A SIM swapping scam (or SIM hijacking) is a type of fraud where a criminal takes over a victim's mobile phone number by tricking the service provider into transferring it to a new SIM card under the scammer's control. This allows the fraudster to intercept calls and text messages, including one-time passcodes (OTPs) used for two-factor authentication, and gain access to sensitive accounts like banking, email, and social media.
The SIM Card Scam
The process typically involves several stages:
- Information Gathering: The criminal collects personal information about the victim (name, address, date of birth, account details) through phishing, social media, or purchasing data from the dark web.
- Impersonation: The fraudster contacts the victim's mobile carrier, impersonating the victim, and claims the original SIM card is lost or damaged.
- The Swap: Using the gathered personal information to answer security questions, the scammer convinces the carrier employee to activate a new SIM card in their possession. In some cases, employees have been bribed to facilitate this.
- Account Takeover: Once the number is transferred, the victim loses mobile service, and all calls and texts are redirected to the criminal's device. The criminal then uses the number to reset passwords and access the victim's online accounts.
Warning Signs
- Sudden loss of mobile service: This is often the first sign, as your original SIM card is deactivated.
- Unexpected notifications: You receive emails or texts about account changes, new SIM activation, or password resets that you didn't initiate.
- Inability to access accounts: You are locked out of your email, bank, or social media accounts.
- Unauthorized transactions: You spot payments or transfers from your bank accounts that you did not make.
Advertisements - Continue reading below
Protect Yourself
- Set up a unique PIN/passcode with your carrier: Most providers allow you to set a specific PIN or password on your account that is required before any changes can be made. Check your carrier's website for details, such as the Verizon SIM Protection feature.
- Avoid SMS-based 2FA: Use stronger forms of two-factor authentication, such as app-based authenticators (like Google Authenticator or Microsoft Authenticator) or physical security keys (like YubiKey). These methods tie authentication to a physical device, not your phone number.
- Limit personal information shared online: Be cautious about what you post on social media, avoiding details like your date of birth, address, or pet names, which are often used for security questions.
- Be vigilant against phishing: Do not respond to unsolicited calls, emails, or texts asking for personal details, even if they appear to be from a legitimate source like your bank or phone provider.
- Monitor your accounts: Regularly check your bank accounts and credit reports for any suspicious activity.
- Set up account alerts: Ask your bank and mobile carrier to send you alerts for any significant changes to your accounts.
If You're a Victim
- Contact your mobile carrier immediately: Use another phone to call them and report the fraud, asking them to restore control of your number to you.
- Secure your financial accounts: Alert your bank and other financial institutions to freeze accounts and dispute any unauthorized transactions.
- Change passwords: Once your service is restored, change the passwords for all your online accounts, starting with your email and banking.
- Report the fraud: File a report with law enforcement and relevant government agencies, such as the FBI's Internet Crime Complaint Center (IC3) in the U.S. or Action Fraud in the UK.