What is a SIM-swapping attack and how do you protect against it?

Scams caused over $68m in losses last year

Josh Marcus
San Francisco
Tuesday 15 February 2022 17:12 GMT

The FBI is warning about a massive increase in so-called “SIM-swap” attacks, where criminals find ways to divert victims’ phone numbers onto a SIM card under their control.

Last year, the FBI’s Internet Crime Complaint Center (IC3) received more than 1,600 complaints of SIM-swapping, a more than 15-fold increase over previous years, according to a recent FBI public service announcement. The scams caused more than $68m in losses to victims in 2021.

“Once the SIM is swapped, the victim’s calls, texts, and other data are diverted to the criminal’s device. This access allows criminals to send ‘Forgot Password’ or ‘Account Recovery’ requests to the victim’s email and other online accounts associated with the victim’s mobile telephone number,” the FBI wrote in its PSA.

The SIM-swappers then use these links to take control of accounts linked to the phone number, including banking apps and cryptocurrency wallets.

Hackers and other criminals have a number of ways of taking control of a phone number, from using phishing techniques to infect a victim with malware, to bribing or tricking wireless carrier employees to hand over the phone numbers. Scammers can also exploit information that’s been taken during data breaches at mobile carriers, according to the FBI.

Fraudsters have also taken to a similar scam in recent years, involving opening up an account with a new cell phone carrier, then persuading the victim’s original carrier to “port out” the number to the new account.

Roughly 6,000 accounts were recently ported out from TracFone, Straight Talk, and other low-cost prepaid carriers.

The FBI says there are a number of ways of guarding against such schemes.

Mobile phone users shouldn’t attract undue interest to themselves by bragging about how much money or crypto they spend, nor should they give their password or PIN to anyone representing themselves as a customer service agent unless they are sure the request is coming directly from their phone company.

Other basic pieces of cyber etiquette help, too, including refraining from putting one’s phone number online and avoiding reusing passwords.

Consumers are also advised to opt for authenticator apps, physical security keys, or biometric identifiers in lieu of mobile-based two-factor authentication if possible.

Victims of SIM-swap attacks are encouraged to immediately contact their mobile carrier and law enforcement, as well as change the passwords on all their online accounts and notify their financial institutions of the potential breach.

Last year the Federal Communications Commission said it is working on rules to combat SIM swaps.

“The FCC has received numerous complaints from consumers who have suffered significant distress, inconvenience, and financial harm as a result of SIM-swapping and port-out fraud,” the commission said at the time. “In addition, recent data breaches have exposed customer information that could potentially make it easier to pull off these kinds of attacks.”
