UPDATE: Secure Your Number to Reduce SIM Swap Scams
It starts when bad guys find a person to target who has valuable accounts that are accessible online. What kind of accounts? The crooks could be interested in draining a financial account or taking over a social media account with a large following.
To do this, they want to take control of your phone to get past the extra authentication that may be an added layer of protection for your online accounts. With that protection turned on, nobody (not even you) can get into your account without receiving a one-time PIN via text or call.
The code is delivered to your phone, so the bad guys want the phone! They physically can’t get it unless they take it from your pocket. So, they try a “SIM swap,” which lets them transfer your phone number onto their device.
If they take over the phone number, the authentication text or call comes to their device, not yours.
Here’s how the scheme works:
Once the bad guys decide you are a target, they do some homework. They try to gather information about you, like email, home address, phone numbers, social media accounts and the financial institutions you use. They sometimes do this through phishing attacks, where you click on a suspicious link and get a virus on your computer or device. But they sometimes can get much of the information with simple internet searches.
A bad guy wants this information so he can pretend to be you when he contacts your phone carrier. He’ll ask to turn on a SIM card that he has and swap it with the one currently in your phone. If he’s successful, this means your number is now on the bad guy’s phone, and he can receive your text messages and your calls. He can intercept those authentication texts or calls from your bank, credit-card issuer or other companies, and get access to your online accounts.
You may not know this has happened until your mobile device suddenly loses service. Then, you may not be able to get into important accounts online, because the bad guy has changed your passwords and your account profile details. You can lose money, and the bad guy now has access to more of your personal information.
While this scam tends to target high-profile individuals, it could happen to anyone.
The measures you take to secure your phone number can be key to protecting your identity. Not all hacks are preventable, but here are a few tips to help avoid the SIM swap scam and other phone hijacking attacks such as porting.
- Be careful about sharing your phone number. Be selective in what number you share with the companies you do business with, and limit how often you share it with others. This includes social media, email and websites. Be selective about listing the number you use to authenticate your accounts in telephone lists and directories.
- Add all “extra security” measures to your AT&T Wireless accounts. If you create a unique passcode on your AT&T account, in most cases we’ll require you to provide that passcode before any changes can be made, including ports initiated through another carrier. Follow this link for more information.
- Keep your personal email inbox clean. Delete phone bills, bank statements and other emails that may include personal information. If your email account is compromised, this will help minimize the chance hackers can get sensitive information.
- Don’t share personal information online. Don’t post information on social media that could be used by the bad guys to gain access to your accounts. This includes answers to security questions, legal names and dates of birth.
- Refresh yourself on our Cyber Aware tips to protect yourself online.
If you believe your SIM card has been swapped without your consent, report it to your carrier right away using the contact information on your bill.