How would you feel if one day you turned on your phone, and it said, “No data. No SIM card.” Suddenly, you can’t check new emails, send or receive texts, or make a phone call.
What’s happened? Your information has been stolen in what’s known as a SIM swap scam. It can happen to anyone who owns a smartphone–and people who own crypto are a particular target, thanks to the irreversible nature of cryptocurrency transfers.
SIM card swap fraud is on the rise, the FBI reports. While the Bureau received 320 complaints about unauthorized SIM swaps from 2018 through 2020, SIM-swapping fraud complaints soared to over 1,600 in 2021 alone. The amount stolen also skyrocketed, from thefts worth $12 million for 2018-20 to losses valued at over $68 million in 2021.
What is a SIM swap and how do criminals exploit this to steal your crypto, fiat, and other assets? Here’s our guide to how SIM swap fraud works, plus a list of steps you can take to keep your phone and your financial accounts safe.
What is a SIM card?
SIM stands for Subscriber Identity Module. Smartphones require a SIM card in order to send texts or send and receive calls. While early SIMs were physical cards you could remove from your phone and insert in another phone, some more recent phones have an embedded or eSIM.
Whether it’s embedded or not, the SIM holds important personal data and permissions for that phone’s owner. It’s what enables you to accept and place phone calls and to send and receive texts.
How does a SIM swapping scam work?
Also known as “porting out,” SIM swapping involves transferring stored information from one SIM card to another. SIM card swapping can be done for legitimate reasons by the actual owner of a SIM card, such as when you buy a new phone and transfer your data to the new model. The SIM card in the older phone would then be erased.
In a SIM swap scam, an attacker gets hold of enough private information to successfully pose as you or someone close to you, such as a spouse. They convince your mobile carrier to port out your data to a new SIM card–one they control. Your SIM card gets blanked.
The attacker now controls your phone number. From there, the attacker need only click “lost password” on all your financial accounts to reset those passwords. Even if you have two-factor authentication (2FA) set up, the attacker can intercept the one-time codes if they are sent by email, voice, or text.
Once your passwords are reset, the attacker has full access, and you’re locked out of your accounts. At this point, the thief can drain your accounts via wire transfers, move your coins into crypto mixers, or execute other moves that empty your accounts while concealing their identity.
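To see how far one hijacked number reaches, the added example below (not part of the original article) models the reset chain just described and lists every account that falls once the attacker receives your texts and calls. The account names, the inventory format, and the rule that a reset still requires the login second factor are assumptions made for illustration.

```python
"""Added example: which accounts fall after a SIM swap (constructed inventory)."""

# Channels delivered to whoever holds the phone number.
PHONE_CHANNELS = {"sms", "voice"}

# Hypothetical accounts. reset_via: channels that can reset the password
# (any one suffices). second_factor: channel demanded at login, or None.
# "email:<name>" means a code or link sent to that mailbox account.
ACCOUNTS = {
    "mailbox":  {"reset_via": ["sms"],           "second_factor": "sms"},
    "bank":     {"reset_via": ["email:mailbox"], "second_factor": "voice"},
    "exchange": {"reset_via": ["email:mailbox"], "second_factor": "totp"},
    "broker":   {"reset_via": ["email:mailbox"], "second_factor": None},
}

def controls(channel, taken):
    """True if the holder of the swapped number can receive on this channel."""
    if channel in PHONE_CHANNELS:
        return True
    if channel.startswith("email:"):
        return channel.split(":", 1)[1] in taken
    return False  # authenticator app, biometrics: stay on the victim's device

def sim_swap_exposure(accounts):
    """Return {account: reset channel used} for every account that falls."""
    taken = {}
    changed = True
    while changed:  # repeat until no new account falls (fixed point)
        changed = False
        for name, acct in accounts.items():
            if name in taken:
                continue
            reset = next((c for c in acct["reset_via"] if controls(c, taken)), None)
            second = acct["second_factor"]
            if reset and (second is None or controls(second, taken)):
                taken[name] = reset
                changed = True
    return taken

if __name__ == "__main__":
    for name, channel in sim_swap_exposure(ACCOUNTS).items():
        print(f"{name}: password reset via {channel}")
```

In this constructed inventory, changing only the mailbox's second factor from text message to an authenticator app leaves nothing exposed, because every other reset path runs through that mailbox.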
Ways you may be victimized by SIM swap attackers
How do attackers get the private information they need to execute unauthorized SIM swaps? There are three common ways:
- Phishing: Fake emails, texts, or social media messages, often appearing to come from major retailers or celebrities, may ask you to click a link and enter personal info to claim a prize or fix a billing problem. Attackers hack prominent accounts and then send out messages with links to sites that either install malware to capture your password inputs, or request you input personal information on a malicious site. SIM-swap focused phishing attacks are sometimes known as “smishing.”
- Social engineering: This is the art of convincing people of something untrue. A classic example in SIM swap scams is the “crying baby phone call.” In this gambit, a woman claims to be the wife of someone who forgot which email address they used for an account login. She’s flustered, and there’s a crying baby in the background. However, it’s all a scam, and that baby is a recorded YouTube video.
- Corrupt or incompetent phone employees: Mobile carrier employees may be low-wage workers who’ve received little training. Some can be bribed to disclose customers’ private information. A sales representative for one mobile carrier was convicted in 2021, after earning more than $500 a day participating in SIM swap scams. Other workers may share personal data unwittingly by failing to consistently follow security protocols.
However SIM-swap thieves obtain private data, the result is the same. They use your passwords, security questions, usernames, and other personal info to port out your SIM card’s data to a card they control.
Recent SIM swap fraud examples
SIM-swap fraud is so common that examples abound. In one of the biggest recent SIM-swap hauls, then-high schooler Ellis Pinsky led a group of attackers that tricked an AT&T employee into porting out the SIM card in the phone of crypto investor Michael Terpin to a device they controlled. The upshot was a nearly $24 million theft. Pinsky, whom the media dubbed “Baby Al Capone,” has since joined with Terpin to sue AT&T over the incident.
In the past year, thefts traced to alleged SIM swapping include:
- Tampa resident Dan Clark lost his $700,000 life savings to a SIM-swap scam in May 2022.
- A Castle Rock, Colo. man lost $24,500 from his Wells Fargo account in early March 2023. The bank alleges a SIM swapper initiated a wire transfer to the victim’s account that drained the funds.
- A Broward County, Fla. woman had $18,000 worth of crypto stolen from her Coinbase account by a SIM swapper in fall 2021. The attacker, who visited a T-Mobile store and convinced staff there to transfer SIM card data to their phone, also initiated a transfer of another $3,000 from her bank account.
In many cases, the weak link appears to be low-paid and potentially poorly trained mobile carrier employees. If an attacker tries enough times, they may find one help-desk person willing to give them the personal information needed to execute a swap–either out of ignorance, or in exchange for an under-the-table fee.
7 steps to safeguard your phone
Fortunately, there are many actions you can take to avoid being the victim of SIM swap scams. They include:
- Don’t provide personal info. Beware of phishing emails, texts, and social media messages that request any confidential information such as parts of your Social Security number, address, or passwords. If you suspect there really is a problem with an account, always navigate to the company’s site on your own rather than clicking on a provided link. In particular, don’t provide any mobile-number account information on an inbound call. Always call your carrier yourself to verify the call is legitimate.
- Don’t share private info on social media. Do you really need your birthday or street address on your Facebook profile, for instance? This kind of personal data is exactly what thieves use to impersonate you to your mobile carrier, so they can port out your logins to their phone. Also bear in mind that bragging about the value of your crypto on Discord may make you feel important, but it’s a great way to attract criminals.
- Avoid email-, voice-, or text-based 2FA. Instead, use authenticator apps such as Authy or Google Authenticator. Alternatively, employ biometrics such as face or fingerprint recognition. It’s too easy for a SIM-swapping attacker to end up receiving one-time codes sent via email, voice, or text.
- Choose tough questions. Don’t set up easily guessed-at security questions, such as where you were born or went to high school. These are facts attackers could readily discover online.
- Select robust, unique passwords. Especially for key security points such as accessing your phone, computer, and financial accounts, make sure each password is long, complex, one-of-a-kind, and stored securely.
- Don’t preload logins. Don’t enable autofill on your phone for the username, password, PIN, or passkeys of any sensitive accounts.
- Boost your security level. Investigate what security upgrades your key institutions offer, especially your mobile carrier. Some now offer the option to add a PIN as an added security layer. Add available security measures such as a required call-back or activity notifications from banks that alert you immediately of suspicious activity.
Many phone users take a casual attitude toward securing their device, forgetting that it is often the gateway to accessing their financial accounts. Be vigilant, use more layers of security, and you can avoid becoming a SIM-swap victim.