Your smartphone mysteriously goes dead, and you call your service provider only to learn that someone purchased and activated a new iPhone under your account. A fraudster pretended to be you, alleged that your phone was lost and started fresh with your number and any mobile banking, credit cards and other accounts tied to it.
The SIM-swapping scam has been around for about five years, but the number of cases in the U.S. is growing, experts warn.
In January 2016, 2,658 SIM-swapping reports were filed with the Federal Trade Commission, representing 6.3 percent of all identity theft complaints filed with the agency. That’s up from 1,038 SIM-swap fraud reports and 3.2 percent of total identity theft reports in January 2013.
“While 6 percent may not seem like a lot, it’s increasing,” says FTC chief technologist Lorrie Cranor. “And these are just people who report to the FTC. We know not everyone reports this to us, so these numbers are just the tip of the iceberg,” she adds.
SIM-swapping scams come with major repercussions – fraudsters with your phone’s SIM card can gain access to bank accounts, credit cards and the tools needed to get and abuse more credit under your name.
What are SIM-swapping scams?
The SIM-swapping scam is a two-step process, says John Breyault, vice president of public policy in telecommunications and fraud at Fraud.org.
For starters, identity thieves pull together the information they need to convince your wireless provider that they’re you. It’s as simple as gathering your name, Social Security number, street address and your employer.
They can get this information through a phishing scam via email or by pretending to be your service provider and asking you to verify your identity.
With a fake identity in tow, they head to your wireless service provider’s storefront, pretending “their” phone was lost or damaged and needs replacement.
“In every cellphone, you have what’s called a SIM or subscriber identity module – a little chip,” says Breyault. Fraudsters who pulled enough information to convince your wireless carrier that they're you “pick out a new phone, get a new SIM, and that SIM is encoded with your information.”
Suddenly, your phone goes dead, and you’re on the hook for a new phone charged to your account.
The scam doesn’t stop with getting the phone, though.
To complete this more sophisticated fraud, fraudsters can collect the login credentials to your online financial accounts and use their control of your phone number to bypass multi-factor authentication protections that rely on text messages or calls.
“A savvy identity thief who wants to attack your bank account will know all texts going to your phone,” Breyault says.
With your phone, the fraudster can “bypass two-step authentication. They have access to your credit card, they can transfer funds, sign up for credit cards,” he says. “That’s worrisome.”
How prevalent are SIM-swapping scams?
Cranor herself was a SIM-swap fraud victim. Earlier this summer, her cellphone went dead.
“I assumed it was bad coverage or something – until the next morning, I realized my husband’s phone wasn’t working either,” Cranor says.
She called their service provider to learn that someone claiming to be her had purchased two new iPhones with new SIM cards that were activated.
Later, she learned that the fraudsters had walked into a store in Ohio with a fake ID with her name and photo in hand, hundreds of miles from where she lived, and charged the new phones to her account.
Cleaning up the mess was a tedious process: Her service provider refunded the cost of the new phones, she and her husband had to get new SIM cards, and she had to argue to have charges removed for upgraded features and insurance on the devices the fraudsters had tacked on her bill.
That's all minor compared to some of the reports she's seen filed with the federal government’s identitytheft.gov website. Some people didn’t know their SIM card had been swapped until their bank accounts were drained, or they got a call from their credit card company the next day flagging irregular spending.
‘They even hijacked my iPad’
Dena Haritos Tsamitis, director of Carnegie Mellon University’s Information Networking Institute, didn’t notice her phone went dead as she hurried from meeting to meeting at work one day in March.
When she called her service provider, she learned that someone impersonating her had upgraded her account and purchased two new iPhones.
A SIM-swapping scam “wasn’t on my radar at all,” she says. “We’re so focused on people getting into online accounts, but this is a traditional case of someone using false credentials in a store,” she says.
“They even hijacked my iPad,” she says. “I felt completely violated, and wondered why it was me and how I got picked.”
To get her digital life back, Haritos Tsamitis had to get a new phone and new SIM card. She also signed up for – and paid out of pocket for – a credit freeze and credit monitoring in case fraudsters were trying to open accounts in her name.
SIM-swapping fraud arrives in the U.S.
SIM-swapping scams first surfaced in Australia about five years ago, says Rodger Desai, chief executive officer of PayFone, a New York City-based mobile security authentication company. Then cases started popping up in Europe, and early in 2016 several news stories focused on the fraud.
In the U.S., SIM-swapping fraud “is very, very hot right now.”
To stop the scam, PayFone uses algorithms to check the authenticity of a transaction, Desai says.
If you’re calling the bank to open a new account, or you’re transferring funds on your phone, as examples, more than 400 factors are analyzed to assess your riskiness before the transaction is approved. If you’ve just activated a new phone, received a new number, or any other anomalies pop up, they’re flagged, and the transaction won’t be processed.
“Most of the time nothing has changed – you haven’t lost your device, or your address is the same,” he says. All of this “happens in real time because fraud happens so quickly.”
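The checks Desai describes amount to treating the phone number as a trustworthy second factor only while nothing about the line has recently changed. The following is an added illustration of that idea, not PayFone's code or its 400-factor model: it assumes the bank can look up a few carrier-side signals (recent SIM activation, number change, address change, lost-line flag; the field names and the three-day window are constructed for the example) and decides whether to allow, step up, or deny a transaction.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Assumption: the bank's risk engine can query the carrier for these signals
# (a "SIM change / port-out" lookup). The field names are invented for this
# example; a real integration would map them to the carrier's own API.
@dataclass
class LineSignals:
    sim_activated_at: Optional[datetime]     # most recent SIM/device activation
    number_changed_at: Optional[datetime]    # most recent number change or port
    address_changed_at: Optional[datetime]   # most recent billing-address change
    reported_lost: bool                      # line currently flagged lost/stolen

@dataclass
class Transaction:
    kind: str                  # "login", "transfer", "open_account"
    requested_at: datetime
    uses_sms_otp: bool = False # will an SMS code be sent to the number?

@dataclass
class Decision:
    action: str                # "allow", "step_up", "deny"
    reasons: List[str]

# Constructed thresholds: how long after a change the line is treated as
# untrusted. Tune these to real fraud data, not to this example.
SIM_CHANGE_COOLDOWN = timedelta(days=3)
ADDRESS_CHANGE_COOLDOWN = timedelta(days=14)
HIGH_VALUE_KINDS = {"transfer", "open_account"}

def _within(ts: Optional[datetime], now: datetime, window: timedelta) -> bool:
    """True if ts is set and lies in the last `window` before now."""
    return ts is not None and timedelta(0) <= now - ts <= window

def assess(tx: Transaction, line: LineSignals) -> Decision:
    """Decide how to treat tx given the carrier-side state of the phone line.

    A line reported lost is denied outright: an SMS code would reach whoever
    holds the replacement SIM. A recently activated SIM or changed number makes
    SMS codes untrustworthy, so anything relying on them is stepped up to a
    non-SMS channel (app push, call-back, in person). Any other recent change on
    a high-value action is also stepped up; otherwise the transaction is allowed
    and the reasons are kept for logging.
    """
    reasons: List[str] = []
    if line.reported_lost:
        reasons.append("line_reported_lost")
    if _within(line.sim_activated_at, tx.requested_at, SIM_CHANGE_COOLDOWN):
        reasons.append("sim_activated_recently")
    if _within(line.number_changed_at, tx.requested_at, SIM_CHANGE_COOLDOWN):
        reasons.append("number_changed_recently")
    if _within(line.address_changed_at, tx.requested_at, ADDRESS_CHANGE_COOLDOWN):
        reasons.append("address_changed_recently")

    if line.reported_lost:
        return Decision("deny", reasons)
    phone_unstable = ("sim_activated_recently" in reasons
                      or "number_changed_recently" in reasons)
    if phone_unstable and tx.uses_sms_otp:
        return Decision("step_up", reasons)
    if reasons and tx.kind in HIGH_VALUE_KINDS:
        return Decision("step_up", reasons)
    return Decision("allow", reasons)

if __name__ == "__main__":
    # Constructed scenario: the SIM was activated 20 hours before a transfer.
    now = datetime(2016, 8, 1, 12, 0)
    swapped = LineSignals(now - timedelta(hours=20), None, None, False)
    print(assess(Transaction("transfer", now, uses_sms_otp=True), swapped))
```

The point of the structure is that the SMS channel itself is the thing being risk-scored: a correct one-time code proves nothing if the number was re-homed to a new SIM yesterday, so the decision has to come from signals the fraudster cannot produce by holding the phone.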
Desai watched as the mobile phone number’s importance took off in the past few years. It suddenly became the master key to get into accounts, such as email, DropBox and bank accounts.
“We saw banks relying on [two-step authentication] to confirm identity, but it’s a very poor system,” he says. “It’s very trivial how easy it is to take over someone’s phone number.”
What’s being done to reduce the risk of fraud
To stem SIM-swapping fraud, Sprint, T-Mobile, AT&T and Verizon have adopted PINs, passcodes and passwords to better protect customer cellphone accounts.
- AT&T now requires customers to provide a passcode before any online, phone or in-store interaction. The passcode can be turned on online via the customer’s account or through the myAT&T app.
- Sprint customers must set up a PIN and security questions.
- Verizon requires customers to set up a PIN either through their online profile, by calling customer service or when visiting a Verizon store.
- T-Mobile users can create a customer care password on their accounts, and setup can be done in store or over the phone.
As mobile phone users, you have to do your part, too.
While you may have set up a PIN with your service provider, you’re still on the hook to watch out for phishing attacks, security experts say.
Always diligently check your credit card and phone statements, and if your phone mysteriously loses its signal or turns to “no network” or “emergency calls only,” contact your service provider immediately if restarting your device doesn’t help.
In the event fraudsters have swapped your SIM and purchased new phones, Cranor and Haritos Tsamitis urge fellow victims to file a police report and a complaint with the FTC, identitytheft.gov and fraud.org.
Before this happened to Cranor, the privacy and security expert hadn’t even heard of a SIM-swapping scam. Now she’s making awareness – and provider security precautions – a priority. She even wrote a blog post on the FTC website about her experience.
One problem, Cranor says, is “people who work in phone stores aren’t trained to scrutinize driver’s licenses. There are tools that are available that could help them do a better job, but they aren’t provided.”
Something as simple as texting or calling her before putting through the fraudster’s order for new phones would have verified whether her phone was indeed lost, she says.
“If they had texted or called me, I would’ve responded, and this wouldn’t have happened,” Cranor says.
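The two safeguards the article's sources point to, an account PIN before any change and a text or call to the number still in service before a replacement SIM goes live, fit together into one carrier-side flow. The code below is an added sketch of that flow, not any carrier's system: it models a toy "SIM desk" whose class and method names are invented for the example, hashes the PIN so a leaked account table does not expose it, and refuses to activate the new SIM until the subscriber answers a one-time code sent to the old one. The outbox list stands in for the SMS gateway.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed for the example: a minimal carrier "SIM desk" that requires the
# account PIN and then an out-of-band confirmation to the SIM still in
# service before a replacement SIM is activated. No real carrier API is used.

def hash_pin(pin: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 so the stored value cannot be reversed into the PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

@dataclass
class Line:
    number: str
    active_sim: str            # identifier of the SIM currently in service
    pin_salt: bytes
    pin_hash: bytes
    failed_pin_attempts: int = 0

@dataclass
class SimDesk:
    # Messages "sent" to the number; each goes to the SIM that is still live.
    outbox: List[Tuple[str, str]] = field(default_factory=list)
    # number -> (one-time code, SIM waiting to be activated)
    pending: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)
    max_pin_attempts: int = 3

    def request_swap(self, line: Line, pin_attempt: str, new_sim: str) -> str:
        """Step 1: the account PIN gates the request; a correct PIN only
        triggers a confirmation to the existing SIM, never the swap itself."""
        if line.failed_pin_attempts >= self.max_pin_attempts:
            self.audit.append(f"{line.number}: locked, needs manual review")
            return "locked"
        if not hmac.compare_digest(hash_pin(pin_attempt, line.pin_salt), line.pin_hash):
            line.failed_pin_attempts += 1
            self.audit.append(f"{line.number}: bad PIN on swap request")
            return "rejected"
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[line.number] = (code, new_sim)
        self.outbox.append((line.number,
            f"Reply with code {code} to approve a replacement SIM. "
            "If this wasn't you, call us."))
        return "confirmation_sent"

    def confirm_swap(self, line: Line, code_from_subscriber: str) -> str:
        """Step 2: only the holder of the current SIM can read the code, so
        a matching reply is what finally moves the number to the new SIM."""
        entry = self.pending.get(line.number)
        if entry is None:
            return "no_pending_request"
        code, new_sim = entry
        if not hmac.compare_digest(code, code_from_subscriber):
            self.audit.append(f"{line.number}: wrong confirmation code")
            return "rejected"
        del self.pending[line.number]
        old_sim, line.active_sim = line.active_sim, new_sim
        self.audit.append(f"{line.number}: SIM {old_sim} -> {new_sim}")
        return "swapped"

    def cancel_swap(self, line: Line) -> str:
        """The subscriber got the text and says it wasn't them."""
        if line.number in self.pending:
            del self.pending[line.number]
            self.audit.append(f"{line.number}: swap cancelled by subscriber, fraud flag")
            return "cancelled"
        return "no_pending_request"

if __name__ == "__main__":
    salt = b"constructed-salt"   # per-account random salt in practice
    line = Line("+15550100", "SIM-OLD", salt, hash_pin("4821", salt))
    desk = SimDesk()
    print(desk.request_swap(line, "4821", "SIM-NEW"))   # confirmation_sent
    print(desk.cancel_swap(line), line.active_sim)       # cancelled SIM-OLD
```

If the existing SIM never answers, the right fallback is a hold period and an in-person check with proper ID scrutiny, not a default approval: the silence of the old SIM is exactly the case where the request is most likely to be an impostor's.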