In 2019, scammers swapped a well-known technology journalist’s T-Mobile SIM and locked him out of his Google and Twitter accounts.[*] The hackers then charged his bank with a $25,000 Bitcoin purchase.
In another startling SIM swap scam story, a Florida woman lost her life savings in late 2022 after scammers transferred the victim’s SIM card to another phone.[*]
SIM swaps are attacks in which scammers move your phone number from a SIM card in your possession to another card that they control. This type of fraud is easy to execute and does not require any code, but it has devastating effects on victims' lives.
The adjusted losses from 1,611 SIM swapping complaints in 2021 amounted to over $68 million, according to the FBI.[*]
A SIM card swap is a gateway fraud; scammers can easily hijack your phone number — and then steal your identity. Being prepared is probably the best way to defend yourself.
What Is SIM Swapping?
SIM swapping, or SIM hijacking, occurs when attackers take control of your mobile number. They trick your cell phone provider into transferring your number to their mobile device.
The attacker then uses your phone number to access other online accounts that belong to you. Using text messages, they “recover” access to accounts (like your Gmail) in concert with other information that they have gathered about you from phishing emails, SMS two-factor authentication (2FA), or leaked data from the Dark Web.
Port-out fraud is often confused with SIM swapping, but they are two different things
Porting fraud occurs when a scammer transfers your number to another service provider.
SIM swaps refer to transferring your account to a scammer's new SIM card.
There are instances in which you may have a legitimate reason to request a duplicate SIM. If your existing SIM chip malfunctions or if you somehow misplaced the SIM, your carrier’s support team can map your phone number to a new card’s Integrated Circuit Card Identifier (ICCID).
If you’re switching to a new carrier but are still in the same geographic area, simple port-outs can be completed in a day.
Swapping to a new SIM
Porting to a new carrier
Contact your cell phone provider.
Tell your provider that you want to change the number for your SIM card.
Provide a reason for the SIM swap.
Depending on your provider, you may have to provide a one-time password or PIN.
The carrier approves or denies the swap.
Check if the existing number can be transferred to the new carrier.
Generate a number transfer PIN.
Tell the new carrier which lines to move.
Use the PIN to authorize any lines on the account.
Between 10 minutes and 24 hours
How Do You Authenticate a SIM Swap?
How can an attacker impersonate you and swap your SIM so easily? SIM swap attacks are so successful because carrier representatives are easy to trick.
The attacker can call your provider’s support line, offer a plaintive story about losing your SIM card, and get them to transfer your number. If the attacker feels threatened, they can just hang up and try again with another agent.
An empirical study by Princeton University documented six authentication challenges that attackers must overcome to complete a SIM swap:[*]
Personal information: Street address, email address, date of birth.
Account information: Last four digits of a payment card number, activation date, last payment date and amount.
Device information: IMEI (device serial number), ICCID (SIM serial number).
Usage information: Recent numbers called (call log).
Knowledge: PIN or password, answers to security questions.
Possession: SMS one-time passcode, email one-time passcode, or other multi-factor authentication (MFA) code.
How can a fraudster get around all these authenticators?
How do scammers have enough information to convince a customer service representative that they are you?
SIM swap attacks don’t happen overnight. Scammers harvest data about you before they attempt to impersonate you. They use several tactics — such as social engineering via phishing emails or malware and extensive social media research.
For example, the scammer may send an email claiming to be your service provider. They’ll ask you to fill out some information to keep your account active. You could unwittingly share personal information like your date of birth, password, address, etc.
If the scammer somehow installed malware on your mobile phone, they can record your keystrokes and see any passwords or answers to security questions that you enter. Fraudsters can buy your information off the Dark Web, thus arming themselves with any information needed to to switch your number to a new SIM card.
Authentication procedures to sign up for prepaid SIM cards tend to be more porous than with postpaid SIMs. Prepaid accounts can be registered without prior credit checks or proof of real-world identification.
Some providers like T-Mobile offer a NOPORT option that throttles a port-out request. At the time the Princeton paper was published, T-Mobile did not offer NOPORT on prepaid SIMs.
While postpaid accounts now require Number Transfer PINs (see below), prepaid accounts (like AT&T prepaid SIMs) do not.
5 Signs That Indicate a SIM Swap Attack
SIM swapping will cause your phone to act up. Here are some signs that you might be a victim:
Service changes. When your provider tells you that your SIM card or phone number has been activated elsewhere, that's the first sign.
Inability to send or receive texts and phone calls. Once the scammer activates your SIM on another device, your phone number becomes unusable.
Security notifications. Receiving alerts about changes to your profile data, such as passwords and security questions, is another sign. Failed login attempts from unrecognized sources are yet another clue that you’ve been hacked.
No access to your online carrier account. Scammers can lock you out of your carrier account. That way, you cannot file a complaint, lock your phone, or access your private information.
Inability to use apps on your phone. SIM swap attacks prevent you from logging into your phone apps and accounts.
Unusual activity on your social media accounts. SIM swap attacks usually target victims who have valuable online accounts — like a sizable audience on Twitter, LinkedIn, or Instagram. Strange online activity from social media accounts can indicate account takeovers.
How Do You Prevent Unlawful SIM Swapping?
What providers are doing:
Single-use passcodes to request a service call
T-Mobile customers are required to set up an individual 6–15 digit PIN to verify their identity when calling customer service.[*]
These authentication codes also help verify the legitimacy of any account changes.
