You may have already heard of SIM swapping, which is also called SIM card fraud or SIM hacking. If you’re wondering, “What is a SIM swap scam? Am I at risk?” the answer is YES. SIM fraud is a common scam that lets anyone take over your phone number. It’s very dangerous and you are probably at risk of it without even knowing.
SIM swapping is a type of scam that is becoming widespread. It gives criminals access to your most valuable asset—your privacy! It’s dangerous because it’s difficult to protect against, and it leaves targets wide open to personal data theft.
What’s a SIM card?
Your SIM card is the part of your cell phone that contains the actual phone number data and service.
SIM stands for the “subscriber identity module.” It’s the small chip that lives inside a mobile device and contains the data associated with the phone number. They are used by cellular service providers to individually identify each of us as subscribers and allow us to communicate with their specific mobile networks. A SIM card is what facilitates phone calls, lets users send or receive text messages, and even allows connections to 3G, 4G or even 5G cellular networks.
Think of it this way: if the battery is the brain of your phone, then the SIM card is the heart. And, just like your heart, you don’t want anybody to be handling your SIM carelessly.
In a SIM card swap attack, fraudsters use social engineering to gain access to the SIM of their victims. But it’s not a physical attack, so keeping your phone close at hand won’t protect you. SIM-swapping is also known as a port-out scam. SIM splitting, simjacking, and SIM hacking are other common names for this type of fraud attack.
How does a SIM swap attack happen?
SIM attacks happen when criminals convince mobile phone providers (like AT&T, T-Mobile, Verizon, etc.) to transfer a phone number from one SIM to another. They move the phone number from the SIM of the victim to the SIM on a device in their possession.
The shocking thing about SIM swapping (also called SIM hacking or hijacking) is how easy it is. Scammers perpetrate these attacks by contacting the phone companies and pretending to be the owner of the phone number.
Firstly, the scammers call the customer service help number or email customer support. Then, they convince the customer support representative to move their phone number.
This is all perfectly routine because it’s very common to move phone numbers between SIM cards–if you’ve ever lost or damaged a cell phone beyond repair, you’ve probably had to do it yourself as well! This is called “porting,” which we have previously covered here on the blog.
When initiated by the owner of the phone number in question, phone number porting is a very normal process. It typically involves providing documentation, like a recent account statement and personal information, to show that the person initiating the port actually owns the number.
What is abnormal is the lengths these scammers will go to in order to defraud their targets. When it’s done illicitly, without the consent of the owner, then it becomes fraud. These SIM scams are sometimes also called “porting scams.”
What do SIM attack fraudsters want?
Once the scammer has access to the victim’s phone number, they can access a treasure trove of personal information.
Financial accounts are the most targeted. Many people use their cell phone numbers to receive verification codes from their banks in order to prove their identity when logging in or resetting a password.
But after a SIM swap, the hacker is actually the person receiving the verification texts or phone calls. First, they request a temporary login code or one-time password (OTP) from the services the victim uses. Then hackers use those codes to gain access to online accounts like Facebook and Twitter, email logins, and financial accounts. The list is endless.
It’s widespread identity theft, and the scariest thing is, it’s both quick to commit and difficult to prevent.
Once the hackers have control of the phone number, they contact a variety of services with “forgot password” requests. They ask companies like Instagram, Google, or the victim’s financial institution to send a temporary login code or one-time password, via text message.
But the temporary code is actually sent to the hackers, who have taken control of the victim’s phone number.
Is SIM hijacking common?
According to MarketWatch, SIM hijacking is “the fraud the experts fear most.”
SIM card attacks are a recent phenomenon but are becoming increasingly common. In the last year, a variety of high-profile SIM frauds have made headlines. Twitter CEO Jack Dorsey was the victim of such an attack in September 2019.
Even NPR has reported on the phenomenon and trusted investigative website Snopes has confirmed that SIM fraud is actually an industry-wide problem.
Some fraudsters are only looking to extort victims for their Instagram followers or Twitter account handle. Others want to drain their life savings. Either way, it’s a terrifying practice, and we expect to hear more alarming headlines over the coming month.
How can I stay protected against SIM Swapping?
The top hits for a quick Google search on “What is SIM Swapping” include “SIM swapping scam,” “SIM Swapping arrest” and most alarmingly, “SIM Swapping tutorial”!
In an interview with the New York Times, a T-Mobile spokesperson clarified the position of the traditional telephony industry: “Account takeover fraud is an industry-wide problem. We use a number of safeguards to help protect against this crime and offer customers a variety of options to help them protect their own information.”
How to protect yourself
Here are our tips for staying protected against SIM swap fraud:
- Clean up your digital trail online by deleting old email and social media accounts that are not in use.
- Change your passwords regularly, and do not reuse passwords.
- Never share your banking or other online passwords. Your financial institution will never ask for your passwords over the phone; that’s a scam tactic.
- If you stop receiving calls, texts, or security alerts without reason, then you’ll want to contact your wireless provider immediately.
- Avoid using your phone number for 2FA (two-factor authentication). Instead, try to use an authentication app to secure your Gmail, Outlook, bank accounts, et cetera.
- Never share personal data such as your phone number, date of birth, or last four digits of your Social Security Number on social media. Easily-guessed security questions could lead to a hacker impersonating you, so protect all your information.
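Why an authentication app holds up after a SIM swap, shown as an added example that is not part of the original article: the app computes each code on the device from a secret stored at enrollment (TOTP, RFC 6238), so nothing is ever sent to the phone number. The function names are illustrative and the sample secret is the constructed test value from the RFC, standing in for a real enrollment secret.

```python
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length most authenticator apps display


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, digits: int = DIGITS) -> str:
    """Code for the 30-second step containing Unix time `at` (RFC 6238)."""
    return hotp(secret, int(at) // STEP, digits)


def verify(secret: bytes, submitted: str, at: float, drift_steps: int = 1) -> bool:
    """Service-side check: accept the current step plus or minus drift_steps."""
    step = int(at) // STEP
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        if step + delta < 0:
            continue
        # Constant-time compare, and no early exit, so timing leaks nothing.
        ok |= hmac.compare_digest(hotp(secret, step + delta), submitted)
    return ok


# Constructed sample: the RFC 6238 test secret stands in for the secret
# that the service and the phone share after scanning the enrollment QR code.
ENROLLED_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = time.time()
    code = totp(ENROLLED_SECRET, now)
    print("code shown on the enrolled phone:", code)
    print("accepted by the service:", verify(ENROLLED_SECRET, code, now))
    # A code derived without the enrolled secret does not verify, no matter
    # who currently receives texts for the phone number.
    other = totp(b"not-the-enrolled-secret", now)
    print("code from a different secret accepted:", verify(ENROLLED_SECRET, other, now))
```

Porting the number to another SIM moves calls and texts, but the enrolled secret stays in the app's storage on the original device.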
The very best way to stay protected against SIM fraud is to contact your mobile phone carrier and advise them to tighten security on your account. Ask them to place a “do not port” note on your account. This should prevent hackers from being able to port out your phone number. Set up security questions or a PIN (personal identification number), and do not share the answers with anyone.
When you port your number into Hushed, we require documentation from your current provider, including your account number and PIN, plus address and contact information. This is required because we must be completely certain that anyone porting their number into Hushed is the verified owner of the phone number in question. If all service providers were so thorough, maybe there would be fewer SIM-swapping headlines!