Smartphones have been a boon to productivity and convenience. Many consumers have shifted their banking and investment transactions to the time-saving apps on their phones. But along with convenience, a reliance on mobile devices has attracted scammers looking to steal information and assets. A growing type of fraud exploiting mobile phone usage is known as SIM swapping.
What Is a SIM?
A subscriber identity module (SIM) was traditionally a small, removable card in your mobile phone that identified your phone number and authenticated your identity to a mobile network. When you got a new phone, you (or the phone store employee) would typically remove the SIM card from your old phone and transfer it to the new one.
In recent years, phone manufacturers have been phasing out physical SIM cards in favor of digital eSIMs, which are built into mobile devices and are more versatile. You can now change your device or service provider without going to a store or fiddling with the hardware.
What Is SIM Swapping?
But the convenience of eSIMs has opened a potential security hole for bad actors: If they can convince your provider that they’re you—say, by collecting personal information you post on social media—they can have your eSIM transferred to their device and potentially access your personal information, financial accounts and incoming messages. This type of fraud is known as SIM swapping.
The fraudulent holder of a SIM can access a wide range of content on a phone, which can serve as a gateway to financial, social media, email and other accounts. Thus, SIM swapping has a lot of potential for harm, as does port-out fraud, which is a related tactic that involves bad actors deceptively transferring a phone number from one wireless provider to another to gain control of the account.
The risks of these types of fraud are high for investors because mobile phone numbers have become a key to establishing customer identity and securing financial data. Websites commonly use multi-factor authentication (MFA) to verify the identity of someone attempting to access secure online data. If you try to log in to your bank or brokerage firm account, the institution might ask for more information than just your ID and password. This additional “factor” is often your mobile phone number since that’s unique to you and easy to access. If you set up MFA using this number, you’ll get a text message including a task to complete (like entering the accompanying numerical code) before you can access your account.
However, if someone swaps your SIM, they’ll be able to intercept the message meant to confirm your identity, thus fraudulently gaining access to your account.
How Can I Reduce My Risk?
Consider these steps to protect yourself against fraud involving SIM swaps:
- Use a form of MFA that doesn’t include your mobile number, such as biometrics (fingerprints, facial recognition, voice recognition, etc.) or a hardware token (a small device that generates a unique passcode for logging into an online system).
- Add a personal identification number (PIN) that will be required along with your user ID and password to access your wireless account.
- Use strong, unique passwords for each of your online accounts. Using the same password for many or all of your accounts means that if your password is compromised for one site, it puts the others at risk.
- Enable security updates and alerts for your accounts to ensure that you receive security notifications in a timely manner.
- Remain vigilant against cybersecurity threats, particularly phishing attacks.
- Minimize the amount of personal information you share online—including social media—as it could be used for SIM swapping.
What Are Some Signs of a Possible SIM Swap?
A number of red flags can indicate the potential for SIM swapping or related fraud, including:
- Loss of signal and services only on your mobile device;
- Notification that a new device or number has been activated when you didn’t add either of these;
- Inability to access your online accounts;
- Evidence of fraudulent transactions completed or requested; and/or
- An unusual number of notifications (calls and/or texts) to your mobile device.
What Can I Do If I Suspect SIM Swapping?
Here are actions you can take if you suspect your mobile account has been compromised by a SIM swapping scheme:
- Report your suspicions quickly to your mobile carrier and any companies where your accounts could be at risk.
- Contact law enforcement and the Federal Trade Commission (FTC).
- Lock or freeze your existing accounts.
- Close any new or unauthorized accounts.
- Place a fraud alert on your credit profiles.
- Keep a detailed report of the mitigation steps you’ve taken.