Crooks (also known as fraudsters, scammers, and hackers) keep coming up with inventive methods for stealing your personal information—and then your money. And now that we manage many of the activities in our lives on smartphones, including accessing our financial accounts, our mobile phones are increasingly becoming the preferred electronic target for fraudsters who want to harm us.
One type of phone attack fraudsters use is SIM card swapping, and it's based on social engineering and identity fraud. When a fraudster contacts you for a false reason and attempts to trick you into giving up sensitive personal information—usually information that can be used to access your financial and other accounts—this trickery is known as social engineering. They can then use this information to impersonate you and get access to your accounts; this is identity fraud.
Remind Me, What's a SIM Card?
Before we get into what SIM card swapping is, let's have a brief reminder about what a SIM card is. A SIM (Subscriber Identity Module) card is a very small memory chip that is inserted into your smartphone through a thin slot on the top or side of the phone, and the phone generally can't connect to a cellular network without it. The SIM card stores information to detail exactly who you are; usually a SIM card has a 17-digit code that specifies its country code of origin, the cellphone network carrier (the telecommunications company for your cellular service) that it is registered to and operates on, and a unique user ID. So, the SIM card stores some sensitive data about you and your phone service, data that needs to remain secure.
What is SIM Card Swapping?
Now back to SIM card swapping; what is it? Here is what happens before you become a victim of a SIM card swap. First, the fraudster may obtain some information about you, such as an address and cellphone number—maybe from breaking into your email account, checking the mail in your mailbox, or getting information from your social media accounts. Then they make a call to your cellular service provider. On the call, they will impersonate you and request a replacement SIM card, usually with the reason that they want to upgrade to a new device, or that the old card is damaged or the phone is lost or stolen. If they are lucky, and they can convince the cellphone service provider's customer support agent that they are really you, then the company will send them the SIM. The fraudster will have the company send the SIM card to a different address than your home address, either because the hacker has told them that you've just moved, or that you are staying for an extended period at a different address with relatives or friends.
With SIM card in hand, the fraudster can steal your phone number and use it in their own phone; some cellphones can hold two SIM cards, so they could have your SIM card and theirs on the same device. The first symptom of the SIM card theft is that you may get a surprise notification from your service provider that your SIM card is now active on a new phone, and then your authentic SIM card will be completely deactivated by your cellular service provider; your card will be dead.
The next effect of the theft is worse, since the fraudster now controls much of your digital life, including phone calls, text messages, two-factor authentication requests sent to your phone such as Online Banking login requests, and your web browser with your passwords for your accounts. Fortunately, if you secured your email with a password, then it might still be protected. But this broad access to your phone may then give the fraudster enough personal details to get control of your bank accounts, email, and other types of sensitive accounts and, possibly, lock you out of them.
If you think that you may be a victim of SIM card swapping, you should quickly, but carefully, review all your credit card, credit union, bank, mortgage, and other financial accounts for charges or account changes that you didn't make or just don't remember. If you see anything that looks suspicious or no longer have access to the online application, report it immediately to the company that holds the account.
How Can I Guard Against SIM Card Swapping?
One of the best ways to guard against SIM card swapping it to set a lock on your SIM card from within your phone; it's not difficult to do, but it does require a little effort. Each SIM card has a Personal Identification Number, which is often printed on the plastic sheet holding the card. If you have that PIN number, you can then go into your phone's Settings and set up a lock on your SIM card. If you don't know where to find the SIM card lock option in Settings, you should be able to use the Search function in Settings to find it. If you don't have your SIM card's PIN, then you can visit one of your cellular operator's stores and get assistance from a customer service agent.
Other things you can do to help protect your personal information and identity—that can then guard against SIM card swapping—could include:
- Secure the location of your cell phone and avoid laying it down in public places.
- Be on the lookout for phishing, smishing and vishing attacks.
- Be vigilant for spoofed phone calls.
- Harden your email account against an attack.
- Make sure your application usernames and passwords contain a mixture of letters, numbers and special characters.
- Consider using cell phone security features like fingerprint or facial recognition.
- Secure your home network.
More information on protecting yourself from SIM card swapping is available from the U.S. Federal Trade Commission, and you might want to check out what it has to say.