A SIM swap scam, aka SIM swapping, SIM jacking, or SIM
hijacking, is when a criminal steals someone’s mobile phone number by tricking the
victim’s cell phone provider into transferring the number to a SIM card that is
in the criminal’s possession.
After the number has been transferred, the criminal can insert the SIM card into their phone and use it to access the victim’s online accounts by bypassing two-step verification.
How do SIM swap scams work?
Here is a breakdown of what happens during a SIM swap scam:
- The criminal contacts your mobile phone carrier and pretends to be you.
- Most commonly, the criminal will say that their phone and SIM card (your phone and SIM card) has been lost or destroyed and that your mobile phone number needs to be transferred to the new SIM card that they already have.
- After the criminal has convinced the customer service representative that their bogus story is legitimate, your mobile phone number will be transferred to their SIM card.
- The criminal inserts the SIM that is now linked to your phone number into their phone and uses it to bypass the SMS-based two-factor authentication of your online accounts. Because two-step verification is used during “forgot password” and “account recovery” requests, it means the criminal can take over any online accounts linked to your phone number and reset their passwords with no issue.
How to stay protected from SIM swap scams
According to IDCare, a not for profit organisation that supports victims of identity theft, in 2021 there were more than 850 reports of SIM swap scam with almost $3 million in losses.
It is recommended people take the following precautions to stay protected from SIM swapping scams:
- Never post information about your financial assets (including cryptocurrency) anywhere on the internet
- If you receive a phone call from someone requesting information relating to your mobile phone number or provider account, do not give it. If you believe the call may be from your mobile phone provider, contact its customer service department directly
- Avoid sharing personal information (including your mobile phone number) online
- Use a strong and unique password for every online account
- Watch out for any changes in SMS-based connectivity
- Use strong multi-factor authentication methods like biometrics (fingerprints, iris patterns, for example), standalone authentication apps, and physical security tokens
- Never store passwords, usernames, or other personal information that could be used to log in or hack into your online accounts on mobile device apps
How criminals get personal data
Wondering how a criminal would even get their hands on the personal information needed to pull off a SIM swap scam in the first place? It’s no secret — they most often get it from data leaks. Trend Micro ID Security will check if your personal information has been leaked on to the Dark Web so you can take corrective action. Learn more here.
Think you might be a victim of SIM swapping?
If so, follow these steps:
- Get in touch with your telco provider for help regaining control of your phone number.
- Change the passwords to all your online accounts
- Contact your financial institutions so they can watch out for any suspicious activity with your accounts
- Report any suspicious activity to local police, ASIC or ACCC’s Scamwatch.