SIM-swapping, a rising form of identity theft, goes beyond simple hacks of email or social media accounts and targets your phone number instead. When criminals execute a SIM-swap, any calls or texts intended for you are redirected to them. Because they then receive your two-factor authentication texts, they can gain unauthorized access to financial accounts and effectively lock out the rightful owners. Experts warn that SIM-swapping scams will only grow more frequent and sophisticated. The FBI’s Internet Crime Complaint Center has recorded a surge in SIM-swapping complaints, with personal losses exceeding $68 million. Rachel Tobac, CEO of SocialProof Security, suggests this figure is likely an underestimate, given the low reporting rates of identity theft.
How SIM-Swapping Works
Criminals exploit personal information such as phone numbers, addresses, birthdays, and Social Security numbers, sourced from data breaches, leaks, dark web purchases, or phishing scams. They impersonate victims in communications with mobile carriers, claiming that their original SIM card was damaged, lost, or sold accidentally. The criminals then ask for the number to be transferred to a new SIM or eSIM card they control. Once completed, the phone number and any verification messages or calls linked to it fall into the hands of the criminals.
Prevention Strategies
Better Password Habits
Improving password practices is crucial. If cybercriminals obtain your password from one service, they might use it to access other accounts. Avoid reusing passwords across multiple sites, and update them regularly. Use strong passwords comprising letters, numbers, and symbols; ideally, they should be at least 16 characters long. For those who struggle to remember multiple credentials, consider using a password manager.
Multifactor Authentication Without Texts
Use biometrics or multifactor authentication apps that do not rely on text messaging. These methods utilize separate login mechanisms and encryption, making it harder for fraudsters to gain access. AT&T advises customers to contact their carriers to set up unique passcodes to prevent unauthorized account changes, such as porting phone numbers.
Phishing Awareness
Be vigilant against phishing schemes, particularly at work. Cybercriminals often use deceitful emails or texts to extract personal and financial information or to infiltrate work environments. According to Proofpoint's State of the Phish report, human errors are at the core of most data breaches worldwide. If you encounter a phishing attempt, report it using the tools available on most email platforms. At work, follow your company's information security guidelines.
Steps to Take If You're a Victim
All major U.S. carriers provide online resources for reporting SIM fraud. Diligence is key; victims must actively work with their carriers to resolve the issue. Filing complaints with law enforcement agencies, the Federal Trade Commission (FTC), or state attorneys general may accelerate recovery. If your payment card numbers were compromised, notify your bank or credit card company immediately so they can monitor for suspicious activity. Inform the credit agencies, including Equifax, Experian, and TransUnion. They can implement a credit freeze, which restricts access to your credit report and makes it difficult to open new accounts, or issue a fraud alert, which prompts lenders to verify your identity before approving credit.