
A Consumer’s Guide to SIM Swap Fraud

How to Prevent It, How to Spot It, and How to Respond if You've Been Duped

Published on June 24, 2020 by the FairShake Team

SIM hijacking is a frightening and expensive ordeal that can affect anyone with a mobile prepaid or contract-based wireless plan.

On the FairShake Complaints Forum, we have seen complaints by victims of SIM swap attacks, some of whom claim thousands of dollars in losses. Others shared that the attack’s perpetrators included employees of their mobile carrier, too.

If you feel like it’s out of your control, don’t worry. Here’s what you need to know to defend yourself, or respond to SIM swap fraud if you’ve been a victim.

How do SIM Swaps Work?

All mobile phones use SIM cards to connect to mobile networks. These link the phone to your number and account.

Each day, the mobile carriers receive thousands of legitimate SIM swap or port-out requests. However, a Princeton Review study showed that support reps for the major US carriers (AT&T Wireless, T-Mobile, Tracfone, US Cellular and Verizon Wireless) don’t ask detailed security questions that truly verify that the caller is the legitimate account holder.

What Is SIM Swap Fraud?

SIM swap attacks are a type of account takeover scam that occurs when a thief impersonates you to your mobile carrier in an attempt to convince them to port your number to a SIM card in the thief’s possession.

SIM swap scams are increasingly common. Thieves target SIM cards because gaining access to your texts may allow them to access your social media, banking, and cryptocurrency accounts. Having a stranger gain unauthorized access to these accounts has the potential to cause damage in a variety of ways.

From what we know, you are most likely to be targeted by a SIM swap scam if you have a Twitter or Instagram handle or trade digital currencies such as bitcoin. It’s possible that scammers target the most common platforms for entry-level cryptocurrency holders: among complaints submitted to the FairShake Complaints Forum, many had Coinbase accounts. (More tips on how to specifically protect your crypto holdings can be found below.)

How To Protect Yourself From Attacks

Although celebrities, executives, and reporters falling victim to SIM swaps are more likely to make news, anyone with a bank account or digital currency wallet is a target for attacks. And because mobile carrier employees aid attackers unwittingly or through bribery, even perfect security hygiene may not stop a determined attempt.

Fortunately, there are several steps you can take to reduce the likelihood of an attack and to reduce the potential damage if you are victimized.


Behavioral Changes

Understanding social engineering and how public information can be used against you is the first step toward locking down your device.

As a general rule, the FTC recommends minimizing the amount of personally identifiable information you share online, both publicly and privately.

  • Don’t share your contact information (email address, phone number) on blogs, social media, or surveys unless you trust who is collecting the data.
  • Use an alternate phone number with online businesses and accounts, such as a landline or a VoIP-based virtual phone number such as Google Voice. VoIP numbers aren’t always supported and have their own security flaws, such as relying on the security of your Google account, but they are free and SIM hijack-proof.

Social engineering, in the context of IT security, is the psychological manipulation of people into performing actions or divulging confidential information. You can recognize and avoid attempts by following these best practices and IRS guidelines.

  • Only share information over the phone if you made the call to a number you know is correct. Scammers can spoof the incoming number to fool you.
  • Ignore phone calls and emails with wild offers, promises of free money, or threats by someone pretending to be with the IRS or another government agency. These are most likely scams, as the IRS will always contact you first by mail.
  • Do not click on attachments or links in surprise emails that appear to come from the IRS.
  • Don’t share personal information with people you haven’t met on social media or dating apps.
  • Don’t open attachments or click links in suspicious emails or text messages, even from friends and family. Oftentimes a scammer will impersonate someone using a hacked email address or social media account to target their unsuspecting friends and family.

Preventative Measures

Now that you know some best practices, you can take several precautions to secure your devices and accounts from unwanted intrusion.

Secure Your Phone

Starting with a change you can make yourself, you can add a SIM card lock PIN to your device. This requires anyone starting the phone, whether you or an attacker, to enter a 4-digit PIN before the SIM will connect to network services.

In Android, you can set this in Settings under “Security & Lock Screen.”

You can also add extra security measures to your wireless carrier account. The steps and protections vary between carriers.

AT&T

Go to your Profile and then “Sign-in info”. Choose your wireless account from the dropdown if more than one account is linked to your ID. Select “Manage extra security” in the Wireless passcode section. Enable extra security measures and re-enter your passcode if prompted. You can learn more on the AT&T Wireless support page on adding extra security.

