SIM Swap Fraud Is Growing

In the middle of the day your cell phone mysteriously goes dead.  Later on, when you call the cell phone carrier, you find out that someone else pretending to be you has visited a store and claimed to have lost your phone.  Customer service agents moved your mobile number to a new SIM card on a new phone, and using your phone and other personal information gathered earlier through phishing scams or social engineering, have used the phone to help empty your bank account.

The SIM is the Subscriber Identity Module, and confirms your identity to the cell phone network. SIM cloning and SIM swapping allow an attacker to use your phone and all of the applications and data that is stored on your phone.

Acquiring your phone is  the last step in a longer campaign that started with a series of phishing emails designed to trick you out of your user IDs and passwords on as many services as they could get.  This may have included collecting answers to the secret questions used to reset passwords or confirm your identity to a customer service agent.  Having the phone allows them to intercept the 2FA codes that are sent to your phone, which is the last step in logging into something like your bank account.  This usually gives the attacker access to other important accounts, including your social networks and email account.  Email account hijacking has unfortunate outcomes of its own.

SIM swap fraud has been on the rise lately.  U.S. Fair Trade Commission reports that there were 1,038 reported incidents of SIM swap identity theft in January 2013.  Three years later by January 2016, that number had increased to 2,658.  To protect yourself from this scam there are steps you can take to make hijacking your cell phone account harder.

  • Be alert for phishing exploits – Do not click on links in emails.  Use extra care when receiving emails from vendors that require you to log into your account or enter personal information into a web page form.  Make sure the web address for the web page you are on makes sense for the web site.
  • Use computer and smartphone anti-malware – A good anti-malware app should keep surveillance exploits such as keyloggers off of your phone and computer.
  • Change the answers to your knowledge-based questions – We all have given supposedly “secret” answers to questions such as “what is the name of your high school” or “what was the color of your first car.”   These answers are used to verify our identity when resetting a password or calling a customer service agent.  Truthful answers are easy to research using the Internet.  Making up untrue or bogus answers and recording them in your password manager is one way to keep the SIM scammers from guessing or finding the answers online.
  • Set up extra security on your cell phone account.
    • Verizon allows you to create a PIN that is required to verify your identity when calling customer service or visiting a store.
    • Sprint uses a PIN coupled with questions and answers.
    • T-Mobile uses a special PIN used when calling customer service.
    • AT&T requires the use of a passcode to identity you to a customer service agent

More information:


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Pratitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speakers at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.