The FBI says a criminal scheme involving mobile phones and wireless providers intensified in 2021, leading to tens of millions of dollars in losses. It's called SIM swapping.
SIM stands for Subscriber Identity Module. The general public may know it in terms of the SIM card that is in their smartphone.
How much has it grown? For the three year period from 2018 through 2020, people made 320 SIM swapping complaints adding up to losses of $12 million, the FBI said. In 2021 alone, that rose to 1,611 complaints and $68 million lost.
Why is SIM swapping dangerous?
Ever send a "forgot password" or "account recovery" request and have a two-factor authentication response sent back to your phone?
If a criminal pulls off a successful SIM swap, then the victim's calls, texts and data are sent to the criminal's own mobile device. Then, the scammer can send those requests and have the authentication sent back to their own phone.
The crook could potentially access the victim's accounts. They can go in and change passwords to gain control of the accounts.
It can even happen to tech-savvy people like Tony Pietrocola, president and co-founder of cybersecurity firm AgileBlue.
"It was a zombie phone. It was on, I could see all my stuff. But I couldn't make a call, couldn't text, couldn't go to the internet," he told WKYC last year.
How do criminals pull off SIM swapping?
Here are three common ways, according to the FBI.
- Criminals will act as a mobile phone customer (the victim of the scheme) and trick the mobile carrier company into switching the victim's mobile number to that of a SIM card the criminal has.
- The criminal uses an insider threat to conduct SIM swap schemes and pays off a mobile carrier employee to switch the victim's mobile number to the criminal's SIM card.
- The criminal may use phishing techniques, such as sending a malicious link via an email, to trick employees into downloading malware. The criminal can then hack the mobile carrier system and do the SIM swap.
How do I protect myself from SIM swapping?
Here are tips from the FBI.
- Limit what you reveal about yourself on social media and other online forums.
- Don't advertise about your financial assets, including investments in cryptocurrency.
- Don't post your phone number, address or other personal identifying information.
- It's a long-standing rule, but still holds true: Don't use the same password for multiple accounts.
- Many phones have ways you can easily store your passwords or usernames for quick logins. Don't use these features.
- If someone contacts you and asks for your mobile phone account information, especially your password or PIN, don't give it. Hang up, look up the number for your carrier and call them directly.
- If possible, use extra multi-factor authentication methods like biometrics, physical security tokens or standalone authentication apps.
What do I do if I think I'm a SIM swapping victim?
- Call your mobile carrier immediately to get your phone number back.
- Go into your online accounts and change your passwords.
- Contact financial institutions and place an alert on your accounts.
- Contact the police or your local FBI field office and report the activity to the FBI's Internet Crime Complaint Center.
The FBI is also urging mobile carriers to train up employees on SIM swapping and phishing scams and set strict rules for verifying customer credentials.
