any reason, or simply decides they want a new phone number, the front door of the business disappears with it.

What the Privacy Act adds to the picture

The Office of the Australian Information Commissioner (OAIC) governs how Australian businesses handle personal information under the Privacy Act 1988. A founder’s personal mobile number, once it enters customer records, staff conversations, supplier messages, and marketing databases, starts functioning as business data handled on personal infrastructure.

The Privacy Act currently covers organisations with an annual turnover above $3 million, though a second wave of reforms currently under active development addresses the small business exemption directly. Growing businesses that handle customer personal information on personal devices, without clear separation, are building habits now that will create compliance problems later.

The practical issue is simpler than the legal one. When business communication runs through personal devices, there is no clean record. No shared call log. No retrievable SMS history across the team. Nothing that belongs to the business when a dispute arises, an audit runs, or a customer questions what was agreed on a call six months ago.

One Number Is Doing Too Much

The personal mobile number business risk in 2026 is a concentration risk. The same number customers call is the recovery key for the founder’s banking app. It’s also the same number that appears on the website is the one that receives the SMS code when someone tries to reset the business email password. The same number that staff ring after hours is the one scammers need to access myGov.

This is not how sound infrastructure is supposed to work. Separation of functions matters precisely because concentration creates a single point of failure that touches everything at once. A business number handles business communication. A personal number handles personal life. When they are the same number, an attack on either is an attack on both.

The Australian Bureau of Statistics counted 2,729,648 actively trading businesses in Australia at 30 June 2025. That is a market full of founders carrying this exact exposure, most of them unaware the ACMA issued a national warning about the number sitting in their pocket six weeks ago.

What Separating Them Actually Looks Like

A cloud-based business phone system, known as a Cloud PBX, gives the business a “virtual mobile number” that belongs to the business. Not to the founder. Not to a staff member. To the company. That mobile number appears on the website, on invoices, on Google, on marketing. The personal mobile goes back to being a personal phone.

The separation does several things at once. It removes the personal number from public-facing business infrastructure, which shrinks the fraud attack surface immediately. Separation gives the business a number that persists through staff changes, carrier changes, and ownership changes. And, it creates a call log and communication record that belongs to the business, not to any individual’s handset.

With SIPcity’s Cloud PBX features, calls route through an auto attendant, queue, simultaneous ring, or forwarding rules. Staff answer as the business regardless of which device they use. When they call a customer back, the business number appears on the customer’s screen, not a personal mobile. Shared SMS through SIPcity’s Shared Mobile Inbox means customer text conversations live in a shared team inbox rather than on individual personal phones. When someone leaves, the conversation stays.

When to Make the Move

The best time to separate business and personal communication is before a customer has trained themselves to call a personal number directly. Before a staff member leaves with a number customers recognise. Before a scammer targets the number carrying both your business identity and your banking access.

The signs are usually straightforward. If your business number appears anywhere publicly, it should not be a personal mobile. If more than one person in the business handles customer calls, personal mobiles cannot support that cleanly. And, if your personal number is the recovery contact for your business banking or your business email, it is doing a job it was never designed for.

If you already have a number customers know, number porting transfers it across to a business phone system without disrupting anyone who has it saved. SIPcity’s specialist porting team manages this end to end, including cases where a number is bundled with an internet service and needs to be separated first.

The ACMA warning from April 2026 was aimed at consumers. But every founder running their business from a personal mobile is both the consumer and the business in that warning. The number in their pocket is the attack surface for both. Separating them is not a feature upgrade. It is the most straightforward risk reduction a growing Australian business can make in 2026.

If you want to understand what a proper business phone setup looks like for your stage of growth, we are straightforward to talk to. Reach us by phone on 1800 150 686, or chat with us here on our website, or drop a contact at sipcity.com.au/contact-us. No lock-in contracts. You know where we are.