What is a SIM-swapping attack and how do you protect against it?

The latest headlines from our reporters across the US sent straight to your inbox each weekday

Your briefing on the latest headlines from across the US

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy policy

The FBI is warning about a massive increase in so-called “SIM-swap” attacks, where criminals find ways to divert victims’ phone numbers onto a SIM card under their control.

Last year, the FBI’s Internet Crime Complaint Center (IC3) got more than 1,600 complaints of SIM-swapping, a more than 15 times increase over previous years, according to a recent FBI public service announcement. The scams caused more than $68m in losses to victims in 2021.

“Once the SIM is swapped, the victim’s calls, texts, and other data are diverted to the criminal’s device. This access allows criminals to send ‘Forgot Password’ or ‘Account Recovery’ requests to the victim’s email and other online accounts associated with the victim’s mobile telephone number,” the FBI wrote in its PSA.

The SIM-swappers then use these links to take control of accounts linked to the phone number, including banking apps and cryptocurrency wallets.

Hackers and other criminals have a number of ways of taking control of a phone number, from using phishing techniques to infect a victim with malware, to bribing or tricking wireless carrier employees to hand over the phone numbers. Scammers can also exploit information that’s been taken during data breaches at mobile carriers, according to the FBI.

Fraudsters have also taken to a similar scam in recent years, involving opening up an account with a new cell phone carrier, then persuading the victim’s original carrier to “port out” the number to the new account.

Roughly 6,000 accounts were recently ported out from TracFone, Straight Talk, and other low-cost prepaid carriers.

The FBI says there are a number of ways of guarding against such schemes.

Mobile phone users shouldn’t attract undue interest to themselves by bragging about how much money or crypto they spend, nor should they give their password or PIN to anyone representing themselves as a customer service agent unless they are sure the request is coming directly from their phone company.

Other basic pieces of cyber etiquette help, too, including refraining from putting one’s phone number online and avoiding reusing passwords.

Consumers are also advised to opt for authenticator apps, physical security keys, or biometric identifiers in lieu of mobile-based two-factor authentication if possible.

Victims of SIM-swap attacks are encouraged to immediately contact their mobile carrier and law enforcement, as well as change the passwords on all their online accounts and notify their financial institutions of the potential breach.

Last year the Federal Communications Commission said it is working on rules to combat SIM swaps.

“The FCC has received numerous complaints from consumers who have suffered significant distress, inconvenience, and financial harm as a result of SIM-swapping and port-out fraud,” the commission said at the time. “In addition, recent data breaches have exposed customer information that could potentially make it easier to pull off these kinds of attacks.”