
SIM Swap Scams: How to Protect Yourself


If your cell phone is your go-to device for checking your email, paying your bills, or posting to social media, you’re not alone. So imagine that your cell phone suddenly stops working: no data, no text messages, no phone calls. Then picture getting an unexpected notification from your cellular provider that your SIM card has been activated on a new device. What’s going on? These could be signs that a scammer has pulled a SIM card swap to hijack your cell phone number.

So how do scammers pull off a SIM card swap like this? They may call your cell phone service provider and say your phone was lost or damaged. Then they ask the provider to activate a new SIM card connected to your phone number on a new phone — a phone they own. If your provider believes the bogus story and activates the new SIM card, the scammer — not you — will get all your text messages, calls, and data on the new phone.

The scammer — who now has control of your number — could open new cellular accounts in your name or buy new phones using your information.

Or they could log in to your accounts that use text messages as a form of multi-factor authentication. How? Because they’ll get a text message with the verification code they need to log in.

Multi-factor authentication (MFA) can provide extra account protection by requiring two or more credentials to log in. Besides your password, you’ll need a second credential to verify your identity. That could be something you have — like a passcode you get via text message, a security key, or an authentication app. Or something you are — like a scan of your fingerprint, your retina, or your face.

Armed with your login credentials, the scammer could log in to your bank account and steal your money, or take over your email or social media accounts. And they could change the passwords and lock you out of your accounts.

Here’s what you can do to protect yourself from a SIM card swap attack:

  • Don’t reply to calls, emails, or text messages that request personal information. These could be phishing attempts by scammers looking to get personal information to access your cellular, bank, credit or other accounts. If you get a request for your account or personal information, contact the company using a phone number or website you know is real.
  • Limit the personal information you share online. If possible, avoid posting your full name, address, or phone number on public sites. An identity thief could find that information and use it to answer the security questions required to verify your identity and log in to your accounts.
  • Set up a PIN or password on your cellular account. This could help protect your account from unauthorized changes. Check your provider’s website for information on how to do this.
  • Consider using stronger authentication on accounts with sensitive personal or financial information. If you do use MFA, keep in mind that text message verification may not stop a SIM card swap. If you’re concerned about SIM card swapping, use an authentication app or a security key.
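
The difference between a texted code and an authenticator-app code, as an added example (not part of the FTC article): the app computes each code from a secret stored on the device at setup plus the current time, so nothing travels to the phone number that a SIM swap hijacks. The sketch assumes the standard TOTP scheme (RFC 6238 with HMAC-SHA-1, 30-second steps, 6 digits) and a constructed sample secret; `totp` and `verify` are illustrative names.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret: the ASCII test key from RFC 6238, Base32-encoded
# the way an enrollment QR code would hand it to the authenticator app.
SAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

STEP_SECONDS = 30   # assumed time step (RFC 6238 default)
DIGITS = 6          # assumed code length


def totp(secret_b32, at_time, digits=DIGITS, step=STEP_SECONDS):
    """Compute the one-time code for a moment in time (RFC 6238, HMAC-SHA-1)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(at_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, at_time, drift_steps=1):
    """Server-side check: accept the current step plus/minus small clock drift."""
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, at_time + delta * STEP_SECONDS)
        # Constant-time comparison; keep looping so timing does not reveal a match.
        ok |= hmac.compare_digest(expected, submitted)
    return ok


if __name__ == "__main__":
    now = time.time()
    code = totp(SAMPLE_SECRET_B32, now)
    print("code on the phone that holds the secret:", code)
    print("accepted by the server:", verify(SAMPLE_SECRET_B32, code, now))
    print("same code five minutes later:", verify(SAMPLE_SECRET_B32, code, now + 300))
```

A scammer who controls the phone number but not the device (or the secret) has no input to `totp`, which is why the code stays out of reach after a SIM swap.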

If you’re the target of a SIM swap scam

  • Contact your cellular service provider immediately to take back control of your phone number. After you regain access to your phone number, change your account passwords.
  • Check your credit card, bank, and other financial accounts for unauthorized charges or changes. If you see any, report them to the company or institution.

If you think a scammer has your information — like your Social Security, credit card, or bank account number — go to IdentityTheft.gov to see the specific steps to take.

Find out what else you can do to protect the personal information on your phone and how to keep your personal information secure online.

Comments

This is another reason why landlines shouldn't be discontinued.
God Bless

If a con artist tries to steal my number through a SIM swap, I would hope that my service provider would try to verify my identity by sending an email listed on my account or calling another number listed on my contact. I am hopeful that the service providers would use more caution before swapping SIMs.

What is an authentication app? Can you please be specific regarding banking on-line?

Here is an example of how you might use an authenticator app with your online banking. This comes from a blog by the US Commerce Department's National Institute of Standards and Technology:

If you use multifactor authentication for your online bank account, when you're ready to log on, you will

  1. Type your name and password as usual. Then you will:
  2. Activate an authenticator app, which will generate a one-time code, and enter the code on the next screen.
  3. You're logged in!

Kind of hard to pull off since cell phone providers and their affiliated networks require pin# before they do as much as give out the time of day.

Yes, I don’t have to imagine; it has happened over 6 times in 6 months. But yes, I actually just spent an entire day at Apple last week and had to completely wipe my device. I lost 1000 photos and 3000 photos, and through these 6 months I lost the picture that had more value to me than anything, of my grandfather and my two daughters, who are in heaven now. I can never get those back, so thanks, but I don’t have to imagine it! Imagine how you would feel if it was your children’s photos!

I'm surprised, appalled actually that there is no recourse with the phone provider who violated the customer's privacy by establishing ownership of the account. So they're victimized twice. The provider should be required to restore the customer to pre-theft status if the provider is the entity who allowed this travesty.

It's very important that you NOT save your USERNAME/PASSWORD on websites (for easier login the website will say). Also, when making purchases online, NEVER have your payment information linked to automatically make a purchase. Make it so that you MUST enter your USERNAME/PASSWORD to complete the purchase.

Yikes! I've been making that mistake. No problems so far, but your advice will save me frustration, time and money. Thank you.

I'd also suggest that your debit/credit card not be stored, your account number, address, etc. In other words, that you actually have to fully log in every time. May be time consuming, but the alternative to "identity theft" is far, far more time consuming.

I am still, STILL receiving postal letters which are the equivalent of "Nigerian attorney asking for my assistance"---the only reason it still exists is because IT WORKS. Someone is buying this BS.

Don't give away your identity. It's very hard to get back.

I can completely see this happening...and yes our cell providers have a protocol set up to "try" and prevent theft of our cell number, however, if we have a significant other who is a narcissist, they already have found our personal information (i.e. social security #, date of birth, driver license #, passwords, intimate information). Identity thieves & narcissists (i.e. ex-boyfriend/girlfriend, ex-spouse, ex-roommates, even family members or co-workers, etc.) are all people who could have had access to everything relating to our lives.

Please don't fool yourself into thinking that it can't/won't happen to you. These people have no conscience, and often times they will find a decoy, maybe even their next victim, who will pretend to be you and bingo they now have a new credit card (mailed to a p.o. box), access to your bank account (to make purchases online and have sent to a "drop-box" or a "Will-Call"). But you say "Wait! they need a photo ID/Driver License to be able to make some transactions", Ah, Identity thieves are smart, they plan ahead and more than likely have that missing birth certificate you looked everywhere for but never could find. Now they have their decoy (a fall guy/girl) go to the DMV and get a new driver license with their picture (no worries because it's not them/the thief) so they can use & pick-up money or items they will now steal & charge against you. Bingo! they have a New Car! and you are the one left with the loan and no new car! It is scary how easily that person, we thought loved us, can destroy our lives.

Please I implore you, do not fall victim! Trying to get your life back can take years, more money, and will add stress and heartache, and can prevent you from doing the things you want to do, when you want to do them. All of this is preventable, and only you can do it.

Now, to the finger pointers trying to blame the cell providers, it is not their fault you allowed someone access to your personal information. Cell providers have a protocol they MUST follow, and the only way to be granted access to your cell number is having all the right information and access to your email account(s) etc. Once the hoops have been jumped through (the handful or 2 of personal questions (i.e. likes, favorite teacher, first pet's name, etc.), PINs, emails, etc.), then and only then can they give the identity thief access and now possession of your cell phone number, and NO they are NOT at fault and should not be held accountable for your negligence. The responsibility is yours to keep your personal information safeguarded, no one else's, PERIOD.

We all have to learn to be on the defense when it comes to identity theft. I lived in my perfect little bubble for years, fooling myself into thinking I was safe, and that things like identity theft would never happen to me. Don't be me, this can happen to you or anyone you know or love. Be vigilant when it comes to your personal information.

THIS WAS MY SOLUTION:
I chose a safe deposit box to store my: social security card, birth certificate, passport(s), will, deed(s), passwords, etc. I will NEVER let the safe deposit key out of my possession or talk to anyone about it. I will NEVER mention my safe deposit box or take anyone with me when I go to add or remove items from it. This is how I choose to be in control of my personal information, and I will NEVER let anyone be in or around me when I am speaking to someone requiring me to verbally divulge the information to access my account.

There is a slogan from a commercial which began sometime in the 1970's, where Smokey the Bear says, "Only you can prevent forest fires." Using part of his slogan to pertain to today's issue of Identity Theft, we can say "Only you can prevent Identity Theft." Be proactive, research ways to help yourself, family and friends, or co-workers from falling victim to Identity Theft. Don't be afraid to pass along information. I take pictures of the link for the FTC and text them to my family & close friends. I am not an overly "Notorious" texter, tweeter, emailer, facebooker, instagramer, etcer. Many of those "er's" I am not even a member of and probably never will be, but you can be certain, when the FTC sends me a heads-up email, I will definitely pass along the information to my loved ones.

Thank you, FTC, for keeping us in the know, you and your staff are ALL greatly appreciated.

A guy I’ve been talking to asked me to buy him a SIM card and I asked him how would I get to him if he was on a boat, he said I would load it on my phone and transfer to him somehow, I thought that didn’t sound right and have avoided the subject until now.

Thank you very much for your info. related to authentication app. It was very helpful.

Are devices utilizing facial recognition and print scans also vulnerable?

How do I create MFA if the website doesn't offer that as an option? I am dissatisfied with security questions because there are databases with answers to questions that I've seen vendors use.

Just tell the wireless providers to tell their customers to come in and change this info and bring the old phone, new phone and ID. Problem solved

AT&T offer to set a pin along with login name and password. :)
