“SIM swapping” scams could leave you with a dead phone, or worse

Did your phone suddenly stop working? Chances are that you’re just out of battery, but it could be a symptom of something much more sinister and worrisome: “SIM swapping.”

In a “SIM swap” scam (named after the “subscriber identity module,” the small, removable chip in most phones that contains network and billing information), thieves not only disable your mobile phone but can also activate a new phone (or phones) on your account in its place, tied to your phone number and under their control. Once identity thieves convince your wireless provider that they are you, they will then use their power over your account to purchase high-end smartphones and send you the bill.

“SIM swapping” appears to be growing in popularity among scammers. Identity theft complaints to the FTC involving new wireless accounts made up 3.7 percent of all ID theft complaints in 2015. However, according to a blog posting by the FTC’s Chief Technologist Lorrie Cranor, complaints about this type of ID theft nearly doubled, to 6.3 percent in January of this year.

The “SIM swap” scam is a two-step process. First, identity thieves gather the information they need to convince your wireless provider that they are you. This information can include your name, Social Security Number, street address, and the name of your wireless provider. This information can be gathered from a legitimate-looking phishing email. Other fraudsters have also employed a phone scam where they call and impersonate your mobile provider and ask you a series of questions to coax you into revealing the needed data. Much of this information is also available for sale on online black markets.

After the identity thieves obtain your information, they create a falsified document such as a driver's license and head to your wireless provider’s retail store. Once there, the thieves will claim that they lost “their” phone or damaged “their” SIM card and that it needs to be replaced. After answering a few questions and providing the falsified documents, the fraudsters will be allowed to pick out a new phone (or phones) and your actual phone will stop working immediately. After charging the new phone to your account, the fraudsters will then typically turn around and sell the phone for cash.

As alarming as this form of identity theft is, fraudsters in Europe and, increasingly, in the U.S. have taken this “SIM swap” scam a step further. By taking control of a phone account, they can start to receive text messages sent to the associated phone number. They can use this to bypass a bank’s multi-factor authentication protections in order to hack into bank accounts. Once they are logged in, they can transfer funds out of the accounts.

To complete this more sophisticated fraud, fraudsters collect the login credentials to your online financial accounts and use their access to your phone number to bypass the multi-factor authentication protections. As was the case for collecting the information needed to complete the initial “SIM swap,” the most common way for them to obtain this information is through a phishing email: they send you a legitimate-looking email posing as your bank and then prompt you to “confirm” your login and password information.

Due to the many risks this type of identity theft holds, it is vital to take every preventive step possible to protect yourself.

Basic steps to protect yourself from a SIM switch:

  • Take advantage of your wireless provider’s optional security features that require you to provide a PIN or password each time you wish to make a change to your account. Although some providers such as Sprint automatically require a PIN to be provided with each account interaction, many providers such as AT&T, T-Mobile, and Verizon require that you opt into these added security features, which offer additional protection from the “SIM swap” scam.

  • Be wary of suspicious emails or phone calls from people purporting to be your bank. Remember, your bank will never ask you to enter confidential information in an email.

  • If you’re unsure whether an email is from your bank, log in to your account from the bank’s own website and check. Don’t assume that links in an email will take you where you think they will. The same goes for phone calls from someone purporting to be with your bank. If you receive such a call, hang up and call the number on the back of your credit or debit card.

Sometimes, despite our best efforts, individuals still become victims of identity theft. Here is what you should do if that ever happens to you:

  • If your phone stops working, immediately contact your wireless provider to find out why. Quick action can help you avoid having charges for new devices you didn’t buy placed on your account. Your wireless provider can also deactivate any SIMs that may have been activated by the scammer, preventing them from getting the text messages that they need to get around multi-factor authentication.

  • Create a tailored recovery plan at identitytheft.gov. This will provide you with an identity theft affidavit that you can use when filing a police report. The affidavit is also useful should fraudulently acquired devices be charged to your wireless account or if funds are drained from your bank account.

  • File a police report at your local police station.