SIM Swapping: How to Protect Your Phone Against an Attack

A SIM swap is more than just someone stealing your phone number.

Author Justin Cupler
Contributing Writer at Tally
June 4, 2021

As the digital age continues, our susceptibility to various cybersecurity and identity threats grows. SIM swapping — stealing your phone number — is one of the more recent forms of identity theft to crop up. 

While a SIM swap scam may not seem like a huge deal — it’s just a phone number, after all — it can be a far bigger deal than you think, especially if you do banking or other sensitive activities online. 

We’ll help you understand what a SIM swap is and the effect it can have on you. 

SIM Swapping Defined

A SIM card is the small data card that most cellphones use to connect to a cellular network. A SIM swap scam is when a fraudster purchases a new SIM card and contacts your mobile carrier to ask for the new card to be activated — under the guise that you lost or damaged the current card or bought a new phone. They then ask the carrier to use the porting option to move your old number to the new SIM card, giving the bad actor control over your phone number.

Your mobile carrier will likely require the criminal to verify their identity by answering personal questions about you. Unfortunately, through phishing emails, spoof websites, social engineering, data breaches and data mining on social media accounts, the fraudster may have all the personal data they need to answer these questions and complete the process. 

How Criminals Can Use a SIM Swap

Once a criminal has completed a SIM swap attack, there’s a wide range of actions they can take, ranging from monetary to personal attacks. 

For example, if you forget your banking password, your bank may use two-factor authentication to verify it’s you before allowing a passcode change. Generally, the second factor in that authentication chain is a text message to your cellphone.

So, if a hacker has your mobile phone number, they can receive the multifactor authentication code from the bank and can gain access to your bank account. They may do the same on other financial accounts, like a cryptocurrency wallet or a 401(k).  

A hacker could also use the multifactor authentication system to gain access to marketplaces like eBay or Amazon and make purchases using stored credit cards and bank accounts.  

On the non-monetary side of the coin, a scammer could use a text-to-tweet service to post offensive or hurtful messages on your Twitter account, like what happened to Twitter CEO Jack Dorsey, or they could use your phone number to send offensive or illegal SMS text messages or phone calls. They could potentially do the same with an email account.

Signs You’re a Victim of SIM Swapping

SIM swapping is a fast-moving form of identity theft that requires immediate action to stop it from doing lasting damage. To help you spot potential SIM swapping activity, watch out for these telltale signs that you may be a victim. 

Can’t send text messages or make phone calls

When a criminal successfully pulls off a SIM swap fraud, they deactivate your SIM card and convert your phone number to a new SIM card. This will immediately render your SIM card useless, making it impossible for you to place phone calls or send text messages.

If you notice this issue, immediately contact your carrier to check if it’s a network issue or if your phone number was moved to another SIM card. If it was the latter, explain to your provider that you’re the rightful owner of that phone number and ask them how to get it back. 

Notification from provider

If you receive notification via email or text message from your cellphone service provider that your phone number has been moved to a new SIM card, you may be a SIM swap fraud victim. Immediately contact your cellphone provider to verify the communication is legitimate. If it’s legit, ask them how to reverse the swap. 

Use caution with emails like this, as they could be an elaborate phishing attempt. Never click on any links in a suspicious email. Instead, navigate directly to your cellphone provider website or call the provider to verify the swap occurred and determine how to reverse it. 

When calling the provider, always use a phone number you know is for the carrier. You can find this on your carrier’s website or on your monthly bill. SIM swap fraudsters are creative and may use a notification like this to trick you into calling them and giving them the information they need to perform a SIM swap. 

Tips To Avoid Being a SIM Swapping Victim

While no one can 100% prevent falling victim to scammers, there are a few ways to minimize the risk of being a SIM swap victim. 

Don’t give out personal information via phone, text or email

Hackers and other criminals can be slick, and they know they can use your busy life against you. They do so by calling, emailing or texting under the guise of being your bank, auto lender, cable company or other important institution.

They’ll send you important-sounding emails and texts or call you to warn you of a potential issue with your account. In reality, there’s nothing wrong with your account at all — the scammers are just using this panic moment to phish for your personal information. This may happen over the phone, via text or via an email link that sends you to a spoof website that looks nearly identical to your banking website.

If you ever receive these types of communications, don’t release any information. Instead, immediately disconnect from the person who called you and contact the institution yourself using a phone number you know is correct. You can also log on to your account and check for any notifications there. 

Keep your online footprint small

Criminals are excellent at scraping information off the internet, such as your full name, address, birthday, kids’ names, important dates and more. They can then use this information to answer security questions and gain access to your cellphone account. 

Try to keep this information off public websites, and criminals won’t have access to it. This includes your social networks and forums.

Password- or PIN-protect your cellphone account 

Contact your cellphone provider and ask if you can add PIN or password protection to your account. Adding this password or PIN installs yet another layer of protection a scammer must get through to complete the SIM swap successfully. 

Make sure to choose a unique password that no one can guess. Your security is only as strong as your password. 

Use authentication apps attached to your device

Multifactor authentication (MFA) has played a big role in securing sensitive accounts, but SMS-based MFA is susceptible to SIM swap attacks. Instead of using SMS-based MFA, use a device-based app, like Google Authenticator.

These apps don’t tie to your phone number, eliminating a SIM swapper’s access to the codes they need to access your online accounts. The only way they could access it would be to steal your device. 

Actions To Take If You’re a SIM Swap Victim

Sometimes all the prevention in the world can’t keep a persistent criminal from pulling off a SIM swap. If you fall victim, here are the steps to take to fight back: 

  1. Immediately contact your cellphone service provider, alert the company of the issue and regain control of your cellphone number. 
  2. Change all your passwords and PINs to ensure the criminal can no longer access your accounts.
  3. Check all your bank accounts, credit card accounts and marketplaces for fraudulent money movement and purchases. Dispute any fraudulent charges through your bank or credit card.
  4. Pull all three credit reports — Equifax, TransUnion and Experian — and check for any new accounts the scammer may have opened in your name. Dispute any new accounts or charges through the credit bureau. 
  5. Place a credit freeze on all three credit bureaus to prevent the scammer from using any information they may still have to open new accounts.
  6. Open an identity theft case through the FTC if the scammer has sensitive information, including your credit card or bank account information, or Social Security number. Then place an extended fraud alert on all three credit bureaus. 

Protect Yourself from a SIM Swap Attack

Our lives are becoming more digital with each passing day, giving criminals more opportunities to steal our data. A SIM swap is one of the more elaborate cybersecurity threats, as it involves multiple steps to be successful. 

But once the criminal completes it, they have access to your cellphone number and can hijack SMS-based MFA. This can give the scammer admittance to your social media accounts, bank accounts, email and more. 

However, you can protect yourself by taking a few simple steps, including: 

  • Not giving out your personal data to unverified people via phone, SMS or email.
  • Keeping the personal information you post online to a minimum.
  • Protecting your cellphone account with a PIN or password.
  • Using device-based authentication apps.

With these security measures in place and careful monitoring of your accounts, you have a better chance of preventing scammers from carrying out a SIM swap. If they manage to get through your preventative measures, rest assured that you can take actions to regain control over your cellphone.