SIM swap scam: What it is, and how to protect yourself

A subscriber identity module (SIM) swap is usually legitimate when your current mobile phone number is transferred to a new SIM card. This may be a convenient procedure if you lose your phone, your SIM card gets damaged, or your new phone requires a different size SIM card. The mobile service providers may process SIM swapping in a few simple steps, ensuring you keep your original phone number.

However, this process can be exploited by hackers and used for malicious purposes. Such a scenario is called a SIM swap scam or SIM swap attack. In these instances, a criminal impersonates a legitimate user and convinces the mobile service provider to transfer a phone number onto a SIM card that the fraudster controls.

Besides having your mobile number on their SIM card and receiving your calls and text messages, which may include your sensitive data, they can use SMS-based two-factor authentication, restore passwords, and gain access to your online accounts.

Although SIM swap attacks are relatively easy to carry out, some robust methods, such as authentication apps or hardware security tokens for two-step verification, may help you increase your SIM security significantly.

SIM swapping, a type of identity theft, may sound like something from a spy movie, but it is very real and may cause trouble for individuals and organizations. We will dissect how these attacks happen and what you can do to fortify your personal information.

1. Information gathering. The cybercriminal first collects your personal information, which is relatively easy to access thanks to social media and public databases. It might include your name, address, date of birth, and even your Social Security number. That birthday selfie with a cake might be what the fraudsters are looking for.
2. Impersonation. Armed with your personal information, the criminal calls your mobile carrier and demonstrates their best acting skills to impersonate you. They usually create a fake story about a lost or damaged SIM and use the gathered information to pass security checks.
3. Request a SIM swap. The mobile carrier, believing they’re helping the customer, deactivates your legitimate SIM and transfers your number to a new SIM card controlled by an attacker.
4. Taking control of your number. The criminal now controls your phone number, meaning they can receive your phone calls and SMS messages.
5. Bypassing two-factor authentication. Your phone number is not only for calls and text messages. Many online services use your number for two-factor authentication (2FA). The fraudster then requests password resets for your accounts and receives verification codes via SMS.
6. Account takeover. As soon as the attacker gets the verification codes, you’re doomed. They’ve got access to your online life. They can now control your email, social media and even drain your bank or cryptocurrency accounts.

As threatening as it sounds, you have ways to prevent SIM swapping fraud and protect your social media accounts containing personal info and the money in your bank or credit card accounts. But first, let’s discuss how to spot SIM swapping.

The signs of a SIM swap attack can be subtle, but if you stay vigilant, you can catch the attackers. When it comes to your data security, knowledge is your sharpest weapon. Here are the most common signs that you’ve become a victim of SIM swapping:

• Sudden loss of service. One of the first signs you will notice is a sudden loss of mobile service. You’re browsing the web, and the screen displays a “No service” notification. It might be a network glitch, but if the problem persists, it could be a sign that your SIM card has been hacked.
• Unusual messages or notifications. Look out for random text messages and emails about a new SIM activation, password changes, or other changes you didn’t request on your online accounts.
• Can’t access online accounts. If you cannot log in to your online accounts, especially when you are sure the login credentials are correct, it might be a sign that criminals have already changed your passwords, locking you out of your digital assets.
• Unusual phone call activity. Be suspicious if you notice any outgoing phone calls you’ve never made or incoming calls from numbers you’ve never seen before.
• Unfamiliar transactions. If you notice unusual activity in your bank accounts, such as transfers you didn’t authorize or other financial activity you don’t recognize, it’s time to take action.
• Inability to receive 2FA codes. If you cannot receive 2FA codes suddenly, this may be another red flag that you’re a victim of SIM swapping.

Although you cannot always protect yourself from cybercriminals invading your personal digital space, you can always educate yourself and learn how to detect fraudulent activity on your device or in your online accounts.

Now, let’s explore the risks that go hand in hand with SIM swap fraud. Understanding the possible danger of such attacks may help you enable defense mechanisms that are difficult to bypass by fraudsters. Risks include:

• Identity theft. Identity theft is one of the SIM swap scams’ main and most serious risks. Once an attacker controls your phone number, they open the gate to your online world, including phone calls, texts, emails, social media accounts, bank accounts, and subscription services. They can impersonate you, take out loans or credit cards, impact your credit history, or use your identity to conduct fraudulent activity.
• Financial loss. Another goal of the Sim swap fraud is to gain unauthorized access to your financial accounts. As soon as an attacker takes over your phone number, they can use it for account recovery or to bypass 2FA, which can lead to unauthorized financial transactions and loss of funds.
• Privacy invasion. When the attacker carrying out the SIM swap attack succeeds, they can violate your privacy. They can read your messages, browse through your photos, or gain access to your contacts.
• Reputation at risk. Someone controlling your phone number can send messages or emails, post to social media, or even conduct fraud in your name, potentially harming your relationships, professional reputation, or online presence.
• Psychological impact. We can’t forget the psychological burden of the SIM swap scam. It may cause feelings of being violated or vulnerable or those of anxiety, stress, and generally being unsafe in the digital space.

Now that you know the risks of SIM swapping, let’s explore a few smart strategies to protect your phone number against SIM swaps.

• Enable additional security measures. If your mobile carrier offers additional security measures, set them up. They usually provide a unique personal identification number (PIN) or passcode that you have to provide before any changes can be made.
• Beware of phishing attempts. Always be cautious about social engineering techniques that scammers use to get information about you. Watch out for unsolicited requests for personal details, especially when it comes to Social Security numbers or banking credentials. Remember — real service providers will never ask for such information via email or text.
• Use authentication apps. Use app-based 2FA, such as Google Authenticator or Authy. These apps generate codes on your device, which reduces the risk of the process being intercepted by cybercriminals during the authentication process.
• Limit the information that you share online. The fewer personal life details you share online, the harder it is for hackers to impersonate you.

With these strategies, you’re well-equipped to protect your digital assets.

If you suspect that your SIM card has been swapped, immediately contact your mobile carrier. It can verify if a new card has been issued and suspend it. Then change all your account passwords as soon as possible, including those for your email, online banking, and social media accounts.

As soon as you change the passwords, enable app-based 2FA for accounts that offer this feature. If you suspect your financial accounts may have been affected, immediately contact your bank or credit card company. It can monitor and freeze your account in case someone makes unauthorized payments. One more thing you can do is scan your devices for malware seeking to steal your personal details.

And finally, contact your local law enforcement. You might not be the only person targeted, and your report of the cybercrime could help prevent others from falling into the same trap. Other fraud report options vary depending on your country. Many have cybercrime units that handle such incidents. In the USA, for example, you can report SIM swap fraud to the Federal Trade Commission (FTC) on its website. The UK has Action Fraud, the national fraud and cybercrime reporting center, where you can turn to for help. Other countries may have a similar institution dedicated to fraud monitoring and reporting.