SIM Swapping Scams: How to Protect Your Phone and Identity

Your cell phone number is an important piece of identifying information. It ties your name to your online accounts, and lets friends, family, and coworkers call and text you. Imagine what would happen if someone stole your phone number and suddenly had access to all this info. Scary, right? Even scarier than text scams . Unfortunately, unsuspecting people get their phone numbers stolen all the time. It’s a well-known scam called SIM swapping, and if you’re not careful, it could easily happen to you. SIM swapping , also known as SIM jacking, is a scam that takes advantage of cell phone companies’ ability to port phone numbers to a new SIM card without needing the physical SIM card. They offer this service to customers who have lost their phone or SIM card and want to keep their original phone number. A scammer calls your cell phone provider and pretends to be you to convince a service rep to port your phone number to a new SIM card (a SIM that the thief has access to). Once the scammer has a SIM with your number on it, they can receive all incoming texts and calls that were intended for you. How does the thief pretend to be you? They typically gather information about you beforehand, through the use of phishing emails or social engineering. Sometimes, scammers even use tools like face swap apps in their schemes, leveraging these technologies to create convincing fake identities. Scammers can also buy your info directly from organized criminals. After data breaches, a lot of your private information can be available for purchase on the dark web. Once someone successfully ports your phone number to their SIM card, they have the potential to access all of your online accounts. Most services ask you to use two-factor authentication (2FA) with an SMS sent to your phone number to log in. They also rely on 2FA when you forget your password and want to reset it. A scammer can easily take advantage of this feature to log into your accounts. How can you tell if you’ve been SIM swapped? Look for the following signs: If you notice these signs, you are likely a victim of SIM swapping. You should take action right away to prevent further damage. Once you realize you’ve been SIM jacked, your first instinct might be to panic. Don’t do that. Instead, keep yourself calm and follow these steps. 1. Call your cell phone provider You will have to use someone else’s phone or call from Google Hangouts/Voice, Skype, or another internet-based calling service that does not require a number. Explain that your phone number has been ported to a SIM you do not control and try to give a time estimate of when it happened. Then, ask your phone company: Here are the numbers of popular mobile phone carriers: 2. Lock or freeze all of your accounts Call your bank and ask to temporarily freeze your accounts. Then, make a list of which accounts to secure first. Work your way down the list and put a hold on any account with potentially sensitive information. The scammer may have already changed your passwords, so if you can freeze accounts by calling rather than logging in, do so. 3. Disable 2FA and beef up security For any account that you can still log into, change the settings and disable 2FA. Remove all recovery emails or phone numbers as well. Then, change your passwords. Take screenshots of everything you do, before you do it and after. You want an excessive amount of records to give to law enforcement if needed. For each account, replace the 2FA phone number with one the attacker does not have access to. Also, enable as many security features and notifications as are possible. Take screenshots of all accounts that are connected (like if you use Facebook to log in) and then remove them all. 4. Secure financial info Enable special security features available with your bank or other services that hold money or cryptocurrency for you (such as PayPal). Unlink any bank accounts, withdrawal addresses, and credit cards. Remove confirmed devices and log out of all active sessions as well. 5. Go back and review your accounts Once you’ve stopped the bleeding a bit, go back through your accounts and look for any extra info you didn’t see the first time. Search for clues that the scammer accessed your account or changed anything. Pull activity logs from each account as well. 6. Follow up with the phone company Call your phone company again to see if they have an update on your case or more information to give you. Also, discuss options to secure your account so that you’re not a victim of SIM swapping again. 7. Report it By reporting your SIM swapping incident, you can help prevent it from happening to other people in the future. Typically, the local police won’t be able to do much, so instead, report it to the IC3 if you’re in the US. Suffering from a SIM swapping attack can be an ordeal. If you want to avoid it, you can take some steps to make yourself more secure: A successful SIM swap can derail your online and offline security very quickly. It’s scary when it happens to you, but if you act quickly, you can still salvage the situation. You can also take steps to avoid it by being careful about your online activities and using strong passwords. Want to learn more about SIM swapping? Listen to our Easy Prey podcast episode with Haseeb Awan about SIM swapping scams.