As the digital age continues, our susceptibility to various cybersecurity and identity threats grows. SIM swapping — stealing your phone number — is one of the more recent forms of identity theft to crop up.
While a SIM swap scam may not seem like a huge deal — it’s just a phone number, after all — it can be a far bigger deal than you think, especially if you do banking or other sensitive activities online.
We’ll help you understand what a SIM swap is and the effect it can have on you.
A SIM card is the small data card that most cellphones use to connect to a cellular network. A SIM swap scam is when a fraudster purchases a new SIM card and contacts your mobile carrier to ask for the new card to be activated — under the guise you lost or damaged the current card or bought a new phone. They then ask the carrier to use the porting option to move your old number to the new SIM card, giving the bad actor control over your phone number.
Your mobile carrier will likely require the criminal to verify their identity by answering personal questions about you. Unfortunately, through phishing emails, spoof websites, social engineering, data breaches and data mining on social media accounts, the fraudster may have all the personal data they need to answer these questions and complete the process.
Once a criminal has completed a SIM swap attack, there’s a wide range of actions they can take, ranging from monetary to personal attacks.
For example, if you forget your banking password, your bank may use two-factor authentication to verify it’s you before allowing a passcode change. Generally, the second factor in that authentication chain is a text message to your cellphone.
So, if a hacker has your mobile phone number, they can receive the multifactor authentication code from the bank and can gain access to your bank account. They may do the same on other financial accounts, like a cryptocurrency wallet or a 401(k).
A hacker could also use the multifactor authentication system to gain access to marketplaces like eBay or Amazon and make purchases using stored credit cards and bank accounts.
On the non-monetary side of the coin, a scammer could use a text-to-tweet service to post offensive or hurtful messages on your Twitter account, like what happened to Twitter CEO Jack Dorsey, or they could use your phone number to send offensive or illegal SMS text messages or make phone calls. They could potentially do the same with an email account.
SIM swapping is a fast-moving form of identity theft that requires immediate action to stop it from doing lasting damage. To help you spot potential SIM swapping activity, watch out for these telltale signs that you may be a victim.
When a criminal successfully pulls off a SIM swap fraud, they deactivate your SIM card and convert your phone number to a new SIM card. This will immediately render your SIM card useless, making it impossible for you to place phone calls or send text messages.
If you notice this issue, immediately contact your carrier to check if it’s a network issue or if your phone number was moved to another SIM card. If it was the latter, explain to your provider that you’re the rightful owner of that phone number and ask them how to get it back.
If you receive notification via email or text message from your cellphone service provider that your phone number has been moved to a new SIM card, you may be a SIM swap fraud victim. Immediately contact your cellphone provider to verify the communication is legitimate. If it’s legit, ask them how to reverse the swap.
Use caution with emails like this, as they could be an elaborate phishing attempt. Never click on any links in a suspicious email. Instead, navigate directly to your cellphone provider website or call the provider to verify the swap occurred and determine how to reverse it.
When calling the provider, always use a phone number you know is for the carrier. You can find this on your carrier’s website or on your monthly bill. SIM swap fraudsters are creative and may use a notification like this to trick you into calling them and giving them the information they need to perform a SIM swap.
While no one can 100% prevent falling victim to scammers, there are a few ways to minimize the risk of being a SIM swap victim.
Hackers and other criminals can be slick, and they know they can use your busy life against you. They do so by calling, emailing or texting under the guise of being your bank, auto lender, cable company or other important institution.
They’ll send you important-sounding emails and texts or call you to warn you of a potential issue with your account. In reality, there’s nothing wrong with your account at all — the scammers are just using this panic moment to phish for your personal information. This may happen over the phone, via text or via an email link that sends you to a spoof website that looks nearly identical to your banking website.
If you ever receive these types of communications, don’t release any information. Instead, immediately disconnect from the person who called you and contact the institution yourself using a phone number you know is correct. You can also log on to your account and check for any notifications there.
Criminals are excellent at scraping information off the internet, such as your full name, address, birthday, kids’ names, important dates and more. They can then use this information to answer security questions and gain access to your cellphone account.
Try to keep this information off public websites, and criminals won’t have access to it. This includes your social networks and forums.
Contact your cellphone provider and ask if you can add PIN or password protection to your account. Adding this password or PIN puts yet another layer of protection in place that a scammer must get through to complete the SIM swap successfully.
Make sure to choose a unique password that no one can guess. Your security is only as strong as your password.
Multifactor authentication (MFA) has played a big role in securing sensitive accounts, but SMS-based MFA is susceptible to SIM swap attacks. Instead of using an SMS MFA, use a device-based app, like Google Authenticator.
These apps don’t tie to your phone number, eliminating a SIM swapper’s access to the codes they need to access your online accounts. The only way they could access those codes would be to steal your device.
Sometimes all the prevention in the world can’t keep a persistent criminal from pulling off a SIM swap. If you fall victim, here are the steps to take to fight back:
- Immediately contact your cellphone service provider, alert the company of the issue and regain control of your cellphone number.
- Change all your passwords and PINs to ensure the criminal can no longer access your accounts.
- Check all your bank accounts, credit card accounts and marketplaces for fraudulent money movement and purchases. Dispute any fraudulent charges through your bank or credit card.
- Pull all three credit reports — Equifax, TransUnion and Experian — and check for any new accounts the scammer may have opened in your name. Dispute any new accounts or charges through the credit bureau.
- Place a credit freeze with all three credit bureaus to prevent the scammer from using any information they may still have to open new accounts.
- Open an identity theft case through the FTC if the scammer has sensitive information, including your credit card or bank account information, or Social Security number. Then place an extended fraud alert with all three credit bureaus.
Our lives are becoming more digital with each passing day, giving criminals more opportunities to steal our data. A SIM swap is one of the more elaborate cybersecurity threats, as it involves multiple steps to be successful.
But once the criminal completes it, they have access to your cellphone number and can hijack SMS-based MFA. This can give the scammer access to your social media accounts, bank accounts, email and more.
However, you can protect yourself by taking a few simple steps, including:
- Not giving out your personal data to unverified people via phone, SMS or email.
- Keeping the personal information you post online to a minimum.
- Protecting your cellphone account with a PIN or password.
- Using device-based authentication apps.
With these security measures in place and careful monitoring of your accounts, you have a better chance of preventing scammers from carrying out a SIM swap. If they manage to get through your preventative measures, rest assured that you can take actions to regain control over your cellphone.