NEW YORK (AP) — SIM swapping is a growing form of identity theft that goes beyond hacking into an email or social media account. In this case, thieves take over your phone number. Any calls or texts go to them, not you.
Any protections consumers allow to ensure access to their financial accounts, such as two-factor authentication texts, can now help attackers and lock out owners.
Experts say these scams will only increase and become more sophisticated, while data shows they are on the rise. The FBI’s Internet Crime Complaint Center reports that SIM swapping complaints have increased more than 400% from 2018 to 2021with associated personal losses estimated at over US$68 million.
Rachel Tobac, CEO of online security company SocialProof Security, says the numbers are likely a huge underestimate because most identity theft goes unreported.
How does the scheme work?
Criminals use personal information about their victims – phone numbers, addresses, birthdays and Social Security numbers – obtained through data breaches, leaks, dark web purchases or phishing schemes to impersonate victims when contacting your mobile operators.
They will claim that the original phone and SIM card were damaged, lost, or accidentally sold, and will request that the number be associated with a new SIM, or eSIM, card in their possession. Once this is done, the phone number belongs to the criminals, along with the possibility of receiving text messages or calls to verify accounts.
Prevention is the best form of protection, according to cybersecurity experts. The tricks and habits that security experts say help you avoid SIM swapping are what they’ve long recommended for online security in general. They include the following:
Best password habits
If your credentials are detected in a cyber breach, hackers could try to use the stolen passwords to access other services and collect the personal data needed to perform a SIM swap.
If you are using the same or similar login information for multiple websites or online accounts, be sure to change it. If criminals steal your password for one service, they can try it on other accounts and easily access them all. If you find it very difficult to memorize your various credentials, consider a password manager.
Also use strong passwords that include letters, numbers and symbols. The longer they last, the better. Some experts say they should be 16 characters long.
Multi-factor authentication without texts
Add biometrics or multi-factor authentication apps and devices that don’t involve text messaging. These methods often use separate login methods and encryption that are not tied to your phone’s identity, making them more difficult for criminals to access.
AT&T also advise Contact your carrier to set up a unique password to prevent significant account changes, such as porting phone numbers to another carrier. Your carrier may already have other protections in place to protect against SIM swapping, so it’s worth calling them to ask.
Beware of phishing scams (especially at work)
Criminals will use emails or text messages to try to trick you into giving up your personal and financial information or to expose your workplace to potential attacks, and this is incredibly effective.
In its annual State of the Phish report, cybersecurity firm Proofpoint found that the majority of data breaches around the world still center on human oversights.
If you suspect you have received a possible phishing message or email, report it. Most popular email platforms have specific buttons or functions for reporting phishing attempts. If you are at work, follow the advice of your company’s information security team.
Steps to follow if you are a victim
All major US carriers have webpages that guide victims on how to report SIM fraud.
But an Associated Press reporter, who recently was hit by such an attack, advises that victims be diligent in working with the carrier to resolve the issue. Register complaints with the Federal Trade CommissionO Internet Crime Complaint Center or their state attorneys general can accelerate recovery efforts.
If your card payment numbers are stolen, report it to your bank or credit card company, explaining that your card is at risk of fraud and asking the company to alert you to any suspicious activity.
You can also notify credit bureaus, including the three main companies: Equifax, Experian and TransUnion. They can freeze your credit, which restricts access to your credit report and makes it difficult to open new accounts or issue a fraud alert, and they will add a warning to your credit report encouraging creditors to contact you before lend money.
