If you’re not familiar with SIM swap fraud, prepare to be terrified.
This scam, also known as port-out or SIM splitting fraud, allows criminals to hijack your cellphone number. Once they have your number, the bad guys can clean out your financial accounts, confiscate your email, delete your data and take over your social media profiles.
Fraudsters can do all this because many companies — including banks, brokerages, email providers and social media platforms — verify your identity by texting a code to your cellphone. Intercepting those codes can give a criminal an all-access pass to your financial and digital life.
This kind of identify fraud is getting more attention after a wave of cryptocurrency thefts and attacks on high-profile victims, including Twitter CEO Jack Dorsey, who briefly lost control of his Twitter account.
• THIS IS THE FRAUD THE EXPERTS FEAR MOST
The potential damage is so great that security expert Avivah Litan, vice president at research firm Gartner Inc., fears losing her phone number far more than having her Social Security number compromised.
What’s more, you can’t prevent this fraud — only your carrier can. And right now, criminals are finding it’s pretty easy to fool the phone companies.
Sometimes the scam artists bribe or blackmail carrier employees; sometimes, the employees are the criminals. Other times, the fraudsters use identifying data they’ve stolen, bought on the dark web or gleaned from social media to convince carriers that they’re you. They pretend they want to change carriers or say they need a new SIM card, the module that identifies a phone’s owner and allows it to connect to a network. Once they persuade the carrier to transfer your number to a phone they control, they can attack your other accounts.
Even getting your cellphone carrier to recognize what’s happening, and help you stop it, can be a challenge, says security expert Bob Sullivan, host of the “So, Bob” technology podcast. Victims report being forced to educate phone company employees about the fraud and having their numbers stolen more than once.
Phone companies protest they’re doing all they can, and solutions that would make this theft harder also would inconvenience people who legitimately want to switch carriers or need their numbers transferred to new SIM cards because their phones have been lost or stolen.
• CHANGE HOW YOU’RE IDENTIFIED, IF YOU CAN
First, ask your phone company to put a personal identification number on your account. Hopefully the carrier will require that to be produced before your phone number is “ported out” to a new carrier or assigned to a different SIM card.
Then, investigate whether you can switch to more secure authentication on your sensitive accounts. Being texted a code is better than nothing, since this “two factor” authentication is harder to beat than just using a password. Better options would be to get the codes through a call to a landline or by using an authenticator app such as Authy, Google Authenticator or Duo Security on your smartphone.
• ASSUME THE WORST
If your phone stops working or you can’t send or receive texts, don’t assume it’s a glitch. Call using an alternate method or visit your carrier immediately to report phone takeover fraud. Sullivan recommends knowing a few alternate ways to contact your carrier, such as Wi-Fi calling, Skype or a backup phone.
If you do become a victim, you should:
• Alert your financial institutions.
• Change the email and password associated with all your financial and payment accounts.
• Freeze your credit reports.
• File identity theft reports with your local police department.
Morning Briefing Newsletter
Get a rundown of the latest local and regional news every Mon-Fri morning.