SIM swap fraud explained and how to help protect yourself
Your cellphone could provide a way for cybercriminals to access your financial accounts. How? Through your mobile number.
The fraud is known as SIM swapping, and it can be used to take over your financial accounts. SIM swapping relies on phone-based authentication. In a successful SIM swap scam, cybercriminals could hijack your cell phone number and use it to gain access to your sensitive personal data and accounts.
Here’s how it works. You might try to access one of your bank accounts that uses text-based two-factor authentication. That means you begin to access your account by entering your user name and password. Your bank then sends an access code to your cellphone for you to complete the log-in process.
But what if fraudsters are able to change the SIM card connected to your mobile number? That would give them control over that number — and they’d receive the access code to your account.
It’s a good idea to learn about of SIM card swapping. That way you can help protect yourself against this type of fraud — or recognize if you’ve become a victim. Here’s what you need to know.
How do SIM swapping scams work?
A SIM swap scam — also known as SIM splitting, simjacking, sim hijacking, or port-out scamming — is a fraud that occurs when scammers take advantage of a weakness in two-factor authentication and verification in which the second step is a text message (SMS) or call to your mobile phone number.
First, some SIM-card basics. Cellphone subscriber identity module (SIM) cards are the storage for user data in Global System for Mobile (GSM) phones. Without a SIM card, your GSM phone wouldn’t be authorized to use a mobile network.
So having control over your cellphone number would be valuable to fraudsters. To steal your number, scammers start by gathering as much personal information on you as they can get and engaging in a bit of social engineering.
The scammers call your mobile carrier, impersonating you and claiming to have lost or damaged their (your) SIM card. They then ask the customer service representative to activate a new SIM card in the fraudster’s possession. This ports your telephone number to the fraudster’s device containing a different SIM. Or, they may claim that they need help switching to a new phone.
How are fraudsters able to answer your security questions? That’s where the data they’ve collected on you through phishing emails, malware, the dark web, or social media research becomes useful.
Once they gain access to and control over your cellphone number, fraudsters can then access your phone communications with banks and other organizations — in particular, your text messages. They can then receive any codes or password resets sent to that phone via call or text for any of your accounts. And that’s it: They’re in.
How do they get your money? They might set up a second bank account in your name at your bank — where, because you’re already a bank customer, there may be less robust security checks. Transfers between those accounts in your name might not sound any alarms.
Social media and the SIM swap scam
Scammers can use your social media profiles to gather information on you that may help them impersonate you. For example, if your mother’s maiden name or your high school mascot are answers to your security questions, a fraudster may be able to discover that information within your Facebook profile. But social media also can alert you to being victimized.
Consider the high-profile example of a SIM swap scam against Twitter CEO Jack Dorsey. Dorsey’s Twitter account was hacked when fraudsters gained control over his phone number — and went on to tweet offensive messages for the 15 minutes it took to regain control of his account.
How did the hackers get access to his phone number? They somehow convinced Dorsey’s phone carrier to essentially swap SIM cards, assigning Dorsey’s phone number to their SIM card and phone. They then used Cloudhopper’s text-to-tweet service for Twitter.
Signs you may be a victim of SIM swap fraud
It can be challenging to stay ahead of SIM swap scams. It’s important to recognize warning signs, so you can shut down the frausters’ access as quickly as possible.
One warning sign, as seen in Dorsey’s case, is social media activity that isn’t yours. The tweets made to Dorsey’s Twitter account alerted him to the breach.
Here are three other signals you may be a victim of SIM swapping.
- You’re unable to place calls or texts. The first big sign that you could be a victim of SIM swapping is when your phone calls and text messages aren’t going through. This likely means fraudsters have deactivated your SIM and are using your phone number.
- You’re notified of activity elsewhere. You’ll know you’re a victim if your phone provider notifies you that your SIM card or phone number has been activated on another device.
- You’re unable to access accounts. If your login credentials no longer work for accounts like your bank and credit card accounts, you likely have been taken over. Contact your bank and other organizations immediately.
How can you protect yourself from SIM swap scams?
Here are ways you can help protect yourself against becoming a victim of SIM swap fraud.
- Online behavior: Beware of phishing emails and other ways attackers may try to access your personal data to help them convince your bank or cell phone carrier that they are you.
- Account security: Boost your cellphone’s account security with a unique, strong password and strong questions-and-answers (Q&A) that only you know.
- PIN codes: If your phone carrier allows you to set a separate passcode or PIN for your communications, consider doing it. It could provide an additional layer of protection.
- IDs: Don’t build your security and identity authentication solely around your phone number. This includes text messaging (SMS), which is not encrypted.
- Authentication apps: You can use an authentication app such as Google Authenticator, which gives you two-factor authentication but ties to your physical device rather than your phone number.
- Bank and mobile carrier alerts: See if your banks and mobile carrier can combine efforts, sharing their knowledge of SIM swap activity, and implementing user alerts along with additional checks when SIM cards are reissued, for instance.
- Behavioral analysis technology: Banks can use technology that analyzes customer behavior to help them discover compromised devices, warning them not to send SMS passwords.
- Call-backs: Some organizations call customers back to make sure they are who they say they are — and to catch identity thieves.
SIM swapping is one reason why a phone number may not be the best verifier of your identity. It’s a breachable authenticator. Adding additional layers of protection could help keep your accounts — and your identity— safer.
The freedom to connect more securely to Wi-Fi anywhere
With Norton™ Secure VPN, check email, interact on social media and pay bills using public Wi-Fi without worrying about cybercriminals stealing your private information
Try Norton Secure VPN for peace of mind when you connect online
Editorial note: Our articles provide educational information for you. Norton LifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.
Copyright © 2020 NortonLifeLock Inc. All rights reserved. NortonLifeLock, the NortonLifeLock Logo, the Checkmark Logo, Norton, LifeLock, and the LockMan Logo are trademarks or registered trademarks of NortonLifeLock Inc. or its affiliates in the United States and other countries. Firefox is a trademark of Mozilla Foundation. Android, Google Chrome, Google Play and the Google Play logo are trademarks of Google, LLC. Mac, iPhone, iPad, Apple and the Apple logo are trademarks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc. Alexa and all related logos are trademarks of Amazon.com, Inc. or its affiliates. Microsoft and the Window logo are trademarks of Microsoft Corporation in the U.S. and other countries. The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License. Other names may be trademarks of their respective owners.