SIM swap fraud: What it is, why you should care and how to prevent it

Scams related to the coronavirus pandemic are on the rise. Phone calls and text messages claim to offer a cure or test kits, but what the scammers are really after is your personal information. With that information, hackers and scammers can do all sorts of things, like take control of your phone number and then access your online accounts. 

In January, a published study revealed how incredibly easy it is to do, potentially leading to thousands of dollars in fraud. That’s your money on the line. The practice of SIM swapping is becoming increasingly common, and despite carriers putting safeguards in place, researchers were able to demonstrate taking over your phone number quickly and with ease.

The SIM card inside your phone is a small plastic chip that tells your device which cellular network to connect to, and which phone number to use. We rarely ever think about SIM cards, except maybe when we get a new phone. 

SIM swapping occurs when someone contacts your wireless carrier and is able to convince the call center employee that they are, in fact, you, using your personal data. 

They do this by using data that’s often exposed in hacks, data breaches, or information you publicly share on social networks to trick the call center employee into switching the SIM card linked to your phone number and replacing it with a SIM card in their possession. 

Once your phone number is assigned to a new card, all of your incoming calls and text messages will be routed to whatever phone the new SIM card is in. 

At first glance, it seems somewhat harmless. But when you consider that most of us have our phone numbers linked to our bank, email and social media accounts, you quickly begin to see how easy it would be for someone with access to your phone number to take over your entire online presence. 

Matthew Miller, a contributor to CNET sister site ZDNet, fell victim to a SIM swap scam last year, and he’s still experiencing the repercussions of the fallout. Whoever took over Miller’s phone number gained access to his Gmail account, and promptly changed his password, then erased every email, deleted every file in his Google Drive account, and eventually deleted his Gmail account altogether. 

Miller later discovered he was targeted because he had a Coinbase account and his bank account was linked to it. Miller’s phone received his Coinbase account’s two-factor authentication codes, so the hackers were able to log into his cryptocurrency trading account and buy $25,000 worth of Bitcoin. Miller had to call his bank and report the transaction as fraud. That’s on top of the immense vulnerability he felt.

One ill-gotten gain for someone who takes over your phone number is instant access to any two-factor authentication codes you receive through text messages: the PIN that an institution texts you to verify that you are who you say you are. That means if they have your password, they’re just a few clicks away from logging into your email, bank or social media accounts. 

And if someone gains access to your email account, they can change passwords and search through your email archive to build a list of your entire online presence. Take the time to move away from SMS 2FA codes and use app-based codes instead. Seriously.