The scam isn't new, but cases are skyrocketing: The FBI says that victims lost $68 million to this SIM-card-based scam in 2021, compared to just $12 million in the three-year period between 2018 and 2020.
Here's what to know about SIM-swapping and how to protect yourself.
The scam has a few steps. First, a scammer acquires personal details about the victim either by impersonating telecom company employees through phishing emails or phone calls, or by buying the information on the dark web, where stolen personal information is traded or sold by organized criminals.
This data isn't hard to find, either. With countless company data breaches over the years, millions of Americans have some of their personal information on the dark web, from their Social Security number to their date of birth.
Next, the scammer calls the victim's phone service provider. Using the victim's stolen personal information, the scammer will report the victim's SIM card as lost or stolen. While many telecoms try to prevent identity fraud through the use of a secret personal identification number, or PIN, often the scammer is able to convince the phone provider that they simply forgot their PIN and need a new one, too.
If the impersonation works, the scammer will ask the phone provider to transfer the victim's phone number over to a new SIM card and device. In some cases, employees of the phone provider have been in on the scam.
Since many banking and social media apps rely on texts or calls to reset passwords, the scammer is then able to access the victim's accounts through password reset requests. From there, the scammer can do things like steal funds from the victim's bank accounts and sell access to those accounts to criminals on the black market.
In the case of former Twitter CEO Jack Dorsey, a scammer was able to hack his phone and access Twitter's text-to-tweet service, which allowed users to tweet without logging into Twitter. The hacker was later arrested and the service was discontinued for security reasons.
To prevent SIM card swapping, you'll need to be vigilant about the information you share and how passwords are stored. The FBI recommends the following precautions:
- If you're contacted by someone claiming to be from a telecom company, don't volunteer personal information, like your PIN or phone number. Instead, verify the call by dialing the customer service line of your mobile carrier.
- Avoid posting personal information online, such as your phone number or address. This can include photos shared on social media, too. A good example of this would be to avoid posting a picture of your vaccination card, which includes your date of birth.
- Use a variety of passwords to access online accounts and change them often.
- Embrace strong multi-factor authentication methods such as biometrics, physical security tokens or standalone authentication applications to access online accounts.
- Don't store passwords, usernames or other information for easy login on mobile device applications.
- Don't advertise information about financial assets, including ownership of or investment in cryptocurrency, on social media websites and forums.
If your phone has been cut off and you think you might be a victim of a SIM swap, immediately notify your phone provider and change the passwords to your online accounts. You can report the scam to the FBI's Internet Crime Complaint Center at www.ic3.gov.