Home » Blog » SIM Swapping Attacks: What to Know

SIM Swapping Attacks: What to Know

sue for unsolicited text messages

The common image of a hacker in the minds of many is someone sitting at an elaborate computer setup using complex code to breach protections and access sensitive personal data.  While many instances of data breaches do involve a level of sophistication, breaching personal data through SIM swapping is much less sophisticated. 

 

What is SIM Swapping?

SIM swapping is a type of fraud that targets personal information through cell phones, and it is on the rise.  With this type of fraud, hackers take over a victim’s phone number by having it switched to their SIM card which allows them access your phone calls, text messages, social media accounts, and other personal data.  Among other reasons, hackers will do this to steal personal information and change passwords to take over accessible accounts on your phone, including your social media and bank accounts. 

SIM swapping hackers can not only make your life miserable by locking you out of your social media and financial accounts, but they can also get enough personal information to steal your identity to use in the future.

 

How Do Hackers Perform SIM Swapping?

In short, hackers pull off SIM swapping fraud by using personal information from their targets to con wireless providers into transferring phone numbers to a new SIM card in the hacker’s device. 

In order for hackers to be successful, they need to get personal data from the target so they can pretend to be the intended victim when conning the wireless carrier.  The more personal data they get from a target, the more likely they are to be successful with the SIM swapping.  The personal data that these attackers look for includes usernames and passwords, email addresses, date of birth, and at least the last four digits of credit card numbers.

There are a couple of different ways that hackers can obtain personal information to pull of SIM swapping.  One way is to take the information that was previously exposed by other data breaches.  They will also check social media accounts for useful personal information that people publicly share, such as date of birth.  The other way some attackers gain personal information is to trick their targets into giving them the information. 

It is very important to be careful of what information you post publicly on your social media accounts and who you share your personal information with.

Tricking the Wireless Provider

Once the attacker has obtained personal information, the next step is to con the wireless provider into switching the phone number to their SIM card.  To pull this off, they need to convince the customer service representative that they are the intended victim.

A common approach is to tell the Wireless Provider’s representative that they need to transfer a phone number to their SIM card because they either lost their phone or switched carriers.  Before the representative makes the transfer, they should ask security questions to try and confirm that they are talking to the real account holder, though this does not always happen.  If the hacker succeeds, the representative transfer the number to their SIM card.

 

What Can Hackers Do After a Successful SIM Swap?

Once the hacker completes the SIM swap, they get complete access to your phone number.  They can intercept phone calls and text messages, change passwords for your banking and social media accounts linked to your phone number, and more.  They can also take over ownership of all your accounts and lock you out.

 

How Can I Tell if I Have Been SIM Swapped?

Jack Dorsey, the former CEO of Twitter, was the target of one of the most high-profile SIM swapping attacks.  Hackers managed to access his Twitter account and make racist and violent posts.  This shows that anyone can be the victim of a SIM-swapping attack. 

If you are the victim of a SIM swapping attack, you should notice the effects quickly.  The following are the warning signs of a SIM swap:

  • There is strange activity on your social media account including posts that you didn’t make.
  • You are not able to send text messages or make phone calls and have no signal.
  • Your phone no longer shows the name of your service provider.
  • You receive a notification email from your provider confirming that your new SIM card has been activated when you haven’t requested a new SIM card.
  • You are no longer the owner of your accounts.

 

What is the FCC Doing About SIM Swapping?

The Federal Communications Commission (FCC) has received many complaints concerning the rise of SIM swapping attacks.  In response, the FCC is looking into creating new rules for transferring phone numbers that wireless providers must follow before a SIM change or port request is completed.

The purpose of these new rules is to create more safeguards to protect potential targets of SIM swapping and help train customer service representatives of wireless providers to recognize instances of possible SIM swapping and take the appropriate actions.

Some of the ideas for the new rule changes include:

  • Requiring secure authentication of a customer before wireless providers transfer a phone number to a new SIM card or different carrier
  • Immediate notification from wireless providers to their customers if there has been a request for a SIM change on their account
  • 24-hour delay in SIM swap requests while the wireless provider requests verification from the customer through email, text message, the carrier’s app, or other channels
  • Training for customer service reps to recognize and prevent SIM swap fraud and respond to customers who are victims of SIM swapping

 

Currently, the FCC is considering these options and asking for public comment on the proposed rules before finalizing and proposing the regulations formally for a vote. It is unclear when these rules will be officially implemented.  In the meantime, it is important to take the steps you can to protect yourself from SIM swapping attacks.

 

How Can I Protect Myself from a SIM Swapping Attack?

You can take the following steps to help protect your phone from a SIM swapping attack:

  • PIN: Make sure you set up a PIN to access your account with your Wireless Provider. An attacker can be stopped if they cannot figure out your PIN.  You may also be able to set up a PIN specifically for your SIM card.
  • Multi-Factor Authentication (MFA): Use authentication apps instead of regular text messages for two-factor authentication. This will make it harder for hackers to intercept authentication information.
  • Set up a call back with your Wireless Provider so that they will call you back if there was a SIM change request or if they believe someone might be tampering with your account to confirm whether or not it was you.

 

How Can I Protect My Personal Information Online?

As discussed above, a SIM swapping attack can only be done if the attacker gets ahold of enough of your personal information to successfully con your wireless carrier.  You can prevent becoming a victim of SIM swapping fraud by protecting your personal information.

The following tips can help you protect your personal information online:

  • Set up Multi-Factor Authentication (MFA) on all of your accounts that support it.
  • Purchase a secure password manager like LastPass or 1Password to generate secure passwords and store them securely.
  • Do not click on pop-up ads as they may contain malware or spyware or take you to unsafe websites.
  • If your browser warns you about a website, leave the site immediately and do not click on any links on the page.
  • Do not download attachments unless you know who they are from.
  • Do not click on strange links, especially links from a source that you do not know or trust.
  • Watch out for scams in which someone poses as a financial institution that you have an account with to get access to sensitive data.
  • Be careful of what personal information you share on social media as hackers will look for information that may be useful to them to figure out your password and answer security questions.

 

What Should I Do if My Phone is SIM Swapped?

If you are the victim of SIM swapping fraud, you can take the following steps to get your information back and regain control of your accounts:

  • Call your Wireless Provider and ask them to deactivate the hacker’s SIM card and transfer service back to your phone. After doing this, change all of your passwords, enable Multi-Factor Authentication (MFA), and set up a PIN with the Wireless Provider.
  • Look for and report any unusual activity on your bank accounts, credit cards, and other financial accounts.
  • Call the Social Security Administration if your Social Security number has been stolen.
  • Talk to a class action law firm like Anderson + Wanca about filing a data breach lawsuit.
  • Freeze your credit reports. For detailed information please visit: https://www.nerdwallet.com/article/finance/how-to-freeze-credit

 

Data Breach Lawsuits and Legal Assistance from Anderson +Wanca

The attorneys of Anderson + Wanca can provide victims of data breaches such as SIM swapping attacks with legal assistance.  We can handle the legal claims and investigations related to your case as well as class action lawsuits. Our attorneys will explore all of your legal options to get financial reimbursement.

If you are the victim of a SIM swapping attack, contact our class action attorneys at Anderson +Wanca by submitting a contact form or calling (855) 827-2329 for a free consultation.