Number Transfer PIN (NTP)
A Number Transfer PIN is a code generated when porting a postpaid number to another carrier.
This authentication method ensures that a SIM swap or port-out request is from a genuine customer.
All three major carriers now use NTPs for authentication:
Verizon rolled out NTPs and Number Locks in July 2020.[*]
T-Mobile added NTPs for port-outs in April 2022.[*]
SMS verification to change SIMs
Carriers like AT&T built a risk-scoring model to identify high-risk requests by customers for SIM changes and port-outs.[*] If a SIM swap request meets (or exceeds) specific thresholds in their risk model, AT&T sends a no-charge SMS confirmation for the customer to approve or reject a pending SIM swap.
Account takeover protection
Verizon provides customers with a feature called Number Lock to prevent SIM swaps. When you activate a Number Lock on your account, the number cannot be transferred until you remove the lock.
Two employee sign-off
If other authentication methods aren’t available, carriers like Verizon require two employees to sign off on a SIM swap or port-out transaction. AT&T responded that such a step would hinder legitimate SIM swap requests and not actively prevent social engineering or collusion.
Multiple authentication protocols
In a statement released by Verizon, the carrier states that they are training customer care employees to identify and present unauthorized SIM change attempts through multiple authentication protocols.[*]
These protocols include:
Push notification-based authentication.
Face ID or fingerprint recognition to log in securely to the carrier’s native app.
Answering security questions.
In stores, retail employees are also required to scan a customer’s ID using technology that looks for indications of authenticity.
What you can do:
Set up 2FA via an authenticator app
Use an authentication app like Google Authenticator (or a similar tool) to secure all of your online accounts.
Browse the 2FA Directory to learn which apps and websites support this important layer of authentication.
Be wary of phishing emails, texts, or phone calls
Keep an eye out for phishing emailsand other ways scammers can wrest your data from you.
Don’t click on any links from emails or texts from people you don’t know. Reputable companies (like your credit card company or carrier) will not ask for your personal information through email.
Use biometric authentication, password manager
Create unique, complex passwords and store them in a password manager. Download its browser plug-in, so you always have easy access to your passwords.
SIM cards may be easy to steal, but faking biometrics is not. Turn on Face ID authentication for your devices to keep your devices secure and your data uncrackable.
Set up a SIM PIN and carrier alerts
When you buy a SIM card, you also get a PIN for it. This four-digit code activates the SIM card when you insert it into your phone.
Change the PIN from its default number to a new one that only you know. Learn how to change your SIM PIN on Apple and Android devices.
Double-check that your mobile carrier will alert you in case of a SIM swap or port-out. Many providers will send a text message asking you to confirm a swap.
Place a port freeze or number lock
Call your cell phone provider and ask for a port freeze, and lock the account to your current SIM. If you have Verizon, you can lock your SIM from your MyVerizon mobile app.
Use a no-contract, temporary number to maintain privacy if you need to give out your number for non-essential transactions. Apps like Burner and Hushed will give you a second number that you can use for calls and texts from your smartphone.
Aura also lets you generate email aliases to hide your actual email address so that you can prevent unwanted or spam emails from crowding your inbox.
Restrict what you post online
The more you share on social media, the easier it is for scammers to learn who you are. Don’t share your phone number, Social Security number, information about financial assets, or daily locations.
Run a free privacy scan to see what personal details of yours have been exposed in a data breach and remove them.
Remove your cell phone as an account recovery option
Go into all your online accounts and set your primary email address as a recovery option. If a scammer only controls your cell phone number, it’ll be harder to take over accounts when your cell phone is not a recovery option.
Alert your carrier. Call your phone provider immediately. Remember that you can’t make phone calls anymore, so you need to borrow someone’s phone. Explain your predicament and ask your provider to remove your number from the stolen SIM.
Write down the service representative’s ID number, name, and case ID number. Keep this information for your records and future conversations with the police.
Request that your service provider retains all logs. Ask for the phone’s International Mobile Equipment Identity (IMEI) number, time of call, and the names of everyone involved in fulfilling the SIM swap request. Save this information for your police report.
Notify your banks and other financial service providers. Alert your bank, investing accounts, and any other financial institutions about the unlawful SIM swap.
Lock down your accounts. Write down a list of all your online accounts, like personal email, cryptocurrency exchange, payment apps, and online banking accounts. Starting with your primary email address, go down the list and change the login credentials for every account. Prioritize accounts that you know the attacker has access to or has tried to get access to.
File a police report. Visit your local police department’s website and file a police report online (if possible) or in person. Then report the attack to the Internet Crime Complaint Center (IC3) on www.ic3.gov.
Place a fraud alert on your credit reports. Contact one of the three credit bureaus (Equifax, Experian, or TransUnion) and request a fraud alert. You can do this online in under 30 minutes.
File a report on the BBB Scam Tracker. This tool collects and presents scam data to prevent others from falling prey to similar attacks.
Don’t engage with the attacker. Attackers may attempt to extort you after swapping your SIM. Avoid having any conversation with them. Record — but ignore and don’t respond to — any messages.
If you have a cell phone, whether it’s prepaid or postpaid, you’re at risk of a SIM swap attack. Monitoring your finances and other important accounts is one way to soften the blow after such attacks.
And for precautions that you can’t manage on your own, there’s always Aura. Identity protection services like Aura double down on monitoring, alerts, and recovery.
Aura also offers $1 million in identity theft insurance coverage along with 24/7 support from experienced fraud resolution specialists who can walk you through an identity theft recovery plan.