
If your cell phone is your go-to device for checking your email, paying your bills, or posting to social media, you’re not alone. So imagine that your cell phone suddenly stops working: no data, no text messages, no phone calls. Then picture getting an unexpected notification from your cellular provider that your SIM card has been activated on a new device. What’s going on? These could be signs that a scammer has pulled a SIM card swap to hijack your cell phone number.


So how do scammers pull off a SIM card swap like this? They may call your cell phone service provider and say your phone was lost or damaged. Then they ask the provider to activate a new SIM card connected to your phone number on a new phone — a phone they own. If your provider believes the bogus story and activates the new SIM card, the scammer — not you — will get all your text messages, calls, and data on the new phone.


The scammer — who now has control of your number — could open new cellular accounts in your name or buy new phones using your information.


Or they could log in to your accounts that use text messages as a form of multi-factor authentication. How? Because they’ll get a text message with the verification code they need to log in.

Multi-factor authentication (MFA) can provide extra account protection by requiring two or more credentials to log in. Besides your password, you’ll need a second credential to verify your identity. That could be something you have — like a passcode you get via text message, a security key, or an authentication app. Or something you are — like a scan of your fingerprint, your retina, or your face.

Armed with your login credentials, the scammer could log in to your bank account and steal your money, or take over your email or social media accounts. And they could change the passwords and lock you out of your accounts.


Here’s what you can do to protect yourself from a SIM card swap attack:

  • Don’t reply to calls, emails, or text messages that request personal information. These could be phishing attempts by scammers looking to get personal information to access your cellular, bank, credit or other accounts. If you get a request for your account or personal information, contact the company using a phone number or website you know is real.
  • Limit the personal information you share online. If possible, avoid posting your full name, address, or phone number on public sites. An identity thief could find that information and use it to answer the security questions required to verify your identity and log in to your accounts.
  • Set up a PIN or password on your cellular account. This could help protect your account from unauthorized changes. Check your provider’s website for information on how to do this.
  • Consider using stronger authentication on accounts with sensitive personal or financial information. If you do use MFA, keep in mind that text message verification may not stop a SIM card swap. If you’re concerned about SIM card swapping, use an authentication app or a security key.
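
An added illustration (not part of the FTC article) of why the last tip prefers an authentication app over text-message codes: a toy carrier model in which a number is re-activated on a new SIM, next to a standard time-based one-time code (RFC 6238) computed from a secret stored on the owner's device. The phone number, device names and texted code are constructed sample values, and `Carrier` and `holders_of_valid_code` are hypothetical names.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the code depends only on secret and time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Carrier:
    """Toy model (hypothetical): the carrier decides which SIM a number routes to."""
    def __init__(self):
        self.active_sim = {}                      # number -> SIM currently active
        self.inbox = {}                           # SIM -> texts delivered to it

    def activate(self, number: str, sim: str) -> None:
        self.active_sim[number] = sim             # re-activation replaces the old SIM
        self.inbox.setdefault(sim, [])

    def send_sms(self, number: str, text: str) -> None:
        self.inbox[self.active_sim[number]].append(text)

# Constructed sample values, not real accounts or numbers.
NUMBER = "+1-555-0100"
APP_SECRET = b"12345678901234567890"              # RFC 6238 test key, enrolled in the owner's app
NOW = 59

def holders_of_valid_code(method: str) -> set:
    """Who can present a valid second factor after the number moves to a new SIM."""
    carrier = Carrier()
    carrier.activate(NUMBER, "owner_phone")
    carrier.activate(NUMBER, "new_sim")           # the swap: same number, different SIM
    if method == "sms":
        code = "493817"                           # constructed code the service texts out
        carrier.send_sms(NUMBER, code)
        return {sim for sim, texts in carrier.inbox.items() if code in texts}
    # Authenticator app: the secret was stored on the owner's device at enrollment
    # and never travels over the phone network, so the swap does not move it.
    secrets_on_device = {"owner_phone": APP_SECRET, "new_sim": None}
    expected = totp(APP_SECRET, NOW)              # what the service computes
    return {dev for dev, key in secrets_on_device.items()
            if key is not None and hmac.compare_digest(totp(key, NOW), expected)}

if __name__ == "__main__":
    print("sms:", holders_of_valid_code("sms"))
    print("app:", holders_of_valid_code("app"))
```

The text-message code follows the phone number to whichever SIM the carrier has active, while the app code can only be produced where the enrolled secret is stored.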

If you’re the target of a SIM swap scam

  • Contact your cellular service provider immediately to take back control of your phone number. After you regain access to your phone number, change your account passwords.
  • Check your credit card, bank, and other financial accounts for unauthorized charges or changes. If you see any, report them to the company or institution.


If you think a scammer has your information — like your Social Security, credit card, or bank account number — go to IdentityTheft.gov to see the specific steps to take.


Find out what else you can do to protect the personal information on your phone and how to keep your personal information secure online.


Ms. Gray
October 23, 2019
This is another reason why landlines shouldn't be discontinued. God Bless
Service Provid…
October 24, 2019
If a con artist tries to steal my number through a SIM swap, I would hope that my service provider would try to verify my identity by sending an email listed on my account or calling another number listed on my contact. I am hopeful the service providers would use more caution before swapping SIMs.
krwilliams
December 18, 2019

In reply to by Service Provid…

I just watched the news and some of the providers' employees were selling info to the scammers.
MJ
October 23, 2019
What is an authentication app? Can you please be specific regarding banking on-line?
FTC Staff
October 24, 2019

In reply to by MJ

Here is an example of how you might use an authenticator app with your online banking. This comes from a blog by the US Commerce Department's National Institute of Standards and Technology:

If you use multifactor authentication for your online bank account, when you're ready to log on, you will

  1. Type your name and password as usual. Then you will:
  2. Activate an authenticator app, which will generate a one-time code, and enter the code on the next screen.
  3. You're logged in!
Honor
October 24, 2019
Kind of hard to pull off since cell phone providers and their affiliated networks require pin# before they do as much as give out the time of day.
MB
December 07, 2019

In reply to by Honor

Not true . . . they did it to me. I have no idea how they obtained my pin.
rachel
December 19, 2019

In reply to by Honor

I got to this thread after searching for this specific topic. This happened to me just last night. ATT is not sure how it happened, but I lost access to my cell service and therefore Phone Number for 2 hours. The only clue that something was wrong, was the text from ATT stating my account password had been changed. SCARY. Needless to say, I have since changed all my social media and email passwords again. Unfortunately, we will always be two steps behind cyber criminals.
Mike
June 04, 2020

In reply to by Honor

They did it to me as well, without using a pin. The cell phone companies all pretend that this is not an issue. It is! It ruined my life for at least 3 weeks while I went around plugging holes. They got into everything using my sim: email, bank account, credit card, even the credit card processing for my business. DO NOT FEEL SAFE WITH A PIN. There are several ways to get around it. Just do a youtube search on sim card hijacking.
Same person on…
October 24, 2019
Yes I don’t have to imagine has happened over 6 times in 6 months but yes actually just spent an entire day at apple last week had to completely wipe device lost 1000 photos and 3000 photos and through these 6 months lost the picture that had more value to me than anything of my grandfather and my two daughters who are in heaven now I can never get those back so thanks but I don’t have to imagine it! Imagine how you would feel if it was your children’s photos!
Luna's Mom
October 24, 2019
I'm surprised, appalled actually that there is no recourse with the phone provider who violated the customers privacy by establishing ownership of the account. So they're victimized twice. The provider should be required to restore the customer to pre-theft status if the provider is the entity who allowed this travesty.
w8ngladee
October 24, 2019
It's very important that you NOT save your USERNAME/PASSWORD on websites (for easier login the website will say). Also, when making purchases online, NEVER have your payment information linked to automatically make a purchase. Make it so that you MUST enter your USERNAME/PASSWORD to complete the purchase.
The Pepster
October 24, 2019

In reply to by w8ngladee

Yikes! I've been making that mistake. No problems so far, but your advice will save me frustration, time and money. Thank you.
fred t.
October 25, 2019

In reply to by w8ngladee

I'd also suggest that your debit/credit card not be stored, your account number, address, etc. In other words, that you actually have to fully log in every time. May be time consuming, but the alternative to "identity theft" is far, far more time consuming. I am still, STILL receiving postal letters which are the equivalent of "Nigerian attorney asking for my assistance"---the only reason it still exists is because IT WORKS. Someone is buying this BS. Don't give away your identity. It's very hard to get back.
redwingfan
May 22, 2020

In reply to by w8ngladee

The sites have to store the password, generally in encrypted form, so they are not easily used by hackers without some sort of decryption. If you mean the checkbox that says remember login info, that's saved on the local computer. Password managers are very helpful for keeping track of passwords, especially complex passwords that are hard to guess and make no sense. Although I'm sure they aren't 100% secure, they do help a lot.
dEE dEE our fa…
October 24, 2019
I can completely see this happening...and yes our cell providers have a protocol set up to "try" and prevent theft of our cell number, however, if we have a significant other who is a narcissist, they already have found our personal information (i.e. social security #, date of birth, driver license #, passwords, intimate information). Identity thieves & narcissists (i.e. ex-boyfriend/girlfriend, ex-spouse, ex-roommates, even family members or co-workers, etc.) are all people who could have had access to everything relating to our lives. Please don't fool yourself into thinking that it can't/won't happen to you. These people have no conscience, and often times they will find a decoy, maybe even their next victim, who will pretend to be you and bingo they now have a new credit card (mailed to a p.o. box), access to your bank account (to make purchases online and have sent to a "drop-box" or a "Will-Call"). But you say "Wait! they need a photo ID/Driver License to be able to make some transactions", Ah, Identity thieves are smart, they plan ahead and more than likely have that missing birth certificate you looked everywhere for but never could find. Now they have their decoy (a fall guy/girl) go to the DMV and get a new driver license with their picture (no worries because it's not them/the thief) so they can use & pick-up money or items they will now steal & charge against you. Bingo! they have a New Car! and you are the one left with the loan and no new car! It is scary how easily that person, we thought loved us, can destroy our lives. Please I implore you, do not fall victim! Trying to get your life back can take years, more money, and will add stress and heartache, and can prevent you from doing the things you want to do, when you want to do them. All of this is preventable, and only you can do it. Now, to the finger pointers trying to blame the cell providers, it is not their fault you allowed someone access to your personal information. 
Cell providers have a protocol they MUST follow, and the only way to be granted access to your cell number is having all the right information and access to your email account(s) etc. Once the hoops have been jumped through (the handful or 2 of personal questions (i.e. likes, favorite teacher, first pet's name, etc.), Pins, emails, etc.), then and only then can they give the identity thief access and now possession of your cell phone number, and NO they are NOT at fault and should not be held accountable for your negligence. The responsibility is yours to keep your personal information safeguarded, no one else's, PERIOD. We all have to learn to be on the defense when it comes to identity theft. I lived in my perfect little bubble for years, fooling myself into thinking I was safe, and that things like identity theft would never happen to me. Don't be me, this can happen to you or anyone you know or love. Be vigilant when it comes to your personal information. THIS WAS MY SOLUTION: I chose a safe deposit box to store my: social security card, birth certificate, passport(s), will, deed(s), passwords, etc. I will NEVER let the safe deposit key out of my possession or talk to anyone about it. I will NEVER mention my safe deposit box or take anyone with me when I go to add or remove items from it. This is how I choose to be in control of my personal information, and I will NEVER let anyone be in or around me when I am speaking to someone requiring me to verbally divulge the information to access my account. There is a slogan from a commercial which began sometime in the 1970's, where Smokey the Bear says, "Only you can prevent forest fires." Using part of his slogan to pertain to today's issue of Identity Theft, we can say "Only you can prevent Identity Theft." Be proactive, research ways to help yourself, family and friends, or co-workers from falling victim to Identity Theft. Don't be afraid to pass along information.
I take pictures of the link for the FTC and text them to my family & close friends. I am not an overly "Notorious" texter, tweeter, emailer, facebooker, instagramer, etcer. Many of those "er's" I am not even a member of and probably never will be, but you can be certain, when the FTC sends me a heads-up email, I will definitely pass along the information to my loved ones. Thank you, FTC, for keeping us in the know, you and your staff are ALL greatly appreciated.
UrFaveGrlKat
February 09, 2021

In reply to by dEE dEE our fa…

You're a blessing in disguise. Thank you for informing us of the evil in the world when we can't see because we're blindfolded with trying to be an understanding newlywed and ignoring the obvious just so one day can be good.
DrBubbasBFF
October 24, 2019
A guy I’ve been talking to asked me to buy him a SIM card and I asked him how would I get to him if he was on a boat, he said I would load it on my phone and transfer to him somehow, I thought that didn’t sound right and have avoided the subject until now.
MJ
October 25, 2019
Thank you very much for your info. related to authentication app. It was very helpful.
AMR912
November 01, 2019
Are devices utilizing facial recognition and print scans also vulnerable?
What you don't…
November 02, 2019
How do I create MFA if the website doesn't offer that as an option? I am dissatisfied with security questions because there are databases with answers to questions that I've seen vendors use.
CJ
November 04, 2019
Just tell the wireless providers to tell their customers to come in and change this info and bring the old phone, new phone and ID. Problem solved
Nando
November 07, 2019
AT&T offers to set a pin along with login name and password. :)
JonathamM
January 15, 2020
Since customer service from mobile phone companies is so typically poor, it's easy to imagine them falling for things like this.
Dolores P
March 10, 2020
I use a PIN and my fingerprint as a backup in case I forget my pin. It saves me time and remembering passwords as well as adding a level of security.
Kid
February 11, 2021
We always get spam calls on our landline and most say they are Amazon we always hang up our ones about our warranty and on cell phone if we don’t recognize the number we hang up
Ranskyei
April 10, 2021
I lost my sms contact which my 2FA code pass through and now I can get access to my account
KennethAcult
May 22, 2021
This information is true
Sean M
September 06, 2021
Hi, I was recently hacked (SIM swap) and my cryptocurrency exchange was robbed. Is there anything I should do or need to know to deal with this situation? Please help