
What is SIM Swapping and How Do You Prevent It?

by Marcus Leary, August 16th, 2023

What if I told you someone could steal your phone, even while it’s still in your hand?


According to the FBI, SIM swap scams have exploded in popularity over the last few years, totaling over $86 million in 2021 alone.


But what is SIM swapping? This post will explain what it is, how it works, and how to prevent SIM swapping.

What is a SIM card?

The best way to understand what a SIM card does is to think of it as a permission slip.


A SIM card is a penny-sized electronic chip that gives your phone permission to make and receive calls and text messages through your provider. The “SIM” in SIM card stands for Subscriber Identity Module.


Without a SIM card, you can still use your phone to access the web through Wi-Fi, take photos, use most of your apps, etc. But you won’t be able to make calls or send texts.

Is There a Legitimate Purpose of SIM Swapping?

Yes, SIM swapping itself is not illegal.


SIM swapping is how your phone company transfers your old number to a new phone. If you’ve ever purchased a new phone and kept your old number, then you performed a SIM swap without even knowing it.


Knowing the process of how to legitimately swap a SIM is important, as this same process will be used by the scammer. It usually goes like this:


  1. You contact your mobile carrier either by visiting a store or calling customer support.
  2. You’re asked right away to verify your identity. This includes personal information like your full name, phone number, address and so on.
  3. You are then asked to explain the reason for swapping the SIM. This is usually a device upgrade, a lost or damaged phone/SIM card or some other legitimate reason.
  4. You then need to fill out a few forms or other documentation. If you’re doing this over the phone, you may have to visit a store.
  5. Once you have the new SIM card, you simply need to activate it by following a few on-screen prompts.

What is the SIM Swapping Scam?

A SIM swap scam is when someone else pretends to be you, contacts a mobile service provider, then swaps your SIM information onto a new card that’s in their possession.


The scammer will usually concoct a reason why they don’t have access to “their” phone (meaning your phone), like lying about losing it.


Once they swap the SIM information, you can no longer make calls or send text messages, but more importantly, they gain access to your email, bank accounts, and crypto-wallets by getting past two-factor authentication.


About 80% of attempted SIM swaps are pulled off successfully, according to Princeton University.

How the SIM Swapping Scam Works

This scam can be complicated or easy, depending on how skilled or how lucky the scammer is.

Step 1: The Scammer Gathers Your Information

In order to get access to your SIM information, the scammer first needs to get past the worker at the store or on the phone. To get past the worker, the scammer knows that they need your personal information. They can get this information in many different ways:

Phishing Emails

A phishing email is designed to get personal information from you, either by tricking you into providing it or by downloading malware onto your computer. These emails can land in your inbox in many different forms.


For example, a phishing email may be disguised as an email from your cell phone provider telling you that you need to click a link to keep your account active.


Clicking that link will send you to a fake page where you enter your birthdate, social security number, passwords, etc. Or, clicking that link fills your computer with malware that’s capable of recording your keystrokes. Perfect for figuring out your passwords or security question answers.

Social Media

How much information do you have on your social media accounts?


For example, if one of the security questions that the scammer needs is “What was the name of your High School,” the answer may be a quick Facebook search away.

The Dark Web

It’s been estimated that the dark web is 400 to 500 times larger than the regular internet. Not everyone’s information is on the dark web, but there’s a good chance that yours already is, thanks to the vast number of data breaches each year.


Not only that, but it only costs a scammer between $500 and $1,000 to purchase everything they need to perform a SIM swap.

They Know You

Do you have an ex-significant other that may hate you? A co-worker constantly giving you the side eye? Or maybe a family member that you thought you could trust?


If you have someone in your life that has a bone to pick with you, they may see SIM swapping as a way to seek revenge. Especially now that this technique is getting more and more common.

Step 2: The Scammer Tricks or Pays Off a Mobile Service Provider

Once the scammer has all the personal information they need, they can now work their evil magic on an unknowing service provider.


The scammer can simply walk into any mobile store and ask the worker to transfer “their old number” to the phone they have in their hand. This can also be done over the phone.

But what if the scammer lacks some security question information?


That’s the evil beauty of this operation.


Let’s say the scammer gets the first few security questions correct but gets stumped by the question, “What was the name of your childhood best friend?”


As long as the scammer has some of the correct information, there’s a good chance that the worker will bypass the rest of the required questions. Service providers are often told to do whatever they can to please the customer. Or, it’s a low-wage worker who just wants to go home.


And if the worker denies the scammer, it’s no big deal. They’ll just head over to the next mobile store and try again.

Yes, Insiders are Often Involved

Here’s the really scary part. There are A LOT of inside jobs when it comes to the SIM swap.

Instead of calling a mobile provider or walking into a store, a scammer can go on the dark web and buy your SIM information from a person who works for the company directly. These people are called insiders, aka “innies,” and they are willing to do a quick SIM swap for a price.




This is by far the most insidious part of this scam.


The worst part is, you can do very little to protect yourself from an inny swapping your SIM.

Step 3: The Scammer Takes Advantage of 2-Factor Authentication

2-factor authentication requires users to provide two forms of credentials in order to log into an account.


This security measure was designed to add more protection from those trying to take your information. Ironically, when it comes to SIM swapping, it’s how scammers do the most damage.

Once the SIM swap is complete, the scammer can then request a new password at your bank, for example. The bank will send out a one-time passcode (OTP).


Instead of that passcode going to your phone, the scammer receives it.


From there, the scammer can now change the passcode, locking you out of your own account. They can then move as much money out of your account as your bank allows.

By the time you figure out what happened, it’s too late.


How to Know You’re the Victim of a SIM Swapping Attack

Many victims only realize a SIM-swapping attack hit them after their bank account has been drained.


One of the key signs that your SIM has been swapped is if the dreaded “no service” message pops up. If the message only lasts for a short period of time, this might mean there’s a small issue with the company or you’re in a bad area. But if the message lasts for hours, it’s possible that you no longer have access to your number.


Without service, you won’t be able to text or call anyone. But if you’re connected to Wi-Fi, try accessing your bank or another important account. If your password doesn’t work for your account, then there’s a big chance that your SIM was swapped.


Contact your bank and all of your other important accounts immediately. Also, check for any unauthorized purchases.


Visit identitytheft.gov for further instructions.

How To Prevent SIM Swapping Attacks

Most SIM swapping attacks can be prevented by being extremely careful with your online activities.


Here’s a quick list of how to protect yourself from SIM swapping:


  1. Look out for phishing emails. Only click on links from those you trust. And even then, be extra careful. Keep in mind that your bank or any other service provider is not allowed to ask for sensitive information in an email.


  2. Share your phone number online as little as you can, or not at all.


  3. Look into your bank’s mobile alert system. It’s possible that your bank can message you if any strange activity is going on with your account.


  4. When choosing security questions, choose the toughest ones you can. Make sure your answers can never be tied to any social media post or online activity.


  5. Use one email for your online banking account and a different email for everything else you do online.


  6. Once you get control of your phone number again, change all of your passcodes.


  7. Instead of storing all your passwords on your phone, use an authentication app like Google Authenticator. The app provides 2-factor authentication codes that are tied to your physical phone, not to your phone number. That way, a scammer would need your actual device, not just a swapped SIM, to get past 2-factor authentication.
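
As an added illustration of Step 3 and of tip 7 (not code from the original article): a toy model in which an SMS passcode follows the phone number to whichever SIM currently holds it, while an authenticator-app code is computed from a secret kept on the device. The `Carrier` class, SIM names, phone number and SMS code are constructed for the example; `totp` follows RFC 6238, and the default secret is that RFC's published test key.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): derived from a device-held secret and the clock."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Carrier:
    """Toy model (assumption): SMS goes to whichever SIM currently holds the number."""

    def __init__(self):
        self.number_to_sim = {}
        self.inbox = {}  # SIM id -> messages received

    def assign(self, number: str, sim: str) -> None:
        # One operation serves both a legitimate upgrade and a fraudulent swap.
        self.number_to_sim[number] = sim
        self.inbox.setdefault(sim, [])

    def send_sms(self, number: str, text: str) -> None:
        self.inbox[self.number_to_sim[number]].append(text)


def simulate(secret: bytes = b"12345678901234567890", now: int = 59) -> dict:
    carrier = Carrier()
    number = "+1-555-0100"  # constructed sample number
    carrier.assign(number, "victim-sim")
    carrier.assign(number, "swapped-sim")  # number moved to a different SIM

    sms_code = "493817"  # constructed one-time passcode sent by the bank
    carrier.send_sms(number, sms_code)

    app_code = totp(secret, now)  # computed on the victim's device, never sent by SMS
    return {
        "sms_received_by": [s for s, box in carrier.inbox.items() if sms_code in box],
        "app_code": app_code,
        "app_code_seen_by_swapped_sim": app_code in carrier.inbox["swapped-sim"],
    }


if __name__ == "__main__":
    print(simulate())
```

The SMS code lands only on the SIM that holds the number after the swap, while the app code never passes through the carrier at all.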

What to Do About Inside Jobs

You now know how to prevent SIM swapping attacks on your end, but what about inside jobs? Unfortunately, inside jobs are out of your control. But there is good news.


The FBI has been cracking down on “innies” recently, and they’re catching a good amount of them.


One recent catch involved a man who performed SIM swaps for up to $500 a day while working for a mobile company. He was sentenced to a year of home confinement and ordered to pay $77,000 in restitution.


Hopefully, mobile phone companies will come up with a way to stop this growing scam in its tracks as soon as possible.