SIM Swap fraud has been prevalent for years now, targeting both traditional financial services and crypto investments. In the scam, a criminal hijacks your mobile phone by using a new SIM card affiliated with your phone number. Once that is accomplished, two-factor authentication goes from a first line of defense against scammers to a virtual skeleton key to all of your accounts. SIM Swap fraudsters quickly change your passwords, gain access to your accounts and empty them of any value, sometimes before the target is even aware.
Earlier this month, the Federal Bureau of Investigation (FBI) issued a Public Service Announcement intending to increase awareness of the ploy. The FBI noted that from January 2018 to December 2020, the FBI Internet Crime Complaint Center (IC3) received 320 complaints related to SIM swapping incidents with adjusted losses of approximately $12 million. In 2021, IC3 received 1,611 SIM swapping complaints with adjusted losses of more than $68 million.
SIM Swap perpetrators cannot accomplish the criminal act alone. Either an insider working at a mobile provider facilitates the scam, or the perpetrators use “social engineering” to convince unwitting mobile provider employees to aid them in their nefarious acts.
To avoid becoming a target of a SIM Swap scam, the FBI recommends individuals take the following precautions:
- Do not advertise information about financial assets, including ownership or investment of cryptocurrency, on social media websites and forums.
- Do not provide your mobile number account information over the phone to representatives who request your account password or PIN. Verify the call by dialing the customer service line of your mobile carrier.
- Avoid posting personal information online, such as mobile phone numbers, addresses, or other personally identifying information.
- Use a variation of unique passwords to access online accounts.
- Be aware of any changes in SMS-based connectivity.
- Use strong multi-factor authentication methods such as biometrics, physical security tokens, or standalone authentication applications to access online accounts.
- Do not store passwords, usernames, or other information for easy login on mobile device applications.
The FBI recommends mobile carriers take the following precautions:
- Educate employees and conduct training sessions on SIM swapping.
- Carefully inspect incoming email addresses containing official correspondence for slight changes that can make fraudulent addresses appear legitimate and resemble actual clients’ names.
- Set strict security protocols enabling employees to effectively verify customer credentials before changing their numbers to a new device.
- Authenticate calls from third-party authorized retailers requesting customer information.
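
The email-address inspection recommended above can be partly automated. The following is an added example, not code from the FBI announcement or from any carrier: it flags sender addresses that differ only slightly from addresses already on file. The addresses, the look-alike character map and the distance threshold are all constructed assumptions.

```python
"""Flag sender addresses that differ only slightly from known client addresses."""

# Constructed sample data (assumption): addresses a carrier already trusts.
KNOWN = ["orders@northwind-retail.example", "j.alvarez@harbor-mobile.example"]

# Small illustrative look-alike map (assumption), not a complete confusables table.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def skeleton(addr):
    """Lower-case the address and fold look-alike characters together."""
    s = addr.strip().lower()
    for fake, real in CONFUSABLES.items():
        s = s.replace(fake, real)
    return s


def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender, known=KNOWN, max_dist=2):
    """Return (verdict, matched address); verdict is known, lookalike or unknown."""
    s = sender.strip().lower()
    known_lower = [k.lower() for k in known]
    if s in known_lower:
        # String match only: the From header can be forged, so this is not authentication.
        return ("known", s)
    for k in known_lower:
        if skeleton(s) == skeleton(k) or edit_distance(s, k) <= max_dist:
            return ("lookalike", k)
    return ("unknown", None)


if __name__ == "__main__":
    for addr in ["orders@northwind-retail.example", "orders@northwind-retai1.example",
                 "j.alvarez@harbor-rnobile.example", "billing@unrelated-shop.example"]:
        print(addr, classify_sender(addr))
```

A "lookalike" verdict is a reason to route the request to manual verification; a "known" verdict only means the address string matches and still needs the normal customer checks.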
In reality, the burden of defense is on mobile service providers, which should not allow ANY SIM changes by phone and should instead compel individuals to go into a physical location to prove their identity. Additionally, the prosecution of employees participating in inside jobs should be made public, and perpetrators should earn jail time.
Some targets have fought back. Perhaps the best-known case is that of Michael Terpin, who is suing AT&T for its negligence in a crypto theft of around $24 million. Terpin saw crypto siphoned from his accounts after a perpetrator gained access to these accounts in a SIM Swap scam. He sued AT&T for more than $200 million in damages along with the $24 million. While the $200 million was tossed by the judge engaged in the case, last we heard the $24 million was still in play.
The FBI asks targets to report information concerning all suspicious activity to local law enforcement agencies or their local FBI field office (contact information can be found at www.fbi.gov/contact-us/field-offices).
Additionally, report the activity to the FBI’s Internet Crime Complaint Center at www.ic3.gov.