ABA: The American Bankers Association

Subscriber Identity Module (SIM) cards contain all the information your mobile device needs to connect to a cellular network. Cybercriminals employ SIM swapping scams, also known as “SIM hijacking attacks,” to access your cell phone number and obtain your personal and financial information.

Scammers are trying to intercept the unique access codes (two-factor authentication codes) that banks and other companies send to verify your identity when logging into an online account. Their ultimate goal is to use your cell phone to access your information to steal your money.

How Does the Scam Work?

Fraudsters learn about you through data breaches, phishing scams and the dark web, and by researching your social media profiles. They use this information to impersonate you and trick your mobile carrier into switching your SIM card with theirs.

When your mobile carrier activates the criminal’s SIM card, your phone number will be transferred to the criminal’s device. In other instances, criminals try to steal your physical SIM card. In either situation, you’ll suddenly be unable to communicate using your mobile phone, including making phone calls, sending/receiving text messages or accessing your accounts. Essentially, all communication with your number will be directed to and controlled by the criminal.

Recognize the Signs of an Attack

  • Sudden loss of cell service – you can’t make phone calls or send/receive text messages.
  • You’re unable to use any apps on your phone.
  • You receive security alerts indicating that your settings have changed, which you did not authorize.
  • Unusual login activity for any of your online accounts (e.g., email, financial, phone, social media).

Protect Yourself

  • Use unique passwords or passphrases. Using hard-to-guess, distinct passwords for each of your accounts will make it harder for fraudsters to gain access to your information.
  • Don’t respond to unsolicited messages, particularly those with an unusually high sense of urgency. Typically, phone providers will not contact you requesting any sensitive information — be sure to check with your carrier to confirm their policy.
  • Utilize non-text messaging two-factor authentication methods when possible. Authentication apps, biometrics or hardware tokens are preferable because fraudsters can’t digitally access them.
  • Set up a SIM PIN. When enabled, this unique code is required each time your mobile device is restarted. This adds a layer of protection in the event of a lost or stolen cell phone. You can access the feature within settings on your phone or contact your phone manufacturer (Apple, Samsung, Google, etc.) for assistance.
  • Limit what you share online. Refrain from discussing your financial assets and personal details (date of birth, first car, mother’s maiden name, anniversary) on social media. The less you can make yourself a target for fraudsters, the better.
  • Contact your mobile provider to learn what protections they offer. The major carriers typically allow you to enable extra security measures to safeguard your number and account.
  • Download your provider’s mobile app. These apps can be a quick way to receive security alerts and check for unusual account activity.

What if You’re a Victim?

Where to Learn More