Have you heard people talking about SIM, but didn’t know what it was? A SIM card (Subscriber Identity Module) looks like the chip on the front of most credit cards, but slightly bigger. This microdevice enables your phone to connect with your cellular provider and carries important information about your account. Without it, your phone won’t make or accept calls.
SIM cards can pop in and out quickly, but a tiny, pointed object might help trigger the release—which means a thief who gets their hands on your phone can also remove that SIM. But that’s not the biggest risk associated with your SIM. Hackers can actually trick your cell carrier into moving your account and phone number to a SIM card they own.
That’s why SIM swap protection is so important. If you’ve ever wondered, “How do SIM swap scams work?”, we’re breaking it down for you so you can be informed—and protect yourself.
How do SIM swap attacks work?
SIM swaps are just the latest in a long line of telephone scams. Porting your phone number to a different SIM card is common if your phone is lost or damaged, or even if you’re traveling internationally. All you have to do is switch the SIM to a new device, and your old phone disconnects from the cellular network. From there, the possibilities for damage or account takeover are endless.
Unauthorized SIM card diversions are so common they’ve earned their own name—SIM swapping. Here’s how the process works:
- A thief calls your carrier asking to get a new SIM.
- They convince the service rep that they’re you, sometimes using a spoofed caller ID showing your name to add some credibility.
- A naïve, hasty, or unseasoned customer support agent then authorizes the requested swap to the address requested by the thief.
- The new SIM is delivered to the thieve’s location, they now have access to your phone number.
- The thief takes over all your accounts that use your phone number for password resets, allowing them to pursue many avenues of identity theft, such as taking, transferring, funds out of your bank accounts, taking out new lines of credit, and selling your Personal Identifying Information online.
As the Federal Trade Commission (FTC) warns, “If your provider believes the bogus story and activates the new SIM card, the scammer—not you—will get all your text messages, calls, and data on the new phone.” That means you’re not only blocked from using your phone or accessing its information, but you could also lose access to accounts that are linked to your phone.
How do hackers do a SIM swap?
After a hacker swaps your SIM card, they get any communications meant for you—including one-time login codes. For example, if you’ve enabled multi-factor (MFA) or two-factor authentication (2FA) for sensitive websites, a crook can get the 2FA password sent to your phone to log in. Then, the thief can complete the second step to log in—which means they have full access to your accounts. Often, their first step is to change your passcode to shut you out. This is how they get their hands on your Personally Identifiable Information (PII).
Data breaches like the recent massive T-Mobile breach leaked buckets of personal information for 53 million applicants and users. All these details boost a scammer’s odds of success—even when faced with security questions they have to answer. Would-be con artists already have the last four numbers on your Social Security card and payment card, or they know where to buy those details. SIM swapping to access all your account information can help them fill in the blanks.
Is SIM swapping illegal?
Yes. Because SIM swapping is a form of identity theft, it’s definitely illegal—but that doesn’t mean it’s easy to track. Because it’s still a new form of fraud, we’re still learning about SIM swap detection and how to prevent it.
If you’ve been a victim of SIM swapping, a partnering attorney may be able to help you make a plan to get the help you need—particularly if you’re able to prosecute the scammer who swapped your SIM.
What is SIM swap detection?
SIM swap detection is exactly as it sounds—having the ability to detect when your SIM has been swapped. Some of the warning signs to look for include if you can’t make or receive calls using your phone, if you can’t log into your important accounts that are linked to your phone, if you see transactions in your accounts that you weren’t responsible for, and if you start getting notifications that someone has been trying to log into your account, or that there has been a login from a new or unknown source.
Because so much of the SIM swap experience is linked to fraud protection, it is important to have a monitoring system in place that can help you spot the signs of a SIM swap and put a lid on any detrimental activity that could be linked to your identity.
You can’t just rely on phone carrier protection
In 2020, a group of Princeton University researchers studied the authentication process of five wireless carriers that offered prepaid plans. Some of the carriers included T-Mobile, Verizon, and AT&T. And what did they discover? All five carriers use insecure authentication challenges that can easily be subverted by attackers.
They also examined 140 popular websites and identified 17 that had questionable security protocols. Princeton’s team notified those 17 companies of their security lapses, but after 60 days passed, just over half of the businesses still hadn’t fixed their vulnerabilities. That list included PayPal, Venmo, AOL and Amazon. Nobody knows if those sites were updated or not.
Recovering from SIM swapping is time-consuming
As one victim of SIM swapping shared, “The only clue that something was wrong was the text from AT&T stating my account password had been changed. SCARY. Needless to say, I have since changed all my social media and email passwords again.”
Another victim described the experience like this: “It ruined my life for at least three weeks while I went around plugging holes. They got into everything using my SIM: email, bank account, credit card, even the credit card processing for my business.”
SIM swaps create a mess that can take weeks to clean up. The surge in recent worldwide data losses keeps feeding the market for new attacks on unsuspecting customers, which means a rise in SIM swaps may be just around the corner.
But time loss isn’t the worst of it. If you’re the victim of a SIM swap, hackers can crack accounts like Amazon or Costco along with your banking information. They can hunt for credit accounts where data has been stored and run up huge bills before they’re caught.
The good news is, any financial losses could be temporary, thanks to federal consumer protection laws. Credit issuers generally don’t hold cardholders liable for unauthorized purchases. Banks often restore stolen funds, but the process can take days or weeks.
Here’s how you can shield yourself from SIM swapping
Here’s some more good news: there are some proactive steps you can take to prevent a SIM swap. These include:
- Limiting the personal information you share online (PII security is key).
- Not using easy-to-guess security questions for verification.
- Choosing more complex methods like 2FA to restrict and protect your accounts.
Perhaps the most crucially helpful option is to sign up for IDShield. IDShield takes an active role in credit monitoring, bank account monitoring, and even monitors members’ phone numbers 24/7. We can also monitor your Social Security number to ensure it’s not for sale on the dark web. If your data turns up anywhere it shouldn’t be, we alert you immediately and work with you to solve the problem. Check out IDShield’s identity theft protection plan.
IDShield is a product of Pre-Paid Legal Services, Inc. d/b/a LegalShield (“LegalShield”). LegalShield provides access to identity theft protection and restoration services. IDShield plans are available at individual or family rates. For complete terms, coverage, and conditions, please see an identity theft plan. This is meant to provide general information and is not intended to provide legal or tax advice, render an opinion, or provide any specific recommendations.