Subscriber Identity Module (SIM) cards contain all the information your mobile device needs to connect to a cellular network. Cybercriminals employ SIM swapping scams, also known as “SIM hijacking attacks,” to access your cell phone number and obtain your personal and financial information.
Scammers are trying to intercept the unique access codes (two-factor authentication codes) that banks and other companies send to verify your identity when logging into an online account. Their ultimate goal is to use your cell phone to access your information to steal your money.
How Does the Scam Work?
Fraudsters learn about you through data breaches, by researching your social media profiles, via phishing, vishing and smishing scams, and on the dark web. They use this information to impersonate you and trick your mobile carrier into switching your SIM card with theirs.
When your mobile carrier activates the criminal’s SIM card, your phone number will be transferred to the criminal’s device. In other instances, criminals try to steal your physical SIM card. In either situation, you’ll suddenly be unable to communicate using your mobile phone, including making phone calls, sending/receiving text messages or accessing your accounts. Essentially, all communication with your number will be directed to and controlled by the criminal.
Recognize the Signs of an Attack
- Sudden loss of cell service – you can’t make phone calls or send/receive text messages.
- You’re unable to use any apps on your phone.
- You receive security alerts indicating that your settings have changed, which you did not authorize.
- Unusual login activity for any of your online accounts (e.g., email, financial, phone, social media).
Protect Yourself
- Use unique passwords or passphrases. Using hard-to-guess, distinct passwords for each of your accounts will make it harder for fraudsters to gain access to your information.
- Don’t respond to unsolicited messages, particularly those with an unusually high sense of urgency. Typically, phone providers will not contact you requesting any sensitive information — be sure to check with your carrier to confirm their policy.
- Utilize non-text messaging two-factor authentication methods when possible. Authentication apps, biometrics or hardware tokens are preferable because fraudsters can’t digitally access them.
- Set up a SIM PIN. When enabled, this unique code is required each time your mobile device is restarted. This adds an additional layer of protection in the event of a lost or stolen cell phone. You can access the feature within settings on your phone or contact your phone manufacturer (Apple, Samsung, Google, etc.) for assistance.
- Limit what you share online. Refrain from discussing your financial assets and personal details (date of birth, first car, mother’s maiden name, anniversary) on social media. The less you can make yourself a target for fraudsters, the better.
- Contact your mobile provider to learn what protections they offer. The major carriers typically allow you to enable extra security measures to safeguard your number and account.
- Download your provider’s mobile app. These apps can be a quick way to receive security alerts and check for unusual account activity.
What if You are a Victim?
- Contact your phone carrier immediately. Use your landline or a friend’s or relative’s phone.
- Immediately change all your passwords, starting with your bank account password!
- Regularly check your bank accounts for unusual activity and inform your bank.
- In case of fraud, contact the bank immediately to have your account blocked and avoid further fraud.
- Register for regular SMS as well as e-mail alerts for your banking transactions. (This way, even if your SIM is deactivated, you will continue to receive the alerts via your email.)
- Place a fraud alert with the three credit bureaus: Equifax, Experian and TransUnion.
- Monitor your credit reports: Visit AnnualCreditReport.com.
- Report it to the FTC at https://www.identitytheft.gov/ and report it to the FBI's Internet Crime Complaint Center at www.ic3.gov.
Where to Learn More
What are Two-Factor Authentication Codes?
To prevent unauthorized access to your accounts, sites usually require you to sign in with a username and password. This process verifies who you are and is known as authentication. The credential you give to log in — your password, in this example — is a type of authentication factor. Authentication factors fall into three categories:
- Something you know, like a password, a PIN, or the answer to a security question.
- Something you have, like a one-time verification passcode you get by text, email, or from an authenticator app; or a security key.
- Something you are, like your fingerprint, your face, or your retina.
Accounts with two-factor authentication require you to enter a credential from two of the three categories to log in.
Two Factors Are Better Than One
Using only one factor — say, something you know, like a password — to log in to your account is like having one lock on your front door. And not a very secure one.
Using two-factor authentication is like using two locks on your door — and is much more secure. Even if a hacker knows your username and password, they can’t log in to your account without the second credential or authentication factor.
Miscellaneous Definitions
Phishing: the fraudulent practice of sending emails or other messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
Vishing: the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers. “Many victims of vishing are people who are not tech-savvy”.
Smishing: the fraudulent practice of sending text messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords or credit card numbers.