The Rise of SIM Swapping
According to the FBI, there were five times as many reported SIM swapping incidents last year as in the prior three years combined (2018-2020), and there is no expectation that this surge will subside anytime soon.
What is SIM swapping? This crime occurs when a bad actor transfers a victim’s cell phone number to another device without consent and typically attempts to access the victim’s bank or virtual currency accounts. Most commonly, criminals will reach out directly to a mobile carrier, impersonating their target. Employing social engineering techniques, they will convince the representative that the old SIM card has been lost, destroyed, or accidentally sold with an old phone and they need a new SIM card to be activated for the phone number. Although the mobile carrier employee will most likely request some verification, the bad actor may be able to use personal information they have acquired to “prove” their identity as the victim. This information is often easily available for purchase on data reseller websites or posted on the dark web as a result of a data breach. Other methods of completing the swap rely on an insider threat where bad actors pay the mobile carrier representative to complete the request.
Once the bad actor completes the SIM swap, they can pose as the victim via text messages and phone calls, allowing them to respond to many multi-factor authentication requests – including those for “Forgot Password” and “Account Recovery.” The criminal can then change the passwords to the victim’s online accounts, including those for financial institutions, allowing them to log in and lock the victim out.
What to Do and How to Prevent SIM Swapping
If you start seeing emails or texts about account changes, receive alerts regarding suspicious bank activity, or unexpectedly lose cell phone service, you may be a victim of a SIM swapping scam. Immediately respond to all security alerts and change the passwords to your important accounts, opting to log yourself out of all other devices, if possible. Contact your mobile carrier to regain control of your number as soon as possible and place an alert on your bank accounts for suspicious transactions or login attempts.
Follow these precautions to avoid becoming a SIM swapping victim:
Do not use SMS-based two-factor authentication to protect an online account if there is a stronger option available. Authenticator apps, physical security keys, and biometric identifiers, such as fingerprint or face readers, are all considered safer methods.
Reset the PIN associated with your mobile account to a strong, complex string of characters – do not use birthdays, social security numbers, or addresses.
Never provide your password, mobile PIN, social security number, or payment information over the phone to an unsolicited caller; always call the customer service line of your mobile carrier directly to verify any unusual requests.
Contact your mobile carrier to understand what optional services they may offer for additional protection on your account.
Consider enrolling in a Personal Information Removal (PIR) program to reduce exposure by removing personal information from data reseller websites.