A SIM Swap Scam, also known as SIM swapping fraud, SIM card swapping fraud, or SIM hijacking, occurs when a fraudster transfers a victim's mobile phone number from their current SIM card to a different one under the attacker's control. This fraud method is used to perpetrate identity theft and can lead to compromised bank accounts or hacked social media profiles.
SIM swap scams netted criminals $68 million in 2021 alone, according to the FBI, which reported more than 1,611 complaints in 2022. From 2018 to 2020, the FBI reports, victims suffered $12 million in losses. SIM swapping is not limited to the United States; it is a global problem.
To initiate a SIM swap, the attacker typically must first gather personal information about the victim, such as their full name, date of birth, address, and other details, through various means such as social engineering, phishing, or data breaches, which are explained below.
With the personal data, the scammer then contacts the victim's mobile network provider and impersonates the victim, claiming that they have lost their phone or SIM card and need to transfer their number to a new SIM card. The attacker may provide stolen personal information to convince the provider to initiate the transfer. Alternatively, law enforcement has also documented multiple instances of phone carrier employees initiating illegal SIM swaps in exchange for bribes.
Once the mobile carrier (such as Verizon, T-Mobile, or AT&T) believes the attacker's claims and transfers the victim's phone number to the new SIM card, the attacker gains control over the victim's phone number. This enables them to intercept calls, text messages (most crucially those containing OTPs), and other communications sent to the victim's phone number.
SIM swapping scams are a serious security threat as they allow attackers to take over a victim's digital identity, compromise their accounts, and conduct financial fraud or other malicious activities.
What is a SIM card?
To understand the workings of a SIM swap, one must first understand what a SIM card is.
A SIM card, which stands for Subscriber Identity Module, is a small electronic chip that is used in mobile devices, such as smartphones, tablets, and some other connected devices. It is essentially a portable memory chip that securely stores information used to identify and authenticate a subscriber on a mobile network.
The primary purpose of a SIM card is to establish a connection between the mobile device and the cellular network provider. It contains data such as the subscriber's unique identification number, authentication keys, network authorization data, and other relevant information. This data is essential for the network to recognize and authenticate the subscriber, allowing them to access voice, messaging, and data services.
When a SIM card is inserted into a compatible device and activated, it allows the device to connect to a specific cellular network. This enables the individual to make calls, send messages, and access the internet using the network's services. SIM cards also enable features like roaming, which allows subscribers to use their devices on other compatible networks when traveling internationally.
What is an eSIM (embedded SIM card)?
Today, SIM cards are undergoing a major change. They’re going digital.
An eSIM (embedded SIM card) acts just like the physical SIM card described above but it is fully digital. There are a few downsides to physical SIM cards that the eSIM addresses.
1. Flexibility and convenience: With eSIM, users can switch between mobile network operators without the need to physically change SIM cards, which requires a paperclip, a decent amount of dexterity, and a modicum of patience.
2. Space-saving and device design: eSIM eliminates the need for a SIM card slot in devices, freeing up space for other components. This allows for even lighter and thinner phones.
3. Multiple profiles and dual-SIM capability: eSIM technology allows devices to support multiple profiles or virtual SIMs simultaneously. This means users can have multiple phone numbers or accounts on a single device, enabling features like dual-SIM functionality without the need for a physical dual-SIM card slot.
4. Remote provisioning and activation: eSIMs can be remotely provisioned and activated by mobile network operators. This means users can activate or switch to a new network operator without needing to visit a store or wait for a physical SIM card to be delivered. The provisioning process can be done over the air (OTA), making it faster and more convenient.
5. Enhanced security: eSIMs can offer improved security compared to physical SIM cards. Since the SIM card information is stored directly on the device's hardware or firmware, it is more resistant to physical tampering or unauthorized SIM swapping. This can help protect against SIM card-related fraud or attacks.
6. Environmental impact: eSIM reduces the consumption of physical SIM cards, which in turn reduces electronic waste. The elimination of physical SIM cards and their packaging contributes to a more sustainable approach to mobile connectivity.
So what can businesses do today to stop Account Takeovers?
To prevent ATOs, companies need to secure OTPs by analyzing, in real time, the trust level of a transaction through phone number intelligence and associated trust indicators. Enter Prove’s Trust Score+™. Trust Score+ leverages phone number signals from the core telephony infrastructure, proprietary data sources, and Prove’s 15+ years of phone data to identify risks based on the history of that phone number. It also pulls in Mobile Network Operator (MNO)/carrier data to track risky phone number behavior in real time during high-risk events (e.g., money movement, password changes, and phone number updates) in order to detect account takeover risk and identify device theft, unauthorized SIM swaps and ports, and more.
Keep reading for more critical information about SIM Swaps and how to prevent them.
How do fraudsters collect the necessary data to commit SIM Swap Fraud?
To initiate a SIM swap, a fraudster must first collect personal data about the victim. Fraudsters collect the necessary data to commit SIM Swap Fraud using three primary strategies: social engineering, phishing attacks, and data breaches. We’ll explore each of these categories below.
What is social engineering?
Social engineering is a method used by fraudsters to manipulate and deceive victims into divulging sensitive information, performing certain actions, or granting unauthorized access to systems or resources. It relies on psychological manipulation and exploiting human behavior rather than technical means. The primary goal of social engineering is to gain unauthorized access, steal information, or facilitate other malicious activities. Phishing is a common form of social engineering.
What is Phishing?
In this type of attack, fraudsters send out an email that appears to be legitimate but is designed to collect sensitive data such as login credentials or credit card information. To borrow from the fishing analogy, the fraudsters cast out a wide net and the victims who fall for the scam are the fish. Many phishing email messages are made to appear as if they have been sent from senior management, legal, or law enforcement. This form of cyberattack includes seemingly authentic email delivery failure notifications (usually with a link), scanned documents, or package delivery notices. During this time of COVID-19, there has been a significant spike in phishing attempts through emails claiming to be from WHO, CDC, and other government bodies.
What is a data breach?
A data breach refers to an incident where unauthorized individuals gain access to sensitive, confidential, or protected data belonging to individuals, organizations, or systems. It involves the unauthorized acquisition, disclosure, or use of data by individuals or groups who do not have legitimate access rights to that information. Data breaches can occur in various forms and may target personal, financial, or corporate data. The consumer information stolen from a data breach can be used by the fraudster to commit SIM Swap fraud or sold on the dark web.
Social engineering, data breaches, and phishing provide scammers with the information necessary to conduct a fraudulent SIM swap. But why do SIM swaps exist in the first place? Keep reading to find out.
What is the legitimate purpose of SIM swapping?
Adding to the complexity of SIM swap fraud is the fact that in many cases, SIM swaps are a legitimate method of allowing mobile users to keep their phone numbers but switch devices. Many people request legitimate SIM swaps after they upgrade their mobile device to the latest model, replace a lost or stolen mobile device, or when they are traveling internationally and want to change mobile carriers.
Here are the general steps to request a SIM swap:
1. Contact your mobile network operator: Reach out to your mobile carrier’s customer support or visit their nearest store. You can typically find their contact information on their website or your monthly bill.
2. Verify your identity: Be prepared to provide identification and account verification information to confirm your identity. This may include details such as your full name, mobile number, address, and any other information such as a security question required by your operator's security procedures.
3. Explain the reason for the SIM swap: Communicate the reason for your SIM swap, whether it's a lost or damaged SIM card, device upgrade, network migration, or another legitimate purpose.
4. Follow the operator's instructions: The operator will guide you through the process and provide specific instructions on how to proceed. This may include filling out forms, providing additional documentation if required, or visiting a store in person.
5. Activate the new SIM card: Once you have received the new SIM card from your operator, you will typically need to activate it. Follow the provided instructions, which may involve inserting the new SIM card into your device and following any on-screen prompts or dialing a specific activation number.
6. Test the new SIM card: After activation, ensure that your new SIM card is working correctly. Make a test call, send a text message, and verify that you have access to data services if applicable.
What is the Difference between SIM Swapping and Porting Attacks?
Porting and SIM swaps (i.e. SIM jacking) are often used interchangeably; although they are very similar concepts, there are a few important differences.
While SIM swaps allow a consumer to switch devices but keep their phone number, porting allows the consumer to keep their device but switch service providers (e.g., AT&T or Verizon).
The main thing to remember, however, is that both SIM swapping and porting are often the first steps to account takeover fraud.
How does SIM swapping lead to Account Takeover Fraud?
If you’re like most people, you are probably wondering why anyone would go through all this trouble just to intercept your phone calls and read your SMS. For the most part, fraudsters aren’t all that interested in reading that text message sent from your best friend. What they’re really looking for are one-time passcodes (OTPs). With a one-time passcode, fraudsters can gain entry into a victim’s online banking accounts or any other online account that utilizes 2-factor authentication (2FA).
What is 2-factor authentication (2FA) and how does it fuel SIM swapping?
Two-factor authentication is ubiquitous in today’s digital landscape. Accessing social media accounts, bank accounts, financial institution accounts, and cryptocurrency accounts almost always requires some form of two-factor authentication.
Two-factor authentication (2FA) pairs two forms of credentials to make digital interactions more secure. For example, 2FA might pair ‘something you know’ (your username & password) with ‘something you have’ (your phone). To complete a possession check (‘something you have’), companies often send out a one-time passcode or OTP.
One factor frequently used in two-factor authentication is the one-time passcode.
What is a one-time passcode (OTP)?
The one-time passcode (OTP) is a frequently used credential that verifies a user’s identity using the mobile phone. The one-time passcode (OTP) is sent via SMS to the user’s mobile device. At Prove, we call this ‘running a possession check.’
When a customer first creates an account, they enter their phone number. Later, when they log in or complete a high-risk transaction, a series of random digits is texted to their phone. This is an OTP. To continue, the customer must enter the OTP that was texted to them. With SIM swap attacks, fraudsters can intercept the OTP and gain access to the victim’s bank accounts, social media profiles, financial institutions, cryptocurrency accounts, etc. In just a few minutes, a skilled fraudster can drain a victim’s life savings, open a credit card under the victim’s name, etc.
What are the telltale signs that you’re a victim of fraudulent SIM Swapping?
Detecting SIM swap fraud can be challenging, as it often happens without the victim's immediate knowledge. However, there are a handful of important signs of SIM swap fraud. Here are a few warning signs to watch out for:
1. Sudden loss of cellular service: If your phone suddenly loses service or displays a "No Service" message when you usually have good network coverage, it could be an indication that your SIM card has been swapped.
2. Inability to make or receive calls or messages: If you are unable to make or receive calls, send text messages, or access mobile data despite having a functioning device, it might be a result of a SIM card swap.
3. Unusual text messages or emails: Keep an eye out for unexpected text messages or emails from your mobile service provider, bank, or other online accounts stating that changes have been made to your account, such as a SIM card replacement or phone number update. These notifications may indicate fraudulent activity.
4. Disruption in online account access: If you suddenly find yourself locked out of your online accounts, such as email, social media, or financial services, and you did not initiate any password changes or account modifications, it could be a sign that a SIM swap has occurred.
5. Unfamiliar calls or messages: If you receive calls or messages from unknown contacts asking about unusual account activities, password resets, or authentication codes, it could be an indication that someone is attempting to gain unauthorized access to your accounts.
6. Unauthorized transactions or account changes: Monitor your bank statements and online accounts for any unauthorized transactions, password changes, or modifications to personal information. These actions may indicate that someone has gained control of your accounts through a SIM swap.
7. Unexpected account deactivation or notifications: If you receive notifications that your accounts have been deactivated or closed, and you did not initiate these actions, a fraudster may have performed a SIM swap to take control of your accounts.
If you notice any of these signs or suspect that you may be a victim of SIM swap fraud, it is crucial to take immediate action. Contact your mobile service provider, inform them of the situation, and ask them to investigate any unauthorized SIM card changes. Additionally, change your account passwords, enable additional security measures, and closely monitor your financial and online accounts for any further suspicious activity.
What is the best way for consumers to protect against SIM swap fraud?
One of the easiest but most effective ways to protect yourself against SIM swap fraud is to contact your mobile carrier and inquire about setting up a unique PIN or password that is required for any changes to your account, including SIM card swaps. Choose a strong and secure PIN, and avoid using easily guessable information like your birthdate or phone number. Of course, no security measure is 100% effective, so SIM swaps are always possible.
If a SIM swap still takes place, there are a few important steps the consumer can take to limit the type of fraud they will be exposed to:
- Contact your service provider and let them know you want a secure identity solution like the ones offered by Prove. In the meantime, follow the best practices below.
- Use strong and unique passwords: Create strong and unique passwords for all your online accounts, including email, banking, and social media. Avoid using easily guessable information such as your birthdate or common words. Consider using a password manager to securely store and generate strong passwords.
- Enable two-factor authentication (2FA): Although two-factor authentication can have security vulnerabilities, it is still useful. Implement two-factor authentication for your online accounts whenever possible. Instead of relying solely on SMS-based verification, choose app-based authentication or hardware tokens if given the option.
- Be cautious with sharing personal information: Be mindful of the personal information you share online or over the phone. Fraudsters often gather information from social media profiles, phishing emails, or social engineering techniques. Avoid sharing sensitive details unnecessarily.
- Be wary of unsolicited communications: Be cautious of unsolicited calls, emails, or text messages requesting personal information or login credentials. Verify the legitimacy of such requests independently before providing any sensitive information.
- Monitor your accounts regularly: Keep a close eye on your bank statements, mobile bills, and other financial accounts. Regularly review transactions and look for any suspicious activities, unexpected charges, or changes in account information. Report any discrepancies to your service provider immediately.
- Be cautious of public Wi-Fi networks: Avoid using public Wi-Fi networks, especially for accessing sensitive accounts or conducting financial transactions. Public Wi-Fi networks can be insecure, making it easier for attackers to intercept data.
- Update your devices and apps: Keep your mobile devices, operating systems, and apps up to date with the latest security patches. Regular updates help protect against known vulnerabilities that fraudsters might exploit.
By following these measures, consumers can significantly enhance their protection against SIM swap fraud and reduce the likelihood of falling victim to such scams. However, it's important to remember that no security measure is foolproof, and remaining vigilant and proactive is crucial to maintaining online security.
What is the best way for companies to stop Account Takeovers resulting from SIM Swap Fraud?
Companies play a critical role in preventing fraudsters from stealing OTPs and accessing victims’ accounts. Today, leading banks, financial institutions, and companies from almost every industry are leveraging Prove’s Trust Score to avoid sending those critical OTPs to bad actors. Here’s how it works:
To prevent Account Takeover (ATO) incidents, companies can enhance security measures by implementing the real-time analysis of One-Time Passwords (OTPs) with the help of phone number intelligence and associated trust indicators. One effective solution is Trust Score+™, which utilizes a combination of phone number signals derived from telephony infrastructure, proprietary data sources, and Prove's extensive phone data spanning over 15 years.
By leveraging this information, Trust Score+™ can assess the risk level associated with a specific phone number based on its historical behavior. It also incorporates real-time data from Mobile Network Operators (MNOs)/carriers to identify potentially risky phone number activities during high-risk events like money transfers, password changes, and phone number updates. Consequently, it enables the detection of account takeover risks, device thefts, unauthorized SIM swaps, and other fraudulent activities.
A phone number that has recently been targeted in a porting attack would receive a lower Trust Score and would not be eligible to receive OTPs. Today, Trust Score is widely recognized as an essential tool for organizations issuing OTPs, providing them with an additional layer of protection against ATO incidents.
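The gating idea described above, as an added example that is not Prove's code or API: before texting an OTP, the service checks how recently the number had a SIM change or port and withholds SMS delivery when that change is too fresh for the risk of the event. The `PhoneSignals` fields, the event identifiers (including `login`), and the 24-hour and 7-day windows are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Decision(Enum):
    SEND_SMS_OTP = "send_sms_otp"
    STEP_UP_NON_SMS = "step_up_non_sms"    # e.g. authenticator app or hardware token
    BLOCK_AND_REVIEW = "block_and_review"


@dataclass(frozen=True)
class PhoneSignals:
    """Hypothetical carrier-derived signals for one phone number."""
    last_sim_change: Optional[datetime]  # None: no SIM change on record
    last_port: Optional[datetime]        # None: no port on record
    available: bool = True               # False: the lookup failed or timed out


# High-risk events named in the article; any other event is treated as routine.
HIGH_RISK_EVENTS = {"money_movement", "password_change", "phone_number_update"}
# Assumed policy windows, not vendor or carrier values.
FRESH_WINDOW = timedelta(hours=24)
HIGH_RISK_WINDOW = timedelta(days=7)


def otp_decision(event: str, signals: PhoneSignals, now: datetime) -> Decision:
    """Decide whether an SMS OTP may be sent to this number for this event."""
    high_risk = event in HIGH_RISK_EVENTS
    if not signals.available:
        # Fail closed only where the damage is large; routine logins still work.
        return Decision.STEP_UP_NON_SMS if high_risk else Decision.SEND_SMS_OTP
    changes = [t for t in (signals.last_sim_change, signals.last_port)
               if t is not None]
    if not changes:
        return Decision.SEND_SMS_OTP
    age = now - max(changes)             # time since the most recent swap or port
    if age < timedelta(0):
        # A change dated in the future is bad data; do not rely on SMS.
        return Decision.STEP_UP_NON_SMS
    if age <= FRESH_WINDOW:
        return Decision.BLOCK_AND_REVIEW if high_risk else Decision.STEP_UP_NON_SMS
    if high_risk and age <= HIGH_RISK_WINDOW:
        return Decision.STEP_UP_NON_SMS
    return Decision.SEND_SMS_OTP


# Constructed sample data (not real carrier output).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SWAPPED_2H_AGO = PhoneSignals(NOW - timedelta(hours=2), None)
PORTED_3D_AGO = PhoneSignals(None, NOW - timedelta(days=3))
STABLE_NUMBER = PhoneSignals(NOW - timedelta(days=90), None)
LOOKUP_FAILED = PhoneSignals(None, None, available=False)

if __name__ == "__main__":
    samples = [("swapped 2h ago", SWAPPED_2H_AGO), ("ported 3d ago", PORTED_3D_AGO),
               ("stable", STABLE_NUMBER), ("lookup failed", LOOKUP_FAILED)]
    for name, sig in samples:
        for event in ("login", "money_movement"):
            print(f"{name:15} {event:15} -> {otp_decision(event, sig, NOW).value}")
```

The same number gets a different answer depending on the event: a swap two hours old blocks a money movement outright but only forces a non-SMS factor for a routine login.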
Conclusion: SIM Cards, SIM Swapping, and the Rise of Identity Theft.
Fraudsters have weaponized a legitimate tool, the SIM Swap, to break into online accounts that are protected by two-factor authentication. Scammers are using stolen information to fool mobile carriers into SIM swapping. After SIM swapping (aka SIM jacking) an account, fraudsters will request and intercept OTPs from a victim’s bank accounts, cryptocurrency accounts, and social media profiles. They will go on to gain access to the online accounts, steal all funds as quickly as possible, and then perpetrate additional forms of identity theft like taking out a new credit card or loan. While there are some steps that individuals can and should take to prevent SIM swaps from occurring, the onus is on financial institutions, banks, and companies to fortify their two-factor authentication systems by leveraging phone-centric technology before issuing any OTP.