SIM-swapping attacks are 15 times more likely today than just a couple of years ago, the FBI warned in a new public service announcement last week.
In all of 2018, 2019 and 2020, the bureau said, its Internet Crime Complaint Center (IC3) "received 320 complaints related to SIM-swapping incidents with adjusted losses of approximately $12 million," which comes to about 107 complaints and $4 million lost each year.
By contrast, the FBI said, "in 2021, IC3 received 1,611 SIM-swapping complaints with adjusted losses of more than $68 million."
What SIM swapping is
SIM swapping involves crooks persuading, bribing or tricking wireless-carrier tech-support staffers into transferring phone numbers from a victim's mobile SIM card to a SIM card in their possession.
Malware injected into a carrier's computer networks can also pull this off, the FBI noted, and information stolen from carriers in data breaches can also be used.
Technically, SIM swaps are different from port-out scams, in which tech-support personnel at a second wireless carrier are bribed or tricked into "porting" the mobile number from the victim's carrier. A few weeks ago, the news broke that crooks had ported out about 6,000 numbers from TracFone, Straight Talk and other low-cost prepaid carriers.
But the end result is the same. As the FBI put it, "the victim's calls, texts and other data are diverted to the criminal's device."
"This access allows criminals to send 'Forgot Password' or 'Account Recovery' requests to the victim's email and other online accounts associated with the victim's mobile telephone number," the bureau added.
... and why SIM swapping is such a big problem
In an ideal world, if you were a victim of SIM-swapping or a port-out scam, you would be cut off from your wireless carrier's network for a little while until you could persuade the carrier to switch the number back to you.
Unfortunately, phone numbers are now (wrongly) used by online companies as a means of verifying customer identity. If someone has control of your phone number for only a few hours, then they can use it to hijack many of your online accounts.
"Using SMS-based two-factor authentication, mobile application providers send a link or one-time passcode via text to the victim's number, now owned by the criminal, to access accounts," the FBI PSA said. "The criminal uses the codes to login and reset passwords, gaining control of online accounts associated with the victim's phone profile."
If someone has your phone number, they can leverage it to take over your webmail accounts and your social-media accounts, which is bad enough. But the real target is where the money is: your online bank accounts and, especially, any cryptocurrency accounts you may have. Millions of dollars in cryptocurrency have been stolen as the result of SIM-swap and port-out attacks.
How to protect yourself from SIM-swapping attacks
Like Social Security numbers, mobile phone numbers were never meant to be used as a means of identification. Yet that's what they have become.
In the long run, either the online companies using phone numbers as ID will find another way of verifying identity, or the wireless carriers will stop treating phone numbers as disposable tokens that can easily be moved between devices or individuals.
While we wait, here's what you can do to protect yourself.
- Don't brag about how much money you have, especially on social media
- Don't give the password or PIN to your mobile account to anyone who calls or texts pretending to be tech support. Call the carrier yourself to see if there's really anything wrong
- Don't put your mobile phone number online
- Don't reuse passwords among online accounts. Use one of the best password managers instead
- Don't use SMS-based two-factor authentication to protect an online account if there's a stronger 2FA option available. Authenticator apps, physical security keys or biometric identifiers such as fingerprint or face readers are all safer than SMS text messages
What to do if you're a victim of SIM swapping
Unfortunately, you can't totally prevent SIM swapping yourself because the ultimate power lies with wireless-carrier personnel. Even someone who's taken all the precautions above can still become a victim.
Here's what to do if it happens to you.
- Contact your mobile carrier immediately to try to regain your number. You may need to provide a lot of information to verify your identity
- Change your passwords on all your online accounts. Again, password managers will help
- Tell the banks and all other online financial institutions where you have money (including cryptocurrency exchanges) that your accounts are at risk of being hijacked
- Place a fraud alert on your credit files, or go a step further and set up a credit freeze
- Report anything suspicious to the local police or to the local FBI field office
- Report what happened to the FBI's Internet Crime Complaint Center
- Consider paying for one of the best identity-theft-protection services