NEW YORK (AP) — SIM swapping is a growing form of identity theft that goes beyond hacking into your email and social media accounts: In this case, criminals take control of your phone number, so your calls and text messages go to them instead of you.
Protections that consumers have enabled to secure access to their financial accounts, such as two-factor authentication texts, can then aid the attackers and lock out the owners.
Experts say these scams will only continue to increase and become more sophisticated, and data shows a growing trend: The FBI Internet Crime Complaint Center reports that SIM swapping complaints increased by more than 400% from 2018 to 2021, with associated personal losses estimated at more than $68 million.
Rachel Tobac, CEO of online security company SocialProof Security, said that figure is probably a significant underestimate because the majority of identity theft cases go unreported.
How does the scam work?
Criminals use a victim's personal information (such as phone number, address, date of birth, and Social Security number) obtained through data breaches, leaks, dark web purchases, phishing scams, etc. to impersonate the victim when contacting the victim's mobile carrier.
The criminals will claim that the original phone and SIM card were damaged, lost, or accidentally sold, and will ask the carrier to associate the number with a new SIM or eSIM card that they own. Once this is done, the phone number belongs to the criminals, and you will no longer be able to receive the text messages or calls used to verify your accounts.
According to cybersecurity experts, prevention is the best protection. The tips and habits that security experts say can help prevent SIM swapping have long been recommended for overall online security. They include:
Improve your password habits
If your credentials are exposed in a cyber breach, hackers could use the stolen passwords to try to get into other services and gather the personal data they need to perform a SIM swap.
If you use the same or similar login details across multiple websites or online accounts, be sure to change them. If criminals steal a password from one service, they can try it on your other accounts and easily get into them all. If you find it difficult to remember different credentials, consider using a password manager.
Also, use a strong password that includes letters, numbers, and symbols. The longer the password, the better; some experts say it should be 16 characters.
Multi-factor authentication without text
Add biometric or multi-factor authentication apps or devices that don't use text messages. These methods often use alternative login methods and encryption that aren't tied to your mobile phone identity, making it harder for criminals to gain access.
AT&T also recommends contacting your carrier to set up a unique passcode to prevent any significant account changes, like porting your phone number to another carrier. Your carrier may already have other safeguards in place to prevent SIM swaps, so it's worth asking.
Beware of phishing scams (especially in the workplace)
Criminals can use email and text messages to try to trick you into giving up personal or financial information, or put your workplace at risk for attack, and this can be very effective.
In its annual “State of the Phish” report, cybersecurity company Proofpoint concluded that human error is still the cause of the majority of data breaches worldwide.
If you receive a message or email that you suspect is phishing, report it. Most popular email platforms have a button or feature for reporting phishing attempts. If you're at work, follow the advice of your company's information security team.
What to do if you are a victim
All major US carriers run web pages advising victims how to report SIM fraud.
But an Associated Press reporter who recently experienced such an attack advises that victims should work diligently with their carriers to resolve the issue. Filing a complaint with the Federal Trade Commission, the Internet Crime Complaint Center or your state's attorney general could speed up recovery efforts.
If your card number has been stolen, contact your bank or credit card company, explain that your card has been exposed to fraud, and ask them to alert you to any suspicious activity.
You can also notify the credit bureaus, which include the three major companies: Equifax, Experian, and TransUnion. These agencies can freeze your credit, which limits access to your credit report and makes it harder to open new accounts, or issue a fraud alert, which adds a warning to your credit report encouraging lenders to contact you before lending you money.