Published on June 24, 2020 by the FairShake Team
SIM hijacking is a frightening and expensive ordeal that can affect anyone with a mobile prepaid or contract-based wireless plan.
On the FairShake Complaints Forum, we have seen complaints from victims of SIM swap attacks, some of whom report thousands of dollars in losses. Others reported that the perpetrators included employees of their own mobile carrier.
If you feel like it’s out of your control, don’t worry. Here’s what you need to know to defend yourself, or respond to SIM swap fraud if you’ve been a victim.
All mobile phones use SIM cards to connect to mobile networks. These link the phone to your number and account.
Each day, mobile carriers receive thousands of legitimate SIM swap and port-out requests. However, a Princeton University study showed that support reps at five US prepaid carriers (AT&T Wireless, T-Mobile, Tracfone, US Mobile and Verizon Wireless) accepted weak forms of identity verification, such as recently dialed numbers or payment details that an attacker can obtain or manufacture, rather than checks that truly verify the caller is the legitimate account holder.
SIM swap attacks are a type of account takeover in which a thief impersonates you to your mobile carrier and convinces a support rep to move your phone number to a SIM card the thief controls (or, in a port-out, to an account at another carrier).
SIM swap scams are increasingly common. Thieves target your phone number because whoever controls it receives the SMS codes and verification calls that protect your social media, banking, and cryptocurrency accounts; with those, they can reset passwords and take the accounts over outright.
From what we know, you are most likely to be targeted by a SIM swap scam if you have a short or memorable Twitter or Instagram handle, or trade digital currencies such as bitcoin. Scammers appear to target the most common platforms for entry-level cryptocurrency holders: among complaints submitted to the FairShake Complaints Forum, many involved Coinbase accounts. (More tips on how to specifically protect your crypto holdings can be found below.)
Although celebrities, executives, and reporters falling victim to SIM swaps are more likely to make news, anyone with a bank account or digital currency wallet is a target for attacks. And because mobile carrier employees aid attackers unwittingly or through bribery, even perfect security hygiene may not stop a determined attempt.
Fortunately, there are several steps you can take to reduce the likelihood of an attack and to reduce the potential damage if you are victimized.
Understanding social engineering and how public information can be used against you is the first step toward locking down your device.
As a general rule, the FTC recommends minimizing the amount of personally identifiable information you share online, both publicly and privately.
Social engineering, in the context of IT security, is the psychological manipulation of people into performing actions or divulging confidential information. You can recognize and avoid attempts by following these best practices and IRS guidelines.
Now that you know some best practices, you can take several precautions to secure your devices and accounts from unwanted intrusion.
Starting with a change you can make yourself, you can set a SIM card lock PIN on your device. The phone then demands a PIN (typically 4 digits) whenever it restarts or the SIM is moved to another handset, before it will register on the network. Be clear about what this does and does not protect against: it stops someone who physically steals your phone or SIM from using your number, but it does nothing against a SIM swap at the carrier, because the attacker is issued a brand-new SIM that never had your PIN.
In Android, you can set this in Settings under “Security & Lock Screen” (the exact menu name varies by version); on iPhone it is under Settings > Cellular > SIM PIN. Change the carrier's default PIN when you enable it, and keep the PUK code from your carrier somewhere safe, because entering the wrong PIN three times locks the SIM.
You may also try to add extra security measures to your wireless carrier account. The steps and protections vary between carriers.
For AT&T, log in to your account, go to your Profile and then “Sign-in info”. Choose your wireless account from the dropdown if more than one account is linked to your ID. Select “Manage extra security” in the Wireless passcode section, enable the extra security measures, and re-enter your passcode if prompted. You can learn more on the AT&T Wireless support page on adding extra security.
Call *611 from the phone on the account and ask for a Port Freeze.
Call T-Mobile Customer Service at 1 (800) 937-8997 from your mobile phone and ask for NOPORT, which protects you from SIM swap attacks. Unfortunately, it took multiple calls to T-Mobile support to reach a representative who would process our request, so we hope they add this to their website in the near future.
Metro doesn’t provide extra security measures that users can add to their accounts. However, all Metro customers have an 8-digit PIN that is required to make changes to the account. Choose something unique that can’t be easily guessed or looked up (not a birthday, street number, or the last digits of your SSN), and change it annually.
You can learn more about Metro’s SIM swap fraud prevention, or change your security PIN, by logging into your Metro account, clicking Profile, and clicking “Edit security PIN”.
Log in to your Sprint account, then go to My Sprint > Profile and Security > Security Information and update the PIN or security questions then click Save.
The first step recommended by the FTC is to start using a password manager, such as LastPass or 1Password. With data breaches happening constantly, it’s unsafe to use the same password on multiple websites. A password manager not only saves you the hassle of remembering unique passwords for every site, but it adds several other conveniences to your phone and browser that save you time.
Modern password managers include the following features:
The default multifactor authentication method for banks, digital currency wallets, and email accounts is typically SMS, which is exactly the channel a SIM swap hands to the attacker. The best way to keep your accounts secure even if your SIM is hijacked is to use a two-factor authentication app for your most important accounts, and then remove your phone number as a fallback sign-in and account-recovery option wherever the service allows it. Leaving SMS enabled as a backup leaves the attacker the same door.
Apps like Authy, LastPass Authenticator, and Google Authenticator generate time-based one-time password (TOTP) codes from a secret that is shared with the service once, when you scan the enrollment QR code, and then kept only on your device. Each code is computed from that secret and the current time, so nothing is sent over the phone network and there is nothing for a SIM hijacker to intercept.
