What do Twitter CEO Jack Dorsey and pop star Selena Gomez have in common? Aside from being household names, both celebrities are victims of SIM swapping, a nefarious type of cell phone fraud that’s on the rise.
A SIM card is that little rectangular chip, or integrated circuit, inside your phone which stores your phone number and other details identifying and verifying the mobile device as yours. While “SIM swapping” and “SIM jacking” sound like crimes in which someone removes your SIM card and replaces it with their own, that’s not what this type of attack involves.
“SIM swapping is the name for the crime where someone convinces your phone carrier to transfer your SIM to a phone controlled by the criminal,” explains Steven Weisman, law professor at Bentley University and author of the book Identity Theft Alert. “Through SIM swaps, criminals can the reset passwords of online accounts and request authentication codes be sent to their phones, which will render many extra security measures useless.”
In other words, in a SIM swap attack, a scammer remotely hijacks your phone number and sets it up on another device to steal your mobile identity. The ramifications of this can go far beyond simply putting your phone out of commission. In the worst-case scenario, controlling your SIM card gives the thief access to all of your personal accounts.
How is this possible? By now, you may have become accustomed to using two-factor authentication to log in to sensitive web services like financial and health care accounts. When you reset a password or log in from a new device, you often get a text message providing a PIN that’s needed to complete your request. Imagine all of those text messages going to a thief instead of you. With your SIM, the attacker would be able to access every account that’s tied to your phone number.
SIM swapping is becoming a big deal: Annual complaints and total losses nationwide have been steadily increasing over the past five years. The FBI’s Internet Crime Complaint Center uncovered a group of cyber scammers who single-handedly targeted hundreds of victims and made off with $40 million in stolen funds through such attacks.
A thief doesn't need your physical SIM card to take control of your phone number.
How Attackers Get to Your SIM
What makes SIM swapping so heinous is that an attacker can get started with just your name and phone number. The attack generally begins with a fraudster calling your cell phone carrier and asking to switch to another device, usually claiming the original phone has been lost. Cell phone carriers don’t just make these changes at the drop of a hat, of course. You have to prove you’re you. But it’s often easy for attackers to get a hold of sufficient “proof.” Information such as the last four digits of your Social Security number and your mother’s maiden name can often be uncovered online through web searches or posts you’ve made to your social media accounts. (SSNs can also be obtained on the Dark Web for as little as one dollar each.) If thieves can piece together enough of your personal information to convince a wireless customer service operator that they’re you, the change will likely go through.
Once your phone number has been stolen, thieves can run riot on your life. SIM swap attackers have used hijacked numbers to post offensive messages to victims’ social media accounts (such as with Dorsey and Gomez), reset the passwords to online accounts and lock the victim out, and, most damaging of all, completely obliviate victims’ finances. One victim, entrepreneur Michael Terpin, lost $24 million in bitcoin and other cryptocurrencies due to the fraud. It took him more than a year of civil litigation to recover the money.
How to Protect Your Phone Number
The first step toward preventing a SIM swap is to protect your phone number as you would a credit card number. Think twice before giving it out, and never post it publicly online. Beyond that, consider maintaining a second number exclusively for sensitive communications, such as accounts tied to your password reset codes. You don’t need another phone to have a second number: Services like Google Voice or Burner let you create a cheap or free secondary number that you access online.
For security’s sake, some online services are now moving away from using phone numbers as a means of resetting passwords and providing multi-factor authentication PINs. So-called “token-based security” services like Duo and Google’s Advanced Protection give users a shifting one-time code that’s provided through an app or through a physical security key—a small device that plugs into your computer or phone—instead of a text message to verify your identity. This means that an attacker cannot access those accounts with your phone number alone.
Stop a SIM swapping before it starts with good online practices.
How to Prevent a SIM Swap
Let’s be honest: It’s extremely difficult to protect your phone number, especially if you’ve been using it for years. Your best bet is to focus on preventing a SIM swap.
To that end, take advantage of whatever additional security measures your cell phone carrier offers. The specifics vary among providers, but AT&T, Verizon, and T-Mobile/Sprint all let you specify an account or customer PIN that provides another layer of security. This PIN can be set up online.
Once you’ve done so, you won’t be able to make changes to your account without providing the PIN. This makes hijacking your account tougher.
“The more steps a SIM thief needs to go through, the more time you’ll have to get your number back before they take anything,” says personal finance writer Adam Fortuna.
But note that while a PIN offers a solid level of extra protection, if an attacker is working with an insider at your carrier, it can easily be bypassed. The good news is that inside jobs like this seem rare.
To further protect yourself, change the phone number associated with your existing accounts to a separate, secondary one as outlined above. Set social media accounts to private, and update your usernames and passwords so they are unique across all of your accounts.
What to Do If You’re a Victim of a SIM Swapping Attack
Victims of SIM swaps often find out they’ve been attacked when their phone abruptly stops working. If you ever receive a message (via email or text) that your SIM has been changed, call your carrier immediately to halt the transfer. Acting fast is crucial: Once an attacker begins changing passwords to your email or financial accounts, the cleanup can be onerous, and financial losses may be irreversible.
If you are the victim of a SIM swap, your first priority is to get control of your phone number.
- Call your carrier immediately to regain control of your phone number.
- Log out any existing logins of your email account and immediately reset your password. Google and others allow you to see all concurrent logins and end the sessions remotely.
- Once your email is safe, start resetting the passwords for your other highly used services such as Apple ID and/or Google accounts, banks, e-payment services, and cryptocurrency accounts, which are frequent targets.
- File a police report.
- Alert your financial institutions and one of the three credit agencies—Equifax, Experian, or TransUnion—that you are actively being attacked and at further risk of fraud.
If an account has been compromised, you will need to call the company’s customer service department to recover it. You’ll typically be asked for specific information about the account—such as the date you created it, the affiliated email address(es), and details about recent activity—in order to verify you are who you claim to be.