It’s a tiny plastic card in your phone—and a potential gateway for cybercriminals waiting to lay claim to your device: Let’s put the spotlight on SIM cards and the scary scam that is ‘SIM swapping’. Once fraudsters control your SIM card, they’ve taken virtual ownership of your phone. They can receive calls, texts, and even account verification codes (thankfully, data like photos or apps aren’t affected!). Don’t just imagine the damage this could do—get proactive about your online security with Avira Free Security. It helps protect against malware, phishing attempts, online fraud, and more.
What is SIM swap fraud?
You probably thought you’d heard it all when it came to hacking attempts. You’d never click on an unknown attachment that could be laced with malware like ransomware—or fall for even the most cunning phishing attempt that sounds exactly like it came from your bank. Yet many of us haven’t heard of a diabolical scam that leaves your phone under a hacker’s control, even if it never leaves your hands: Beware the attack of the SIM swaps, which sounds like a plot for a Marvel comic but is a very real mobile threat indeed.
But first, back to the very beginning: To understand SIM swapping, you’ll need to know what a SIM card is. If you yelled “subscriber identity module” you’d be spot on and can skip this paragraph. A SIM is a tiny card that contains an identifying chip. This contains the data needed to grant you permission to make/receive calls and send texts. No SIM, no calls. Without it, you’d only be able to use your phone’s built-in tools, like the camera, as well as Wi-Fi enabled activities like surfing the web.
During a SIM swapping scam, the fraudster impersonates the victim to convince the mobile phone carrier to transfer the victim’s phone number to the scammer’s own SIM card. When the scammer has control over the mobile phone number, they wield all the power that comes with it, including access to many aspects of their target’s digital life, such as online accounts. Thankfully, hackers can’t get hold of data on the phone, such as photos, as a SIM swap only affects services linked to the device network. You might not mind calls, messages, and voicemails from your mum ending up in third-party hands but imagine more dire consequences, like a scammer intercepting codes for two-factor authentication (2FA), or one-time password messages. What might they post on your social media feeds and what havoc could they wreak if they gained access to online accounts, sensitive business information, and your financial data?
To protect against SIM swapping, all the usual measures apply, but we’ll discuss these at length later: Use strong, unique passwords for all your online accounts, enable additional security measures like app-based authentication, and be extra cautious about sharing personal information with unknown individuals. Some mobile phone providers offer additional security features such as PIN codes or passphrases that must be provided before any changes can be made to an account. And obviously, your passphrase isn’t easily guessable because it’s not based on personal information you’ve shared (RIGHT?).
No matter how proud you may be of your latest high-end device, it’s important to remember that no phone is immune to SIM swapping. If it has a SIM card, it’s a possible target. Beyond ‘just’ SIM swaps, smartphones are popular for many types of hacking as they’re a treasure trove of personal details and accessibility. From exploits to phishing attempts, cybercriminals use many methods to hack phones.
Now let’s explore the steps scammers typically take to gain control of the tiny, mighty chip card that rules our mobile worlds.
How does SIM swapping work? Understanding the scammers’ process
Round 1: Patience and research skills. Cybercriminals identify potential victims by obtaining sensitive personal information. This can be found via data brokers, data breaches, or simply by trawling dark web marketplaces where personally identifiable information is as readily available as bananas in most supermarkets. Some hackers also use spyware software (to monitor you online and harvest your data), as well as phishing emails, which might claim to be from your smartphone provider and ask you to provide personal information like your name and birthdate. Another popular technique for data-gathering is called ‘smishing’. This SMS form of phishing uses text messages sent by hackers pretending to represent legitimate companies. Block and delete them! Social media research is also a useful tool, and we give cybercriminals a helping hand by posting personal details in our social media profiles. Is your mother’s maiden name or your first car the answer to a security question, for example?
Round 2: Impersonation. Armed with personal details, the scammer can now contact the victim’s mobile phone provider and pretend to be the legitimate owner of that SIM card. They’ll use the personal information they stole previously to try and bypass security checks. “Hi, this is John Smith speaking, and I’ve lost my phone/it’s been damaged/been stolen” are popular opening lines for identity theft. They then ask the customer service representative to activate a new SIM card in the scammer’s possession. This transfers (‘ports’) the hapless victim’s telephone number to the SIM card in the cybercriminal’s device. Once this request has been completed, phone calls and texts intended for the legitimate owner of that phone will end up with the fraudster instead. Their work is done. Your problems are just beginning.
Did you know that SIM swap scams have resulted in some high-profile hacks? In 2019, former Twitter CEO, Jack Dorsey’s, Twitter account was taken over in this way and the perpetrators posted racist and sexist remarks. In 2020, a lawsuit was filed against an 18-year-old high school senior from New York who was accused of swindling digital currency investor Michael Terpin of nearly $24 million in 2018. The hacker was just 15 years old at the time of the crime and used data stolen from smartphones by SIM swaps!
Is SIM swapping always illegal?
It’s important to remember that SIM swapping is intended to be a legitimate practice but only if it occurs between consenting parties. The account holder might want to swap their SIM card to grant someone else access to their smartphone information, for example, but usually, they’ll be looking to change their SIM because they’re upgrading their device or travelling to another country. It’s when a third party gains unwanted access to an unsuspecting person’s phone for criminal purposes, that it becomes a SIM swap scam or fraud—also known as a ‘port-out scam’, ‘simjacking’ (SIM hijacking), and ‘SIM splitting’.
Recognising the signs of SIM swapping fraud
There’s a silver lining as SIM swaps are usually easy to identify. Look out for the following warning signs and act fast:
- You can’t make calls or send texts: It could mean that scammers have deactivated your SIM and are now using your phone number. Your service provider can confirm whether a swap has occurred or there is simply a temporary problem.