You can add two-factor authentication to all of the following services:
To make yourself as small of a target as possible, some security experts suggest deleting online accounts that you no longer use, as data breaches make it easy for fraudsters to obtain lists of targets.
The FTC recommends hiding any contact information you publicly share on social media, and not approving friend requests from people you don’t know. Sites like Facebook and LinkedIn are frequently scraped for contact information by data brokers, and thieves often create fake profiles to learn enough about you to trick the call center employee.
You can do this in your privacy settings, or use a privacy assistant app like Jumbo Privacy + Security to scan your social media profiles for exposed information and give you the option of fixing each item individually from inside the app.
Lastly, security journalists suggest unlisting yourself from online ‘people search directories’ like Whitepages, PeopleFinder, and Spokeo. These sites index people’s phone numbers and addresses and make them publicly searchable.
To find where your information is indexed, search Google for your email address in quotation marks, like “email@example.com”, and open any people indexing site that appears in the organic results. Next, repeat the search with your mobile phone number in quotation marks, like “555-555-5555”. From there, you can submit opt-out requests to each of the sites, although some make their removal forms difficult to find. For links to the opt-out forms of some of the biggest data brokering websites, there is a list at the bottom of this article.
While it’s always bad if a mobile phone carrier allows your account to be breached, as a holder of digital currencies you can take specific steps to minimize the damage from any breach.
If you own Bitcoin, Ethereum, Litecoin or any other cryptocurrency, you are a high-value target for cybercriminals because cryptocurrency transfers are irreversible: once funds leave your wallet there is no bank to call and no chargeback, unlike a fraudulent transfer from a bank account. Additionally, many exchanges and online wallets have experienced data breaches and generally do not provide the level of security one would expect from a bank, according to Bitcoin.org.
Bitcoin.org also suggests using a hardware wallet to keep your cryptocurrency offline, so that a takeover of your email or exchange login does not by itself hand the thief your private keys. Popular hardware wallet brands such as Ledger and Trezor offer entry-level wallets for approximately $60 USD that support over 1,000 different coins and tokens.
If you have bitcoin, a memorable social media handle, or handle sensitive information, you are more likely to be targeted by SIM swap attacks and should watch for these early signs of exposure.
One indicator of your level of risk is the appearance of your phone number in data breaches. You can check if any of your accounts were compromised using the free service Have I Been Pwned. Once you enter your email address, the service lets you know if any breaches you were involved in included your phone number, which puts you at a higher risk of being targeted. Have I Been Pwned can also alert you when your email is found in future breaches by clicking on the Notify Me button.
If you start to receive phone calls, emails, or text messages from individuals or businesses saying you need to provide them with information or log in, you may be the target of phishing attempts. Phishing is the fraudulent act of soliciting sensitive information such as usernames, passwords, and PIN codes while claiming to be from a trusted organization. These communications usually come with a threat or offer and try to deceive the target into providing their Google or bank account credentials on the fraudster’s website.
Common phishing messages imitate:
If you receive a call from someone claiming to be from your bank or phone company, the FCC recommends that you politely tell them that you’ll call back and hang up, look up the support number on your account statement or the back of your card, and call back.
If anyone calls and asks you to read back a PIN code sent to you by text to “verify your identity”, don’t do it, according to the FCC. That code is often one the caller has just triggered by attempting to log in or reset a password as you, and reading it back completes their takeover. Only share a code on a call you placed yourself, since a dedicated fraudster can spoof caller ID with off-the-shelf dialer software to make it appear that the call is coming from your bank.
You may be the target of SIM swap fraud if you receive an unexpected text message stating that the SIM card for your phone number has been changed, or if your phone suddenly shows no signal while people around you have service. Once the swap goes through, your phone is cut off from the network and can no longer make calls, send texts, or use mobile data, not even to contact your carrier.
If you start to receive emails about unauthorized logins, or you are logged out of your email and your password no longer works, a fraudster has most likely used your phone number to reset the password on that account.
If you spot suspicious charges on bank or credit card statements, or had bitcoin or another digital currency stolen from you, this may mean that the attack was successful and you should consider taking further steps to report the possible theft.
If you think someone has made unauthorized changes to your account, don’t wait to act. Here are some steps you can take to mitigate the damage:
Start by calling your mobile carrier using a working phone, which may need to be a landline or a friend’s phone if your phone number stops working.
Here are the phone numbers for the fraud departments of all major U.S. carriers:
Remove your phone number as a sign-in, two-factor, and recovery option from your important accounts, starting with your email, since the thief can use it to reset the password on anything still tied to it. If it’s too late and your email password has already been changed, try to reset it using your recovery email address.
Next, the FCC recommends that you call your bank using the number on the back of your credit or debit card, and let them know that someone has stolen your identity. If the thief hasn’t changed your password, you can also check your recent transactions to see if transfers have been attempted.
If you think a scammer has your social security number or bank account info — go to IdentityTheft.gov to report the theft.
You can place a security freeze on your credit report to restrict access to it, which makes it more difficult for thieves to open accounts in your name. To place the freeze, contact each of the nationwide credit bureaus:
If you’ve suffered financial losses due to a SIM swap attack, we can help you file a legal claim against your mobile carrier if you think they aided the hijacker or didn’t properly train or instruct their support reps to recognize an impersonator.
In the past year alone, we’ve seen several individuals settle claims for thousands of dollars against their phone companies using an independent legal process.
In 2019, FairShake helped more consumers file legal claims against their mobile carrier than any other organization. Our claims resolution specialists are experts in SIM swap claims against phone companies like AT&T, Verizon, T-Mobile, and Dish.
Click here to learn more about arbitration, or start your claim using the form below.