SIM swap scam

The fraud exploits a mobile phone service provider's ability to seamlessly port a phone number to a device containing a different subscriber identity module (SIM). This mobile number portability feature is normally used when a phone is lost or stolen, or a customer is switching service to a new phone.

The scam begins with a fraudster gathering personal details about the victim, either by use of phishing emails, by buying them from organised criminals,{{Cite web|url=https://www.theguardian.com/money/2015/sep/26/sim-swap-fraud-mobile-phone-vodafone-customer|title='Sim swap' gives fraudsters access-all-areas via your mobile phone|last=Tims|first=Anna|date=2015-09-26|website=the Guardian|language=en|access-date=2018-08-22}} directly socially engineering the victim,{{Cite news|url=https://timesofindia.indiatimes.com/city/bengaluru/many-bengalureans-lose-cash-to-sim-card-swap-fraud/articleshow/58387867.cms|title=Many Bengalureans lose cash to sim card swap fraud - Times of India|work=The Times of India|access-date=2018-08-22}} or by retrieval from online data breaches.{{cite news |last1=Murphy |first1=Margi |last2=Bennett |first2=Drake |title=Teen Gamers Swiped $24 Million in Crypto, Then Turned on Each Other |url=https://www.bloomberg.com/news/features/2023-08-04/teen-gamers-targeted-michael-terpin-in-major-sim-swapping-theft |access-date=May 11, 2024 |work=Bloomberg Businessweek |date=August 4, 2023}}

Armed with these details, the fraudster contacts the victim's mobile telephone provider.  The fraudster uses social engineering techniques to convince the telephone company to port the victim's phone number to the fraudster's SIM. This is done, for example, by impersonating the victim using personal details to appear authentic and claiming that they have lost their phone. In some countries, notably India and Nigeria, the fraudster will have to convince the victim to approve the SIM swap by pressing 1.{{Cite web|url=https://nigeriacommunicationsweek.com.ng/experts-finger-insiders-in-telcos-for-rising-sim-swap-fraud/|title=Experts Finger Insiders in Telcos for Rising SIM Swap Fraud – Nigerian CommunicationWeek|website=nigeriacommunicationsweek.com.ng|date=14 July 2018 |language=en-US|access-date=2018-08-22}}{{Cite web|url=https://www.gadgetsnow.com/slideshows/sim-swap-fraud-13-things-you-must-know-about-this-online-banking-scam/You-will-be-requested-to-press-1-or-authenticate-this-Swap/photolist/64947406.cms|title=You will be requested to press 1 or authenticate this Swap|website=Gadget Now|access-date=2018-08-22}}

Once they have a victim's personal information, attackers commonly impersonate them while contacting technical support services for their telecommunication provider and attempt to convince the employees to switch the victim's phone number to their SIM card.{{cite news |last1=Hartmans |first1=Avery |title=A hacker ripped me off for $10,000. The scam turned out to be brilliant — and terrifying. |url=https://www.businessinsider.com/credit-card-phone-theft-sim-swap-identity-theft-investigation-2023-4 |access-date=11 May 2024 |work=Business Insider |date=12 April 2023}}{{cite news |last1=Franceschi-Bicchierai |first1=Lorenzo |title=Verizon Adds Protection Against SIM Swapping Hacks in Mobile App |url=https://www.vice.com/en/article/verizon-sim-swapping-hack-protection-number-lock/ |access-date=11 May 2024 |work=Vice |date=9 July 2020 |language=en}} In some cases telephone company employees have been bribed by attackers to directly change SIM numbers.{{Cite news|url=https://www.vice.com/en/article/att-and-verizon-employees-charged-sim-swapping-criminal-ring/|title=AT&T Contractors and a Verizon Employee Charged With Helping SIM Swapping Criminal Ring|last=Franceschi-Bicchierai|first=Lorenzo|date=2019-05-13|newspaper=Vice News|language=en|access-date=2020-01-23|quote=Among the alleged criminals were also two former AT&T contract employees and one former Verizon employee, who helped the alleged criminals by providing private customer information in exchange for bribes, according to court documents.}} Attackers have sought out employees of companies including T-Mobile and Verizon through social media or employee directories in attempts to hire them, sometimes promising money in cryptocurrency for each phone number they transferred.{{cite news |last1=Franceschi-Bicchierai |first1=Lorenzo |title=How Criminals Recruit Telecom Employees to Help Them Hijack SIM Cards |url=https://www.vice.com/en/article/criminals-recruit-telecom-employees-sim-swapping-port-out-scam/ |access-date=11 May 2024 |work=Vice |date=3 August 2018 |language=en}}{{cite news |last1=TRUȚĂ |first1=Filip |title=Scammers Are Tempting Telecom Employees with $300 Bribe Offers for SIM Swapping Help |url=https://www.bitdefender.com/blog/hotforsecurity/scammers-are-tempting-telecom-employees-with-300-bribe-offers-for-sim-swapping-help/ |access-date=11 May 2024 |work=Bitdefender |date=17 April 2024 |language=en}}