- You receive notifications of unknown activity: In the early stages of a SIM swap, you might receive texts or calls about a change to your service. Contact your service provider immediately to find out what actions have been taken.
- You lose access to online accounts: Can you suddenly not log in to your bank accounts, social media profiles, or emails? They may have been taken over and the login details changed. Here’s essential reading on what to do if your email account has been hacked. Here’s how to get your hacked WhatsApp account back.
- Your social media accounts show strange new posts or other changes: If you know you didn’t update your social media profile, and your account shows pictures, comments, or posts that you aren’t responsible for, a SIM-jacking scammer may be at work. If possible, log in to change your password. Take these steps fast if your social media account has been hacked.
- Unexpected transactions show up: Suspicious transactions on bank or credit card account statements? Orders on Amazon you didn’t place? This could be another symptom of SIM swapping. Contact the service providers immediately and see this guide if your Amazon account has been hacked.
How to deal with SIM swap fraud
If you suspect that something is wrong, act quickly! The longer you wait, the greater the impact the attacker is likely to have, so this isn’t the time for a calming cup of tea. Contact your mobile phone provider immediately to investigate the incident, recover control, and find out how the swap occurred in the first place. Also, call any financial organisations to review unexpected transactions and access issues. And whoever you speak to, it’s a good idea to make this a habit: Request a reference number for your call and keep a log so you can record any actions that were promised in case of future disputes. Don’t be afraid to double check as mistakes can happen! Make sure that the incident you have raised has been correctly recorded—you can even call back and check.
Speaking of raising the alarm… how will you make those important calls if your device is out of order? Be prepared and consider having a backup phone that you can use if you’ve lost signal due to a SIM swap scam.
If you’re in England, Wales, or Northern Ireland you should report all cybercrime to Action Fraud. In Scotland, contact Police Scotland by phoning 101 and see Cyber Scotland for helpful resources and cyber-services information.
Is the future SIM-card free and can eSIMS help prevent SIM swaps?
Are the days of the physical SIM card numbered? Phone manufacturers (led by Apple) are swiftly marching towards embedded SIMs or ‘eSIMS’. These come pre-installed so they can’t be inserted or removed. They make setting up a new phone a doddle and it’s also easier to switch to a different network as you won’t need to physically change the card. You’ll never have to hunt for that pesky SIM ‘ejector’ tool again! There are downsides too. If your handset stops working, you can’t quickly whip out the SIM and use it in another phone. If you travel abroad often, you may regularly switch SIM cards in your phone, and an eSIM makes this more difficult. Love them or hate them, the most recent smartphones and wearables come with eSIMs, including the iPhone (iPhone XR and later) Samsung Galaxy, and Google Pixel.
Yet does the move to embedded SIMs help prevent SIM swap fraud? Scammers often claim that they’ve lost or damaged their SIM card, to get the number ported to another card. If a phone has no removable SIM card, this excuse won’t be plausible. Sadly, eSIMs can’t eliminate SIM swapping scams entirely because the phone number associated with an eSIM can still be transferred to another eSIM-capable device. If a scammer is able to exploit vulnerabilities in the authentication processes of a mobile network, they can still successfully launch a SIM swap attack regardless of the type of SIM that’s being swiped.
The five steps to helping prevent SIM swap scams
Don’t declare your phone a palm-sized security hazard and bin it! No one wants to go without a phone. Instead, take these steps to help minimise SIM swap attacks.
- Follow the basic rules of online safety: Be alert and think (at least) twice before clicking on a link, opening an attachment, or downloading a file. Be very wary of emails requesting sensitive personal data and always double–check the sender. Service providers will not ask account owners to provide these details via email, so they’re most likely phishing emails and need to be blocked and deleted.
- Ask for callbacks: Some banks or mobile service providers offer this service. If they need to make changes to your account, ask them to call the number registered with the account to proceed. This can help stop a SIM swap fraud that’s in process!
- Don’t use a phone number to authenticate accounts: Always choose two-factor authentication if it’s available but opt for a secure app instead of a phone number. This links the authentication process to your physical device and not just its phone number. Unless a scammer has stolen your phone, they won’t be able to intercept your authentication messages—and in the event of a SIM swap, they’ll have access to fewer accounts.
- Choose multiple layers of security for phone accounts: Most phone companies let account holders set passwords, PIN codes, and security questions to help enhance security. Ensure that these measures are in place so it’s much more difficult for an authorised person to gain access and make changes. Never reuse a password across multiple accounts and ensure it’s a complex and random mix of upper- and lower-case letters, numbers, and symbols. Free Avira Password Manager helps create, store, and manage complex passwords for all your online accounts.
- Make the most of biometrics: Technical innovation lets us scan our faces, fingerprints, and sometimes even irises to verify our identity. Set this up wherever possible to safeguard access to your phone, when downloading software, etc.
- Post minimal personal information in social media accounts: Whether it’s your mother’s maiden name, your first pet or your birth date, avoid divulging any information that could help a cybercriminal gain access to your online accounts.
See here for a quick round-up on how to help keep your smartphone safer from malware and cybercriminals.
Stay safer from online scams, malware, and more
Remember that, regardless of your device, cybercriminals are always finding new vulnerabilities to exploit. There are many different types of hackers, and those with illegal and malicious intent are termed ‘black hat hackers’. To help keep even the most sophisticated online attacks at bay, reputable online security is essential. Avira Free Security for Windows and Free Security for Mac combines multiple tools, including Antivirus, VPN, Password Manager, and more into a single, convenient solution for greater privacy, performance, and protection. For mobile devices, there’s Avira Free Security for Android and Avira Mobile Security for iOS. Both use multiple layers to help protect you from web-based dangers.