Digital Hygiene 🧼

SIM swap scam: This is how thieves take control of your phone – and your online accounts

Cybercriminals have a new tool in their kit known as a SIM swap scam that can let them break into some of the most secure accounts that are protected by two-factor authentication.

As smartphones get smarter and smarter, they are becoming ever more connected to nearly every aspect of our lives. Most of us have apps for bank accounts, Paypal, credit cards, subscription accounts like Netflix, Amazon accounts and more, all connected to our phones. While this has made life more convenient, it also opens up a major door for thieves to enter our private lives. One of the newest ways hackers are stealing information is known as a SIM swap scam.

A SIM swap scam, also known as SIM card jacking, SIM splitting, smishing and a port-out scam, is a way for hackers to take over your phone. The way they do it is rather rudimentary, but the power they can wield can be extremely dangerous — and costly.

In short, a SIM swap scam is a way for hackers or identity thieves to trick a phone company into handing over access to your phone number.

This is a scam that has picked up steam in recent years, mainly because of the emergence of two-factor authentication.

While having access to a phone number might not seem like a big deal, it does allow hackers a way into many accounts. It is most dangerous for those that require you to verify your identity via a text message to your phone or a call.

SIM swap scam might not be the primary form a scammer uses, but it can be the key to the safe once they are inside the proverbial bank.

What is SIM card jacking?

SIM hijacking is when hackers trick telecom companies to get access to your SIM card so that they can access your online accounts. It’s a form of account takeover fraud.

Thieves typically target specific individuals for this scam to work, rather than random unsuspecting people in other scams. 

These criminals begin their scams by finding out as much information about their potential victims as they can. They do this by searching publicly available records through people search websites, through public social media accounts and through data breach databases.

Companies verifying an identity often ask for information such as a mother’s maiden name, a birthday, the name of a pet or a favorite sport.

RELATED: How to remove yourself completely from people search websites 

RELATED: How to check if you were part of a data breach

How the SIM card scam works

Once the cybercriminal has built up a good amount of background information about their victim, they often take things to the next level through a social engineering technique such as phishing.

The thieves will try to trick unsuspecting victims into sharing their logins, social security numbers or more via fraudulent links mostly sent via email. In this way, they try to “phish” the information out of the victims with traps.

At this point, the criminals will then contact the victim’s phone provider armed with enough information to convince the service representative they are actually the victim. The cybercriminal will convince the rep to port the victim’s cellphone number to a new SIM card owned by the criminal, hence the term SIM swap.

Hackers can typically convince the representatives from cellphone companies to do this through elaborate stories about stolen, lost or broken phones. A convincing tale accompanied by enough personal information to satisfy the rep can lead to them handing over the keys to the number via the SIM swap.

What happens next?

If the cybercriminal makes it this far and your number is swapped to their SIM card, you will immediately lose access to your phone number and your network. All calls and texts that were meant for you will go to the scammer’s phone.

Remember when Twitter CEO Jack Dorsey’s own Twitter account began posting tweets with profanity and racial slurs in 2019? Hackers gained access to his phone and Twitter account via a SIM swap scam 

When hackers have access to your texts and calls, they can request companies send them temporary login codes via text message for many “secure” websites such as Google and Twitter. 

Another way hackers can use your number is by breaking a two factor authentication security measure.

In this case, hackers will have already gained access to a login and password (usually from a data breach) but haven’t been able to access a secure account because it requires a second form of authentication. One of the most common forms is a numerical code sent to a cellphone via SMS text. This can pry open even the most secure accounts.

If a hacker is able to gain access to say a bank account of a credit card, they could quickly empty the bank account and max out a credit card. 

If they access social media accounts or email, hackers could steal confidential messages that could be used to blackmail a victim or post damaging information on their accounts.

How to avoid a SIM swap scam

Avoiding falling victim to a SIM swap scam is unfortunately not very easy. Just like avoiding phishing scams, it’s easier said than done. In most cases, it is actually impossible. 

There are steps you can take to lower your risk.

The first is to avoid posting too much of your personal information on the internet. Don’t list your birthdate, your pets’ names or anything else that representatives may ask during an authentication process. Don’t give cybercriminals the ammo they need to break into your account in the first place.

A second prevention method is when using two-factor authentication to avoid relying on SMS text messages and phone calls as the authentication method. Instead, you could download an authentication app that doesn’t rely on a text or call.

A third prevention method is to be alert and aware of phishing attempts. That means not responding to unsolicited emails or texts. Be sure to check the URL of any suspicious-looking website that may be asking for your personal information. Check to ensure that the URL matches the actual website. Hackers love to make look-a-like websites to pry your information out of you. 

Fourth, if you think something is fishy with your phone and it stops working someday, call your phone company. Then check your bank account. Here’s more about what to do after a data breach. Hopefully, with a little SIM swap savvy, it won’t happen to you!