While most consumers appreciate that their mobile phones hold large amounts of sensitive data that needs to be protected, many don’t consider that this information could be compromised remotely and go unnoticed until it’s much too late. While the physical theft of a smartphone can be frightening, account takeover via SIM (subscriber identity module) swapping can have far greater consequences with devastating ramifications.
SIM swapping is a type of fraud that exploits cell phone carriers’ ability to “port” a number to a different device, which is typically done in instances where a customer has lost or had their phone stolen. The key to accomplishing this scam is simple: the fraudster merely has to impersonate the victim, pretending they are in need of porting their number to a new device. By providing the right information – which can be obtained via a number of different methods, including phishing, hacking, or buying it on the black market – scammers can easily trick the phone carrier representative into doing exactly what they need. Once successful, the victim’s mobile phone then becomes unusable as it no longer has service, and the fraudster receives all calls and messages going forward.
Importantly, fraudsters are then able to intercept any one-time passwords, taking advantage of two-factor verification/authentication – a security feature that combines something a user knows (e.g., a password) with something they have (e.g., a mobile phone). Most commonly, for the second authentication factor, platforms use a PIN sent via SMS to your mobile phone. When combined with your username and password, the result is supposed to be a stronger and more resilient layer of security. But for SIM swap victims, this means that the fraudster can now access their bank account, social media accounts, email, and other sensitive accounts. Essentially, SIM swapping can easily lead to many other types of fraud, including financial fraud, utilities fraud, tax fraud, and more.
What’s worse, unlike financial fraud and other more common types of fraud, cell phone account fraud has no legal framework for remediation. This, combined with the fact that there is little consumer protection, means the resolution process is often immensely time-consuming, redundant, and stressful. To date, victims spend a lot of time trying to prove that it was in fact fraud (and not their own debt). Moreover, they often have to deal with the fact that there are no liability limits as there are with credit cards – making the victim accountable for payment of the fraud and not the cell phone carrier.
NBC6 contacted four of the U.S.’s top mobile phone carriers to ask how they are protecting their customers from SIM swaps. Consensus indicates that the best course of action is for consumers to contact their carrier to request that an administrative block be placed on their mobile phone account, as well as establish a PIN for any account changes. Generali Global Assistance (GGA) also recommends the following for your customers:
- Because this scam starts with a fraudster gaining access to sensitive information, this is a good reminder to never give out personal information over the phone or through email, particularly when unsolicited.
- Additionally, never click links or open attachments in emails that appear to come from your phone provider. Instead, contact the carrier at the phone number listed on your bill or through your account on the carrier’s website.
- If you have access to mobile phone protection software, make sure you’ve activated it. Most will detect phishing scams and alert you so that you don’t inadvertently click on something malicious.