Verizon Wireless

Call *611 and ask for a Port Freeze on your account.

T-Mobile

Call T-Mobile Customer Service at 1 (800) 937-8997 from your mobile phone and ask for NOPORT, which protects you from SIM swap attacks. Unfortunately, it took multiple calls to T-Mobile support to reach a representative who would process our request, so we hope they add this to their website in the near future.

Metro by T-Mobile

Metro doesn’t provide extra security measures that users can add to their accounts. However, all Metro customers have an 8-digit PIN needed to make changes to their account. For proper security, choose something unique that can’t be easily guessed or obtained, and change it annually.

You can learn more about Metro’s SIM swap fraud prevention, or change your security PIN by logging into your Metro account, clicking profile, and clicking edit security PIN.

Sprint

Log in to your Sprint account, then go to My Sprint > Profile and Security > Security Information, update the PIN or security questions, and click Save.

Secure Your Online Accounts

Password Managers and Authenticator Apps

The first step recommended by the FTC is to start using a password manager, such as LastPass or 1Password. With data breaches happening constantly, it’s unsafe to use the same password on multiple websites. A password manager not only saves you the hassle of remembering unique passwords for every site, but it adds several other conveniences to your phone and browser that save you time.


Modern password managers include the following features:

  • Generate and remember strong, unique passwords
  • Automatically remember your login information as you browse the web
  • Save time by auto-filling passwords, addresses, and credit card numbers
  • Autofill your passwords in mobile apps, using your phone’s fingerprint scanner or face ID for quick authentication

The default multifactor authentication method for banks, digital currency wallets, and email accounts is typically SMS. The best way to ensure that your accounts remain secure even if your SIM is hijacked is to use a two-factor authentication app with your most important accounts.


Apps like Authy, LastPass Authenticator, and Google Authenticator are examples of software-based identity verifiers that implement two-factor authentication using temporary one-time password codes in addition to your password.

You can add two-factor authentication to all of the following services:

  • E-commerce sites like Amazon
  • Job search sites like LinkedIn and AngelList
  • Email services like Gmail, Outlook, and MailChimp
  • Online cryptocurrency wallets like Coinbase

Removing Public Information from the Web

To make yourself as small a target as possible, some security experts suggest deleting online accounts that you no longer use, as data breaches make it easy for fraudsters to obtain lists of targets.

The FTC recommends hiding any contact information you publicly share on social media, and not approving friend requests from people you don’t know. Sites like Facebook and LinkedIn are frequently scraped for contact information by data brokers, and thieves often create fake profiles to learn enough about you to trick the call center employee.

You can do this in your privacy settings, or use a privacy assistant app like Jumbo Privacy + Security to scan your social media profiles for vulnerabilities and give you the option of fixing each one individually from inside the app.

Lastly, security journalists suggest unlisting yourself from online ‘people search directories’ like Whitepages, PeopleFinder, and Spokeo. These sites index people’s phone numbers and addresses and make them publicly searchable.

To find where your information is indexed, search Google for your email address in quotation marks, like “example@fairshake.com”, and open any people indexing site that appears in the organic results. Next, repeat the search with your mobile phone number in quotation marks, like “555-555-5555”. From there, you can submit opt-out requests to each of the sites, although some make their removal forms difficult to find. For links to the opt-out forms of some of the biggest data brokering websites, there is a list at the bottom of this article.

For Cryptocurrency Holders: Store your assets securely

While it’s always bad if a mobile phone carrier allows your account to be breached, as a holder of digital currencies you can take specific steps to minimize the damage from any breach.

If you own Bitcoin, Ethereum, Litecoin or any other cryptocurrency, you are a high-value target for cybercriminals because it is easier to steal digital currency without leaving a trace than it is to empty one’s bank account. Additionally, many exchanges and online wallets have experienced data breaches and generally do not provide the level of security one would expect from a bank, according to Bitcoin.org.

Bitcoin.org also suggests using a hardware wallet to securely save your cryptocurrency offline. Popular hardware wallet brands such as Ledger and Trezor offer entry-level wallets for approximately $60 USD that support over 1,000 different coins and tokens.

How to Tell if You’re a Victim of SIM Swap Fraud

Early Attack Warning Signs

If you have bitcoin, a memorable social media handle, or handle sensitive information, you are more likely to be targeted by SIM swap attacks and should watch for these early signs of exposure.

