Nearly three years ago, a hacker took control of former Twitter CEO Jack Dorsey’s Twitter profile. Soon after, Twitter acknowledged the incident and claimed that the hack was a result of “a security oversight by [Dorsey’s] mobile provider.” More specifically, however, Dorsey was a victim of a SIM swap scam. While in Dorsey’s case the threat was mitigated rather quickly, a hacker taking over a victim’s social media account(s) is only the tip of the iceberg when it comes to the scale of damage such a scam can inflict and it can happen to anyone.
What is a SIM Swap Scam?
SIM swap scams revolve around the abuse of SIM cards, so before diving into what the scam is and how it works, it’s necessary to have a basic understanding of what SIM cards themselves are. The “SIM” in SIM card stands for Subscriber Identity Module, and essentially, each card stores information relating to your phone that is unique to you. For example, a SIM card is what links your device to your phone number, connects your device to your provider’s mobile network, and tracks your data usage. As you move the SIM card from an old device to a newer one, your mobile account data will travel along with it, meaning people will be able to contact you on your new device. In the event that someone loses their mobile device, or their SIM card is otherwise damaged, they can contact their mobile carrier to request a new one.
A SIM swap scam is when a bad actor contacts a mobile provider fraudulently posing as someone else to request a new SIM card and get their hands on the sensitive data it contains. A criminal was able to change Jack Dorsey’s Twitter password and then log in, for example, because they gained control over Dorsey’s phone number through the new SIM card.
How Does a SIM Swap Scam Work?
While there’s some work to be done behind the scenes before a criminal can truly initiate a SIM swap scam, which I’ll speak on momentarily, these scams generally begin when a criminal contacts a mobile carrier to request a new SIM card. While in reality, the criminal is posing as someone else, requesting a new SIM card in and of itself generally isn’t an unusual action. The criminal can simply claim that they lost their mobile device or that the device and/or SIM card have been damaged beyond repair—both very reasonable claims.
This is when the scam truly begins; at this point, the mobile carrier will likely ask for a full name, the phone number associated with the account, and a PIN number that was created when the account was opened. While a PIN number may sound secure enough, in reality, mobile users frequently forget PIN numbers themselves and often request to change them. A user that wishes to change their mobile account’s PIN number will generally be required to provide some form of personally identifiable information, often times like the last four digits of their social security number, along with possibly answering some security questions.
This is the component of a SIM swap scam that has the highest likelihood of failure, but if a criminal does proper research on their victim, finding the required information is far from impossible. This research is what goes on behind the scenes before the scammer calls the victim’s mobile provider and can often entail scanning the victim’s social media accounts for sensitive information, browsing the dark web for information leaked in data breaches, and exploiting the victim via phishing attacks. Any information gained through these means can be used to fool the mobile provider into thinking the bad actor is the real account holder.
After bypassing authorization with the mobile carrier, the scam is more or less already completed. The criminal would simply need to request a new SIM card, have it shipped, and insert it into their own device to take control of the victim’s mobile account and phone number.
What is the Impact of a SIM Swap Scam?
When limiting the scope of a SIM swap scam to what happened to Jack Dorsey, falling victim to the scam may not seem so bad, particularly if the threat can be mitigated as quickly as it was for him. Unfortunately, though, the damage that a SIM swap scam can inflict is much greater than a takeover of your social media accounts.
Gaining access to a victim’s phone number means that criminals have a means of bypassing two-factor authentication, meaning criminals can change passwords for any account that uses the victim’s phone number for authentication. If your bank requires new devices to log in using a texted code, for example, the criminal will still be able to change the account password and gain access because they’re in control of the victim’s phone number. Criminals could conceivably gain access to a wealth of sensitive information that can be used to control someone’s finances or even steal their identity.
How Can You Prevent Falling Victim to a SIM Swap Scam?
Keep Your Social Media Private
Before a scammer can even think about contacting a mobile provider, they first need to gain information on their victim(s), often starting by skimming their social media accounts for clues. Be sure to never share sensitive information of any kind on social media, and when possible, keep your social media private so that scammers can’t view your profile at all.
Take Precautions Against Phishing and Malware
If scammers aren’t able to find enough information about you through social media or data breaches, they’ll often rely on social engineering and phishing attacks to either gain information from you directly or infect your device with malware to passively collect your sensitive data. Knowing how to identify phishing scams and avoid them altogether is crucial in ensuring that scammers won’t have enough info on you to bypass your mobile provider’s security procedures.
Know the Signs of a SIM Swap and Set Alerts
While staying private on social media and staying alert to phishing attempts is important in preventing a SIM swap scam, if an attacker is able to gain enough of your sensitive information through third-party data breaches, even those preventative measures may not be enough. If you’re suddenly unable to make calls or send texts, got a notification of a new device using your phone number, or find yourself locked out of your social media accounts, you may be the victim of a SIM swap. Take steps to identify the SIM swap as quickly as possible including setting up banking activity alerts, change-of-password notifications, and alerts from your mobile provider.
Choose a Secure Phone Provider
When initially choosing a mobile provider, security should be at the forefront of your mind. If you find that one provider allows you to create more complex PIN numbers, offers more thorough SIM swap training for their employees, or gives you the ability to lock your account, it would be worth choosing the more secure provider. The FBI claims that SIM swap scams caused over $68 million in damages this past year alone, so even if the more secure option is a bit more expensive, it could end up saving you more than you think.
Leverage Password Managers and Authentication Apps
If a scammer finds that you use the same or similar passwords for most of your accounts and that authentication is tied to your phone number, the damage can be done even more quickly. However, if you take advantage of a password manager that creates unique passwords for all of your accounts, the criminal will be forced to change passwords for each account they attempt to gain access to. Furthermore, if you use a third-party authenticator app that uses biometrics for your accounts, for example, rather than using your phone number for authentication, the criminal may not be able to gain access at all even after the SIM swap. Making the criminal’s job as difficult as possible will grant you more time to get in contact with your mobile provider, lock your account, and limit the damage done.
