What is SIM swapping? SIM swap fraud explained and how to help protect yourself
August 15, 2022
SIM swap fraud occurs when scammers take advantage of a weakness in two-factor authentication and verification and use your phone number to access your accounts.
SIM swapping happens when scammers contact your mobile phone’s carrier and trick them into activating a SIM card that the fraudsters have. Once this occurs, the scammers have control over your phone number. Anyone calling or texting this number will contact the scammers’ device, not your smartphone.
This is known as SIM swap fraud, and it means scammers could potentially enter your username and password when logging onto your bank’s website. The bank will then send a code by text — two-factor authentication — to your smartphone number, a code that you’ll then have to enter to access your online account. The problem? After a SIM swap, that number now goes to the smartphone or other device possessed by scammers. They can then use that code to enter your bank account.
Fortunately, you can protect yourself against SIM swapping. It’s all about preventing scammers from finding out what logins and passwords you use to access your online bank or credit card accounts. And it helps, too, to look out for the most common warning signs of a SIM swap scam.
What is a SIM card?
To understand SIM swapping, you must first understand what a SIM card is.
Also known as a subscriber identity module, a SIM card is a small card that contains a chip. For your smartphone to work, you must insert a SIM card into it. This lets you make or receive calls and send texts.
The SIM card in your phone holds plenty of information. This includes data indicating that you have permission to make calls and send texts. Without the SIM card, you could only use your smartphone for activities such as accessing the web on a Wi-Fi network or taking photos.
How SIM swapping works
A SIM swap scam happens when criminals trick your carrier into connecting your phone number to a SIM card in their possession. These scammers basically take control of your mobile phone’s number.
To steal your number, scammers start by gathering as much personal information on you as they can find and then engaging in social engineering.
First, the scammers call your mobile carrier, impersonating you and claiming to have lost or damaged their — really your — SIM card. They then ask the customer service representative to activate a new SIM card in the fraudster’s possession. This ports your telephone number to the criminal’s device, which contains the scammer’s own SIM card. Once your carrier completes this request, all phone calls and texts that are supposed to go to you will instead go to the scammer’s device.
How are fraudsters able to answer the security questions your mobile carrier asks? How can they provide any personal information your smartphone provider’s customer-service rep asks when trying to determine if it’s you on the other end of the phone?
That’s where the data scammers have collected on you through phishing emails, malware, or social media research becomes useful.
Scammers might send you an email claiming to be from your smartphone provider. This email might say that you need to click on a link to keep your account open. When you do, you’re taken to a new page that asks you to provide personal information, including your name, birthdate, and passwords. Maybe the page even asks for your Social Security number. Once you fill this out and click “Send,” you’ve given the scammers access to the information they need to trick your mobile phone carrier into a SIM swap scam.
Other scammers trick you into clicking on email links that fill your computer with malware that records your keystrokes, including any passwords or security question answers you type. Again, this provides the fraudsters with the information they need to pull off a successful SIM swap.
Fraudsters might also buy your personal and financial information on the dark web. This, too, would arm these con artists with the information they need to successfully work their scam.
Once scammers have the information they’ve gotten from you or the dark web, they give it to your smartphone provider and use it to convince the provider to switch your number to a new SIM card.
These criminals then gain access to and control over your cellphone number, something that fraudsters can use to access your phone communications with banks and other organizations, in particular, your text messages. They can then receive any codes or password resets sent to that phone via call or text for any of your accounts. And that’s it: They’re in.
How do they get your money? They might set up a second bank account in your name at your bank, where, because you’re already a customer, there might be less robust security checks. Transfers between those accounts in your name might not sound any alarms.
Social media’s role in SIM swap fraud
Scammers can use your social media profiles to gather information on you that may help them impersonate you when they’re trying to close a SIM swap scam.
Say your mother’s maiden name or your high school mascot are answers to your security questions. A fraudster might be able to discover that information within your Facebook profile.
But there is some good news here: Social media also can alert you to being victimized.
Consider the high-profile example of a SIM swap scam against Twitter CEO Jack Dorsey. Dorsey’s Twitter account was hacked when fraudsters gained control over his phone number. The scammers behind this went on to tweet offensive messages from Dorsey’s Twitter handle for the 15 minutes it took to regain control of his account.
How did the hackers get access to Dorsey’s phone number? They somehow convinced Dorsey’s phone carrier to essentially swap SIM cards, assigning Dorsey’s phone number to their SIM card and phone. They then used Cloudhopper’s text-to-tweet service to send their messages through Twitter.
SIM swap scams on the rise
According to the FBI, scammers are turning more often to SIM swap scams. The bureau reported that in 2021, the FBI received 1,611 reports of SIM swaps. The losses in these crimes topped $68 million.
From January of 2018 through December of 2020, the FBI received just 320 SIM swap complaints, with the victims of these crimes losing about $12 million.
A recent example of this scam? In January of 2022, a Tampa resident found that he could no longer log into his account with Coinbase, a site that allows consumers to trade cryptocurrency. According to a story from WFTS in Tampa Bay, the man then discovered that he could no longer make phone calls or send texts with his smartphone.
Scammers stole the man's phone number, intercepting his two-factor authentication code. The scammers then used this code to access his Coinbase account, emptying it of about $15,000 worth of cryptocurrency.
Something similar happened with another victim last year, as reported by CNET. According to the story, fraudsters used the victim’s two-factor authentication code, after stealing his phone number, to access his Coinbase account, using it to buy $25,000 worth of Bitcoin.
Signs that you’re the victim of a SIM swap
It’s important to recognize the warning signs of a SIM swap. Doing so can help you quickly shut down fraudsters’ access to your phone, and to all the texts and calls it receives, hopefully before they cause too much damage.
One warning sign, as seen in Dorsey’s case, is social media activity that isn’t yours. The tweets made to Dorsey’s Twitter account alerted him to the breach.
But here are four other key signs that you might be a victim of SIM swapping.
1. You can’t make calls or send texts
Getting errors when trying to send texts or make calls? The first sign that you could be a victim of SIM swapping is when your phone calls and text messages aren’t going through. This likely means fraudsters have deactivated your SIM card and are using your phone number.
2. You’re notified of activity elsewhere
You’ll know you’re a victim if your phone provider notifies you that your SIM card or phone number has been activated on another device.
3. You’re unable to access accounts
If your login credentials no longer work for accounts like your bank and credit card accounts, it’s likely that scammers have changed your passwords and usernames, maybe after having taken over your phone number. Contact your bank and other organizations immediately to let them know.
4. You find transactions you don’t remember making
If you’re checking your online credit card statement and you notice several transactions that you don’t remember making, you might be the victim of a SIM swap scam. This is a sign that criminals have accessed your credit card number and used it to make unauthorized purchases. They might have done this by first stealing your phone number and using the information sent to it to access your account.
How can you protect against SIM swap scams?
Fortunately, there are ways in which you, and your service providers, can help protect against becoming a victim of SIM swap fraud.
- Online behavior: Beware of phishing emails and other ways attackers may try to access your personal data to help them convince your bank or cell phone carrier that they are you. Don’t click on links in email messages from people you don’t know. And remember, your bank, cable provider, credit card company, or other service providers won’t ask for your personal or financial information through an email message.
- Account security: Boost your cellphone’s account security with a unique, strong password and strong security questions and answers that only you know.
- PIN codes: If your phone carrier allows you to set a separate passcode or PIN for your communications, consider doing it. It could provide an additional layer of protection.
- IDs: Don’t build your security and identity authentication solely around your phone number. This includes text messaging (SMS), which is not encrypted.
- Authentication apps: You can use an authentication app such as Google Authenticator, which gives you two-factor authentication but ties to your physical device rather than your phone number.
- Bank and mobile carrier alerts: See if your banks and mobile carrier can combine efforts, sharing their knowledge of SIM swap activity, and implementing user alerts along with additional checks when SIM cards are reissued, for instance.
- Behavioral analysis technology: Banks can use technology that analyzes customer behavior to help them discover compromised devices, warning them not to send SMS passwords.
- Call-backs: Some organizations call customers back to make sure they are who they say they are — and to catch identity thieves.
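The service-provider items above (extra checks when a SIM card is reissued, not sending SMS passwords to a number that may be compromised, and preferring an authentication app) can be combined into one bank-side decision. The sketch below is an added example, not code from this article or from any bank or carrier; the 72-hour cooldown, the `last_sim_change` carrier signal, and all field and function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy value, not from the article: withhold SMS codes for this
# long after the carrier reports a SIM change on the number.
SIM_CHANGE_COOLDOWN = timedelta(hours=72)

@dataclass
class LoginAttempt:
    now: datetime
    last_sim_change: Optional[datetime]  # hypothetical carrier signal; None = no data
    known_device: bool                   # device seen on earlier successful logins
    has_authenticator_app: bool

def second_factor_decision(a: LoginAttempt) -> dict:
    """Decide how to deliver the second factor for one login attempt."""
    if a.has_authenticator_app:
        # App codes come from a secret on the device, so a swap cannot redirect them.
        return {"channel": "authenticator_app", "alert_customer": False}
    if a.last_sim_change is None:
        # No carrier data: allow SMS only to a device the bank already knows.
        ok = a.known_device
    else:
        # A negative age (clock skew) is treated as a recent change.
        ok = (a.now - a.last_sim_change) >= SIM_CHANGE_COOLDOWN
    if ok:
        return {"channel": "sms", "alert_customer": False}
    # Recent reissue or unknown state: do not text a code; hold the login and
    # alert by a channel that does not depend on the phone number (e.g. email).
    return {"channel": "hold_for_review", "alert_customer": True}

# Constructed sample attempts, for illustration only.
NOW = datetime(2022, 8, 15, 12, 0)
SAMPLES = {
    "swapped_2h_ago": LoginAttempt(NOW, NOW - timedelta(hours=2), False, False),
    "sim_unchanged_1y": LoginAttempt(NOW, NOW - timedelta(days=365), False, False),
    "app_user_after_swap": LoginAttempt(NOW, NOW - timedelta(hours=2), False, True),
    "no_carrier_data": LoginAttempt(NOW, None, False, False),
}

if __name__ == "__main__":
    for name, attempt in SAMPLES.items():
        print(name, second_factor_decision(attempt))
```

The key design choice is that a recent or unknown SIM state never falls back to texting a code, because after a swap that text reaches the scammer's device.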
SIM swapping is one reason why a phone number may not be the best verifier of your identity. It’s a breachable authenticator. Adding additional layers of protection could help keep your accounts — and your identity — safer.
Of course, SIM swapping is just one avenue to identity theft. If you’re concerned about identity theft due to a lost driver’s license or other identification, it’s smart to consider a trusted identity theft protection service like LifeLock Ultimate Plus.
Editorial note: Our articles provide educational information for you. NortonLifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.
Copyright © 2022 NortonLifeLock Inc. All rights reserved.