Yes, this fraud is known as SIM swapping, and it can be used to take over your financial accounts. SIM swapping relies on phone-based authentication. In a successful SIM swap scam, cybercriminals could hijack your cell phone number and use it to gain access to your sensitive personal data and accounts.
It's a good idea to learn about of SIM card swapping. That way you can help protect yourself against this type of fraud — or recognize if you've become a victim. Here's what you need to know.
SIM swapping involves a hacker duplicating you to your cell provider and making him believe that you're activating your SIM card on another device. In other words, they're stealing your phone number and associating it with their SIM card. If successful, this attack will deactivate your device, and their device will now be the destination for all texts, phone calls, data, and accounts tied to your phone number and SIM card. With that information, the attacker could easily gain access to your app accounts, personal data, and financial information. They could even lock you out of your services for good. Your bank account will go blank without you being informed.
A person doesn't need physical access to your phone to perform a SIM swap—they can do it all remotely, regardless of your device's make and model, or your service provider. They just need to have enough information to convince a customer support agent that they are you.
The easiest way to tell you've been targeted by a SIM Swap is when you see strange behaviour from your phone, like an inability to send or receive texts and calls despite not having service shut off; receiving notifications from your provider that your phone number or SIM card has been activated elsewhere; or being unable to login into any of your important accounts.
Preventing a SIM swap attack
Beware of phishing scams- The first step in an SIM swap attack is usually phishing. Sketchy emails with malicious links, bogus login screens, fake address bars—there are many forms phishing scams can take, but they're easy to spot if you know what to look out for. Don't click links, download programs, or sign in to websites you don't recognize. Always pay attention to the full web address.
Reduce excessive personal data online- Whether in addition to phishing or in place of it, the other early part of an SIM swap involves social engineering—basically collecting as much data about you as possible so the hacker can reliably pass for you over the phone or in an email.
Protect your accounts- Many digital accounts have settings that can help you take back your accounts if they're ever stolen—but they need to be properly set up before the account is stolen in order to be of any help. A suitable two-factor security method, a hardware token, passwords and encrypted password manager, these all can protect you and your data.
What should you do when you are attacked?
If you suspect you've fallen victim to a SIM swap or any form of ID theft, work through all of these steps quickly:
File identity theft reports with your local police bureau and the FTC.
Alert your banks/financial institutions to the potential identity report and request holds be put on your accounts and bank cards, then contact all three credit bureaus (Experian, Equifax, and TransUnion) to request a freeze on your credit and flag potential credit fraud. If you suspect your tax identity or social security numbers are compromised, contact the IRS. You might even want to change your bank account or credit card numbers just in case.
Report the identity theft to your cellular service provider. Be aware, however, that unless you can sufficiently prove this has happened and that you are the rightful account holder, they may not be able to do much (since the hacker as your phone number, and all).
If you have an offline/analogue list of your accounts and their information, change each account's email address and password (make sure the new email address is not tied to your phone number; a new one works best), and update any other account security measures. The most important places to start are your email address and financial institutions, including PayPal, etc, and any accounts tied to your phone number or Google/Apple accounts.
Important: If given the option, DO NOT has confirmation codes or reset links sent to your phone number. These will be sent to the hacker, not you.
If you cannot log in to an account or reset your password, contact that account's customer service ASAP and explain the situation. You'll be asked to prove your identity, so having as much information about the account as possible will help you take back control.
Stay alert!
