Protect Yourself from SIM Swap Scams

SIM card swap scams are particularly scary. First, we will discuss how they work, then we will show you several ways to protect yourself.

How does it work?

A SIM card swap scam happens when a scammer calls your cell phone provider and convinces the employee to activate a new SIM card for your phone number. Let’s back up a bit. Inside your phone is a small chip, the SIM card, that tells your cell phone provider which phone number belongs to the physical phone in your hand. So the phone number is tied to the chip, not to the device. For many phones, you can take that chip out and put it into a new phone, and the new phone now has that phone number.

We use this concept when our physical phone breaks: we take the SIM card out and put it into a new phone. Sometimes we need to replace the chip entirely. When this happens, we call our provider and tell them the serial number of our new chip, and the provider moves the phone number from the old chip to the new one.

Scammers can use this same process to their advantage if they have gathered enough information about you. They call your provider, pretend to be you, and have your phone number moved to a SIM card in their own phone.

Why is this a problem? Your phone will stop working: no phone calls, no text messages, no data. The scammer now receives your phone calls and text messages. If the scammer knows enough about you, they can use your phone number to reset the passwords on accounts that send two-factor authentication or password-reset codes by text message, because those messages now arrive on their phone. If they succeed in changing your email password and getting into your email, they can then reset the passwords on all of your other accounts.

Phone numbers have become like social security numbers. Neither was ever meant to serve as a universal identifier for companies. Phone companies and the SSA were never prepared for that role, so relying on either one as proof of identity is insecure.

How do you protect yourself?

For this scam to work, the scammer has to gather enough information about you to convince the cell phone provider that they are you. You have no control over how the provider handles that call, so focus on the half of the equation you do control: your information. Hide it, protect it, decentralize it.

Do not reply to phishing emails or any emails that request personal information. The first step in the scam is convincing your provider that they are you, so don’t hand them the details that make that possible.

Set up a PIN or password on your cellular account. This is another step that makes it harder for scammers to pretend to be you.

Set up multi-factor authentication (MFA). MFA combines something you know (a password) with something you are (fingerprint, facial recognition, retina) or something you have (a physical key fob). This isn’t super common yet, but it will become more common.

Set up both email and text alerts for your phone provider, email and financial accounts, so you are notified whenever something is changed.

Unlink your phone number from your account when possible. Consider using a Google Voice number. 

Don’t use common services (Google, Facebook) to log in to other accounts. 

If you are the target of this scam, contact your cell phone provider to report identity theft, change your account passwords and monitor your financial accounts. 
