In a SIM swap scam, criminals effectively take over your phone number — allowing them to intercept your text messages and bypass two-factor authentication. We've seen identity thieves use this scheme to gain entry to our members' financial accounts, social media profiles, cryptocurrency wallets, and more. Here's what you need to know to protect yourself.
Almost every American owns a cell phone, and for many of us, they function as keys to our digital lives.
It’s common for our phones to contain highly sensitive personal information — including login credentials. If you've enabled two-factor authentication, you probably also use your phone to verify your identity in order to access certain accounts.
Fraudsters know this, and they've devised a type of fraud to take advantage of it.
In a SIM swap scam, criminals hijack the SIM cards that most cell phones contain. If the scheme is successful, any incoming texts or calls may be rerouted from a victim’s device to a fraudster’s device.
“Once a scammer has access to your SIM card, it can be difficult to take back control of your phone number,” says Kelli Starks, Senior Restoration Specialist at Allstate Identity Protection. “What’s more, the criminal may now have access to personal information that could be used to steal your identity.”
Let's take a closer look at how SIM swap schemes work, and what you can do to avoid them.
What does a SIM card do?
A SIM card, or subscriber identity module, is a memory chip inside some cell phones that stores important information, including the phone number associated with the device.
This small piece of hardware is important; it ties your phone number to your specific mobile network, which allows you to make and receive calls, send text messages, and connect to the internet.
SIM cards have been around since 1991 — and are still used today. In fact, the three major wireless carriers in the U.S. (AT&T, T-Mobile, and Verizon) use SIM cards to tie phones to their cellular networks.
Some newer devices use eSIMs, which are digital versions of physical SIM cards.
There are times when you may have to legitimately switch your SIM card from one device to another, like when you lose your phone or upgrade to a new model. Whenever you do, all the data stored on that SIM card is carried over to the new device.
However, other times, thieves take advantage of this capability and perform a SIM swap attack.
What is SIM swapping?
You may think that the only way a criminal could get access to your SIM card is by physically stealing your phone.
And while that’s one way the theft might play out, the Federal Bureau of Investigation (FBI) warns that SIM swap scams are increasingly happening remotely.
So, even as some companies begin to make a switch from physical SIM cards to eSIM cards, it doesn't mean that SIM swapping will be a thing of the past.
Here’s how we’ve seen the scheme carried out from a distance: A scammer pretends to be you and calls your wireless provider claiming that your phone is lost. Once the customer service representative is convinced by this bogus story, the representative may shut down your SIM card and transfer all data stored there to the fraudster's SIM card. From then on, any calls or texts to your phone would be sent directly to the thief, giving them full control of your phone number.
Another way criminals pull off a SIM swap? The FBI says that thieves may send phishing messages to phone company employees that trick them into downloading malware used to carry out the SIM swap.
Other times, fraudsters may even bribe phone company employees to make phony SIM swaps on their behalf, so the employees are actually in on the scam.
How does this affect SIM swap victims?
No matter the method, this means that your number is now in the hands of the scammer, because the SIM card is what identifies your phone to your cell network.
"If your mobile device is set up as your two-factor verification method, the thief may be able to access your important accounts," says Starks.
For instance, if they know your email address and where you bank, they can use the "Forgot Password" link and get the authorization code sent to your phone number — which they now have access to. They could then change your password and lock you out of your account.
Here are some additional examples of what a scammer can do with this level of access:
Drain money from your bank accounts
Open new accounts in your name
Buy new phones using your personal information
Starks recalls an instance where a member even lost crypto due to a SIM swap — which shows that no account is totally safe. “We've seen criminals get into accounts like Coinbase, a cryptocurrency company, as a result of a SIM swap. Once they do, they typically completely drain the account. In this particular case, the funds can be hard to recover because crypto is not currently considered official U.S. currency.”
Previously, SIM cards held your contacts and texts as well. The majority of modern phones, however, now store this data in cloud storage or on the device itself.
The best way to check what's stored in your SIM card is to buy a SIM card reader.
In 2021, the FBI announced that SIM swap schemes cost consumers $68 million — which is $56 million more than the amount reported from January 2018 to December 2020.
Given this, it’s more important than ever to be prepared and know how to prevent a SIM swap.
How to prevent SIM swapping
The FBI isn’t the only government organization aware of this issue.
In 2021, the Federal Communications Commission (FCC) proposed rules to prevent SIM swapping — and if approved, wireless carriers may be required to adopt additional security methods before redirecting phone numbers to new devices.
Still, hackers have proven that they are capable of bypassing the safeguards companies put in place, so you should always have personal security measures in place to ensure your safety.
Try these simple tips:
Use biometrics or a security key as your two-factor authentication (2FA) verification method. 2FA — or multi-factor authentication — will always add a layer of security that goes beyond a password alone. But if text messages are your verification method, know that they’re more likely to be intercepted during a SIM swap. On the other hand, biometric authentication (which relies on unique characteristics, checked with facial recognition or fingerprint scanners) and security keys (which require a physical key that looks like a flash drive to be inserted or tapped against your device) could be more effective methods.
Turn on any additional security measures that your wireless account offers. Many major cell phone carriers now let you add a verification code or “PIN” to your account. So if a hacker calls your phone company pretending to be you, they'd have one more hurdle to clear: guessing the unique PIN associated with your account. Contact your wireless service provider to find out if they offer this feature, and enable it if available.
Know the signs of phishing. Phishing emails, texts, and calls are often used by scammers to obtain personal information that can help them "prove" to phone companies that they are you. This can make the scam especially convincing and help the fraudster sneak through unseen. Never give out your personal information to someone who reaches out to you out of the blue. Also, avoid oversharing online — especially on social media.
How to tell if your SIM card has been fraudulently swapped
If you suddenly and mysteriously lose cell service, consider it a major tell that your SIM card has been hijacked.
In addition, you might receive security alerts that your login credentials have been changed or that a log-in attempt has been made from an unusual location.
If you’ve spotted one of these red flags, stay calm and follow these next steps:
Contact your cellular service provider immediately and report the possible hack
Closely monitor your checking, savings, and credit card accounts for any suspicious activity
Give us a call if you’re an Allstate Identity Protection member. We can help keep a close eye on your identity and provide tips on what to do moving forward.