The SIM Swap Scam


Your mobile phone number may be pivotal for accessing your most important accounts. Many banks, brokers, businesses, and payment service providers rely on text messaging to verify your identity when you access or update your account. Sometimes, a login screen will offer users a choice between text messages and phone calls to verify their identity. While multi-factor authentication is an effective measure to strengthen the security of an account, its strength is weakened when it relies on text messages or mobile phone calls. Specifically, text or call authentication allows for a type of account takeover called SIM swapping.

Such a scam can be devastating. Between January 2018 and December 2020, the FBI Internet Crime Complaint Center (IC3) “received 320 complaints related to SIM swapping incidents with adjusted losses of approximately $12 million” (FBI Internet Crime Complaint Center). In the past year, the situation worsened by about five times. In 2021, the IC3 received 1,611 complaints about SIM swapping incidents with estimated adjusted losses “of more than $68 million” (FBI Internet Crime Complaint Center).

To better understand and protect yourself from the scam, it helps to know what a SIM card is. SIM stands for Subscriber Identity Module or Subscriber Identification Module. A SIM card is a transferable smart card that stores information for identifying and authenticating subscribers. You can think of it as a tool your cell provider uses to link the phone you use to your specific phone number.

In the SIM swap scam, an attacker has a couple of options. They can physically steal a victim’s SIM card or trick the victim’s mobile service provider into porting the victim’s number to the attacker’s phone. Either way, the attacker effectively hijacks the mobile phone number of a victim and gains access to their calls and texts. Typically, without using the SIM swap scam, if an attacker discovers a victim’s password and tries to log in to the account, they are thwarted by multi-factor authentication. However, if the attacker hijacks a victim’s mobile phone number, then the attacker may be able to get through multi-factor authentication.

For example, imagine a person who is enrolled in online banking. His account has a strong password, and every time he logs into the account, a one-time passcode is texted to his phone. Unbeknownst to him, a cybercriminal called his mobile service provider and tricked the representative into porting his phone number to the cybercriminal’s phone. Since this attacker has completed the SIM swap scam, the cybercriminal accesses the victim’s online banking website. They use the victim’s phone number to reset the account’s password and bypass multi-factor authentication. A few hours later, the victim’s life savings of more than $700,000 vanishes. Regrettably, a comparable situation happened to a man in Florida in May 2022 (Behnken).

How to Protect Yourself

  • Make sure you have a PIN or password to verify your identity when calling your mobile service provider. If you do not have one yet, ask the representative for any extra security measures you can take to protect your account. See the Additional Resources section for links to the top cell providers’ support pages.
  • Enable notifications for important accounts. If you notice changes to your account without making any changes, contact the business immediately.
  • Any time you are asked for personal information, either do not provide it or provide no more than what is required. The less personal information there is, the harder it is for a cybercriminal to use it against you.
  • If a caller claims to be from a familiar institution or business, hang up and call them using a number you trust.
  • Given a choice, opt for multi-factor authentication exclusively via an app (e.g., push notification on WashU 2FA). This method of multi-factor authentication is not vulnerable to the SIM swap scam.
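The checklist above can be applied to a list of your own accounts. The following is an added example, not part of the original article: it flags every account that still depends on the phone number for sign-in or password reset. The account names, field names, and finding codes are assumptions made for illustration, and the sample inventory is constructed.

```python
from dataclasses import dataclass

# Channels that are delivered to whoever currently controls the phone number.
PHONE_CHANNELS = {"sms", "voice"}

@dataclass
class Account:
    name: str
    mfa_methods: set      # e.g. {"sms", "app"}
    reset_methods: set    # channels that can reset the password
    alerts_enabled: bool  # change/login notifications turned on

def sim_swap_findings(acct, carrier_pin_set):
    """Return finding codes for one account, following the checklist above."""
    findings = []
    phone_mfa = acct.mfa_methods & PHONE_CHANNELS
    if phone_mfa and acct.mfa_methods <= PHONE_CHANNELS:
        findings.append("MFA_PHONE_ONLY")
    elif phone_mfa:
        # App MFA is enrolled, but a text/call option is still offered,
        # so the MFA is not "exclusively via an app".
        findings.append("MFA_PHONE_FALLBACK")
    phone_reset = acct.reset_methods & PHONE_CHANNELS
    if phone_reset:
        # As in the banking example: the number alone resets the password.
        findings.append("RESET_VIA_PHONE")
    if (phone_mfa or phone_reset) and not carrier_pin_set:
        # The carrier account PIN is what stands in front of a port request.
        findings.append("NO_CARRIER_PIN")
    if not acct.alerts_enabled:
        findings.append("NO_ALERTS")
    return findings

def audit(accounts, carrier_pin_set):
    """Map each account name to its list of finding codes."""
    return {a.name: sim_swap_findings(a, carrier_pin_set) for a in accounts}

# Constructed sample inventory (not real accounts).
SAMPLE = [
    Account("bank", {"sms"}, {"sms", "email"}, False),
    Account("email", {"app", "sms"}, {"email"}, True),
    Account("broker", {"app"}, {"email"}, True),
]

if __name__ == "__main__":
    for name, codes in audit(SAMPLE, carrier_pin_set=False).items():
        print(f"{name}: {', '.join(codes) or 'no findings'}")
```

An account with an app enrolled is still flagged when a text or call option remains available, because the weaker channel is the one a hijacked number can use.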

Additional Reading

If you are a victim of SIM Swapping

  • Contact your mobile carrier immediately to regain control of your phone number.
  • Access your online accounts and change your passwords.
  • Contact your financial institutions to place an alert on your accounts for suspicious login attempts or transactions.
  • Report information concerning all suspicious activity to your local law enforcement agency or your local FBI field office (contact information can be found at )
  • Report the activity to the FBI’s Internet Crime Complaint Center at