SIM swapping is when a cybercriminal impersonates someone in order to convince a mobile carrier to activate a new SIM card. These bad actors use social engineering tactics, claiming “their phone” was supposedly lost, stolen or damaged, when in reality, it was never their phone to begin with. When a cybercriminal successfully SIM swaps, they can more easily steal someone’s identity because they can now receive their text messages and phone calls.
Continue reading to learn more about SIM swapping and the steps you can take to protect yourself from this type of fraud.
What is a SIM Card?
In order to understand SIM swapping, you need to know what a SIM card is. A Subscriber Identity Module (SIM) card is a small card containing a chip that is given to you by your mobile carrier. When inserted into your mobile device, the SIM card gives you the ability to send and receive text messages and phone calls.
How SIM Swapping Works
For SIM swapping to occur, a cybercriminal first gathers as much information about their targeted victim as they can. This makes it easier for them to trick the victim’s mobile carrier using social engineering tactics. Once they have the information, they call the victim’s mobile carrier and tell them they have lost or damaged their phone, which would mean their SIM card has also been lost or damaged.
Cybercriminals will often tell mobile carriers they already have another phone they can use and just need to activate a new SIM card. Once the carrier completes the request to activate a new SIM card, all of the victim’s calls and texts will go to the cybercriminal’s device.
What makes SIM swapping especially dangerous is that cybercriminals can receive phone calls from all sorts of organizations including your bank. When it comes to text messages, they’ll be able to receive password resets and multi-factor authentication codes – meaning they can access any of your accounts without necessarily even having to know your password.
SIM Swapping Statistics
In February 2022, the Federal Bureau of Investigation (FBI) released a public service announcement warning consumers and mobile carriers about an increase in SIM swapping. According to the statement, from January 2018 to December 2020, the FBI’s Internet Crime Complaint Center (IC3) received 320 complaints related to SIM swapping, which resulted in losses of approximately $12 million. In 2021, the number of SIM swapping reports increased to 1,611 – resulting in losses of more than $68 million.
How to Tell If You’ve Been SIM Swapped
Here are a few signs that you may have been SIM-swapped.
You’re unable to make calls or send text messages
The most telling sign that you’ve been SIM swapped is if you suddenly lose access to your phone service. This means you’re unable to receive or make calls and unable to receive or send text messages.
You notice unauthorized transactions on your credit/debit cards
Another sign that you may have been SIM swapped is if after noticing your loss of service, you also notice unusual and unauthorized transactions on your credit or debit cards. Most cybercriminals’ objective when SIM swapping is to steal their victim’s money, so unauthorized transactions are a red flag.
Since cybercriminals now have your phone number, they’re able to bypass your bank account logins by using your phone number as a verification method.
Unauthorized security notifications
If you receive notifications such as your mobile carrier sending your authorization codes you didn’t request, this can be a sign that someone else is requesting them on your behalf. It can also be a sign that someone is in the process of swapping your SIM card.
Another notification you should be on the lookout for is one from your mobile carrier thanking you for activating your new device, particularly if you weren’t the one who requested it.
How to Protect Yourself From SIM Swap Fraud
Now that you know what SIM swapping is, it’s also important to learn how you can keep yourself from falling victim to this type of fraud. Here are a few tips you should follow.
Enable MFA on your accounts
Multi-Factor Authentication (MFA) adds additional security to your account since it requires that you verify your identity with one or more authentication methods before you can successfully log in. If the wrong person were to gain access to your credentials, MFA would prevent them from being able to log in to your account since they wouldn’t be able to verify your identity.
When it comes to MFA, it’s best to choose an authentication method that is not SMS. SMS or text message authentication is easy for a cybercriminal to intercept, and even more so if you are a victim of SIM swapping. While SMS offers convenience, it’s not the best method to keep your accounts secure.
Instead of using SMS as an additional authentication, opt to use an authenticator app. An authenticator app is an application you install on your mobile device that generates Time-Based One-Time Password (TOTP) codes. When you enter the username and password for your account, you’ll have to input the TOTP code provided by your authenticator app before you can log in successfully. The code will be different each time – ensuring that your account stays secure.
If you want an even easier way to verify your identity, some password managers have a feature that enables you to store TOTP codes securely without having to rely on the device where you have your authenticator app installed. This means you’ll be able to access TOTP codes from any device.
Avoid sharing personal information online
Cybercriminals attempting to SIM swap do a lot of research before calling their victim’s mobile carrier. This includes googling them, checking their social media profiles or even sending them phishing emails or text messages that contain malware. By installing malware on their victim’s device, a cybercriminal can find out more information about the victim.
Because cybercriminals do a lot of research beforehand, it’s important that you never share too much personal information about yourself online. This makes it easier for cybercriminals to steal your identity, or in this case, swap your SIM card.
Use strong, unique passwords for each of your accounts
Each of your accounts should have a strong, random and unique password. Strong passwords are what help you secure your accounts, along with having MFA enabled. To make it easier to remember and generate strong passwords, you can use a password manager.
An added advantage to having a password manager is that you’ll be able to autofill logins for your accounts, which takes away the risk of cybercriminals using keylogging software to learn what your usernames and passwords are through the keystrokes you make on your computer.
Check to see if your mobile carrier offers SIM protection
To protect yourself from becoming a victim of SIM fraud, check to see if your mobile carrier offers SIM protection. Some mobile carriers that offer this are:
If your mobile carrier does offer SIM protection, check to see if it’s an added feature or a feature you need to turn on. If your mobile carrier doesn’t offer SIM protection, it’s best to switch to one that does to avoid becoming a victim of SIM swapping.
