SIM Swap Fraud Is Growing

In the middle of the day your cell phone mysteriously goes dead.  Later on, when you call the cell phone carrier, you find out that someone else pretending to be you has visited a store and claimed to have lost your phone.  Customer service agents moved your mobile number to a new SIM card on a new phone, and using your phone and other personal information gathered earlier through phishing scams or social engineering, have used the phone to help empty your bank account.

The SIM is the Subscriber Identity Module, and confirms your identity to the cell phone network. SIM cloning and SIM swapping allow an attacker to use your phone and all of the applications and data that is stored on your phone.

Acquiring your phone is  the last step in a longer campaign that started with a series of phishing emails designed to trick you out of your user IDs and passwords on as many services as they could get.  This may have included collecting answers to the secret questions used to reset passwords or confirm your identity to a customer service agent.  Having the phone allows them to intercept the 2FA codes that are sent to your phone, which is the last step in logging into something like your bank account.  This usually gives the attacker access to other important accounts, including your social networks and email account.  Email account hijacking has unfortunate outcomes of its own.

SIM swap fraud has been on the rise lately.  U.S. Fair Trade Commission reports that there were 1,038 reported incidents of SIM swap identity theft in January 2013.  Three years later by January 2016, that number had increased to 2,658.  To protect yourself from this scam there are steps you can take to make hijacking your cell phone account harder.

  • Be alert for phishing exploits – Do not click on links in emails.  Use extra care when receiving emails from vendors that require you to log into your account or enter personal information into a web page form.  Make sure the web address for the web page you are on makes sense for the web site.
  • Use computer and smartphone anti-malware – A good anti-malware app should keep surveillance exploits such as keyloggers off of your phone and computer.
  • Change the answers to your knowledge-based questions – We all have given supposedly “secret” answers to questions such as “what is the name of your high school” or “what was the color of your first car.”   These answers are used to verify our identity when resetting a password or calling a customer service agent.  Truthful answers are easy to research using the Internet.  Making up untrue or bogus answers and recording them in your password manager is one way to keep the SIM scammers from guessing or finding the answers online.
  • Set up extra security on your cell phone account.
    • Verizon allows you to create a PIN that is required to verify your identity when calling customer service or visiting a store.
    • Sprint uses a PIN coupled with questions and answers.
    • T-Mobile uses a special PIN used when calling customer service.
    • AT&T requires the use of a passcode to identity you to a customer service agent

More information:


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Owner of the WyzCo Group Inc. In addition to consulting on security products and services, Bob also conducts security audits, compliance audits, vulnerability assessments and penetration tests. Bob also teaches Cybersecurity Awareness Training classes. Bob works as an instruction for CompTIA’s non-profit IT-Ready Program in the Twin Cities. IT-Ready is a tuition free 8-week program designed to teach students of all ages the fundamentals of IT support to prepare them for an entry level position in Information Technology Support. Graduates of the classes take the exams to become CompTIA A+ certified. Bob is a frequent speaker at conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. Bob has been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.