Protect yourself against SIM swapping

SIM swapping is a growing form of identity theft with associated personal losses estimated at more than $68 million. (Kelvin Chan/AP Photo)

NEW YORK — SIM swapping is a growing form of identity theft that goes beyond hacking an email or social media account. In this case, thieves take over your phone number. Any calls or texts go to them, not you.

Experts say these scams will only increase and become more sophisticated, and the data shows they’re on the rise. The FBI Internet Crime Complaint Center reports that complaints about SIM swapping increased more than 400% from 2018 to 2021, with associated personal losses estimated at more than $68 million.


Rachel Tobac, CEO of online security company SocialProof Security, says the numbers are a significant underestimate because most identity fraud goes unreported.

How does the scheme work?

Criminals use personal information about their victims (phone numbers, addresses, dates of birth, and social security numbers) obtained through data breaches, leaks, dark web purchases, or phishing scams. They then pose as victims when contacting their mobile provider.

They claim that the original phone and SIM card are damaged, lost or accidentally sold and ask to link the number to a new SIM or eSIM card in their possession. Once this is done, the phone number and the ability to receive text messages or calls to verify accounts belong to the criminals.

Prevention is the best form of protection, according to cybersecurity experts. The tricks and habits that security experts say help prevent SIM swapping are ones they have long advocated for online security in general. They include the following:

Better password habits

If your credentials are involved in a cyberattack, hackers may attempt to use the stolen passwords to gain access to other services and collect the personal data they need to swap a SIM card.

Change your passwords if you’ve used the same or similar login credentials for multiple websites or online accounts. If criminals steal your password from one service, they can try it on your other accounts and quickly get into all of them. Consider a password manager if you need help remembering your various login credentials.

Also use strong passwords that contain letters, numbers and symbols. The longer they are, the better.

Multi-factor authentication without SMS

Add biometrics or multi-factor authentication that doesn’t require SMS to your apps and devices. These methods often use separate login mechanisms and encryption that aren’t tied to your phone’s identity, making them harder for criminals to access.

AT&T also recommends contacting your carrier to set up a unique passcode to prevent significant account changes, such as porting phone numbers to another carrier. Your carrier may already have other protections against SIM swapping, so it’s worth calling them to ask.

Beware of phishing attacks (especially at work)

Criminals use emails or text messages to trick you into giving away your personal and financial information. They also want to expose your workplace to potential attacks. The tactic is incredibly effective.

Cybersecurity firm Proofpoint concluded in its annual State of the Phish report that most data breaches worldwide are still due to human error.

If you suspect you have received a possible phishing message or email, report it. Most popular email platforms have buttons or features specifically for reporting phishing attempts. If you are at work, follow the advice of your company’s information security team.

Steps you can take if you are a victim

All major US carriers have webpages that provide victims with information on how to report SIM card fraud.

However, an Associated Press reporter who was recently hit by such an attack advises that victims should work diligently with the provider to resolve the problem. Filing complaints with the Federal Trade Commission, the Internet Crime Complaint Center or their state attorneys general can speed up recovery efforts.

If payment card numbers have been stolen, inform your bank or credit card company. Explain that your card is susceptible to fraud and ask the company to warn you of any suspicious activity.

You can also notify the credit bureaus, including the three leading companies: Equifax, Experian and TransUnion. They can freeze your credit, restrict access to your credit report, make it difficult to open new accounts, or issue a fraud alert. They will also add an alert to your credit report, encouraging lenders to contact you before lending money.