One indicator of your level of risk is the appearance of your phone number in data breaches. You can check if any of your accounts were compromised using the free service Have I Been Pwned. Once you enter your email address, the service lets you know if any breaches you were involved in included your phone number, which puts you at a higher risk of being targeted. If you click the Notify Me button, Have I Been Pwned will also alert you when your email is found in future breaches.


If you start to receive phone calls, emails, or text messages from individuals or businesses saying you need to provide them with information or log in, you may be the target of phishing attempts. Phishing is the fraudulent act of soliciting sensitive information such as usernames, passwords, and PIN codes while claiming to be from a trusted organization. These communications usually come with a threat or offer and try to deceive the target into entering their Google or bank account credentials on the fraudster’s website.

Common phishing messages imitate:

  • A Google Doc being shared which one has to “sign in” to view
  • Your bank letting you know about an unrecognized charge, which you can “sign in” to dispute
  • The IRS saying you owe them taxes
  • Your phone company saying a bill is due
  • Texts or Facebook messages from strangers

If you receive a call from someone claiming to be from your bank or phone company, the FCC recommends that you politely tell them that you’ll call back and hang up, look up the support number on your account statement or the back of your card, and call back.

If anyone calls and asks you for a PIN code sent by text to verify your identity, don’t do it, according to the FCC. Only do so if you placed the call, as a dedicated fraudster can spoof their phone number using off-the-shelf dialer software to make it appear that the call is coming from your bank.

Successful Attack Signs

You may be the target of SIM swap fraud if you receive an unexpected text message stating the SIM card for your phone number has been changed. This means your phone line is deactivated and can no longer make calls, texts, or use mobile data – even to contact your carrier.

If you start to receive emails mentioning unauthorized logins, or are logged out of your email and your password stops working, this means that the fraudster has successfully used your phone number to reset your password on an online account.

If you spot suspicious charges on bank or credit card statements, or had bitcoin or another digital currency stolen from you, this may mean that the attack was successful and you should consider taking further steps to report the possible theft.

How to Respond if Your SIM is Hijacked

If you think someone has made unauthorized changes to your account, don’t wait to act. Here are some steps you can take to mitigate the damage:

During an Attack

Start by calling your mobile carrier using a working phone, which may need to be a landline or a friend’s phone if your phone number stops working.


Here are the phone numbers for the fraud departments of all major U.S. carriers:

  • AT&T: 1-800-331-0500
  • Verizon: 1-800-922-0204
  • T-Mobile: 1-800-937-8997
  • Metro: 1-888-863-8768
  • Sprint: 1-888-211-4727

Remove your phone number from your accounts, like your email. If it’s too late and your email password has been changed, try to reset your password using your recovery email address.

Next, the FCC recommends that you call your bank using the number on the back of your credit or debit card, and let them know that someone has stolen your identity. If the thief hasn’t changed your password, you can also check your recent transactions to see if transfers have been attempted.

If you think a scammer has your Social Security number or bank account information, go to IdentityTheft.gov to report the theft.

You can place a security freeze on your credit report to restrict access to it, which makes it more difficult for thieves to open accounts in your name. To place the freeze, contact each of the nationwide credit bureaus:

  • Equifax: Equifax.com/personal/credit-report-services, 800-685-1111
  • Experian: Experian.com/help, 888-397-3742
  • TransUnion: TransUnion.com/credit-help, 888-909-8872

After an Attack

  • Your first step is to contact your phone company and change your account password or PIN.
  • The next course of action after a security breach is to change your online account passwords: start with your email password if it was compromised, and remove any backup security info you don’t recognize.
  • You should also take the steps mentioned above to protect your SIM security going forward, like setting up a two-factor authentication app, so your phone can’t be used to reset your account passwords.
  • You may also want to contact local law enforcement via the non-emergency police number to report any theft.

Your Legal Recourse vs. the Phone Company: Consider Arbitration

If you’ve suffered financial losses due to a SIM swap attack, we can help you file a legal claim against your mobile carrier if you think they aided the hijacker or didn’t properly train or instruct their support reps to recognize an impersonator.

In the past year alone, we’ve seen several individuals settle claims for thousands of dollars against their phone companies using an independent legal process.

In 2019, FairShake helped more consumers file legal claims against their mobile carrier than any other organization. Our claims resolution specialists are experts in SIM swap claims against phone companies like AT&T, Verizon, T-Mobile, and Dish.

Click here to learn more about arbitration, or start your claim using the form below.