Once this happens, the victim's phone will lose connection to the network, and the fraudster will receive all the SMS and voice calls. This allows the fraudster to intercept one-time passwords sent via text or telephone calls to the victim's number and thus subvert two-factor authentication methods relying on them. Since so many services allow password resets with only access to a recovery phone number, the scam allows criminals to gain access to almost any account tied to the hijacked number. This may allow them to directly transfer funds from a bank account, extort the rightful owner, or sell accounts on the black market for further identity theft and fraud.

A number of high-profile hacks have occurred using SIM swapping, including some on the social media sites Instagram and Twitter. In 2019, former Twitter CEO Jack Dorsey's Twitter account was hacked via this method.{{Cite magazine|url=https://www.wired.com/story/sim-swap-attack-defend-phone/|title=How to Protect Your Phone Against a SIM Swap Attack|magazine=Wired|via=www.wired.com|last1=Barrett|first1=Brian}}{{Cite web|url=https://www.theverge.com/2019/8/31/20841448/jack-dorsey-twitter-hacked-account-sim-swapping|title=The frighteningly simple technique that hijacked Jack Dorsey's Twitter account|first=Russell|last=Brandom|date=August 31, 2019|website=The Verge}}

In May 2020, a lawsuit was filed against an 18 year old Irvington High School senior in Irvington, New York, Ellis Pinsky, who was accused with 20 co-conspirators of swindling digital currency investor Michael Terpin{{Snd}}the founder and chief executive officer of Transform Group{{Snd}}of $23.8 million in 2018, when the accused was 15 years old, through the use of data stolen from smartphones by SIM swaps. The lawsuit was filed in federal court in White Plains, New York and asked for triple damages.

{{cite news

|last= Stempel

|first= Jonathan

|date= 7 May 2020

|title= U.S. cryptocurrency investor sues suburban NYC teen for $71.4 million over alleged swindle

|url= https://www.reuters.com/article/us-crypto-currency-lawsuit-idUSKBN22J32V

|work= Reuters

|access-date= 4 January 2021

}}

Nadeau, Barbie Latza (May 8, 2020) [https://www.thedailybeast.com/15-year-old-ellis-pinsky-led-ring-of-evil-computer-geniuses-in-dollar24m-cryptocurrency-heist-says-lawsuit "15-Year-Old From Suburbs Led ‘Evil Computer Geniuses’ in $24M Cryptocurrency Heist: Lawsuit"] Daily Beast {{update-inline |date=May 2024 |reason=So did he win the lawsuit?}}

In early 2022, the US FBI reported a sharp increase in money losses to consumers in 2021, and continuing into 2022, from this type of fraud.{{cite news |url=https://www.cnbc.com/amp/2022/02/19/how-to-avoid-sim-card-scam-that-once-fooled-jack-dorsey.html |title=This SIM card scam once fooled Jack Dorsey—here's how to avoid it |first=Mike |last=Winters |date=February 19, 2022 |work=CNBC |access-date=February 19, 2022 }}{{cite news |url=https://www.wsj.com/amp/articles/sim-swapping-attacks-many-aimed-at-crypto-accounts-are-on-the-rise-11645227375 |work=The Wall Street Journal |title=SIM-Swapping Attacks, Many Aimed at Crypto Accounts, Are on the Rise |date=February 18, 2022 |first=Ginger Adams |last=Otis |access-date=February 19, 2022 }} The losses in 2021 alone were five times larger than the three prior years summed: “The FBI says that victims lost $68 million to this SIM-card based scam in 2021, compared to just $12 million in the three-year period between 2018 and 2020.” The FBI received 1,600 complaints about SIM-swapping in 2021, a sharp increase from the three previous years. The swaps happen quickly once the scammers have sufficient information to persuade a mobile phone carrier to assign a stolen phone number to their phone; the thefts of money happen when the thieves then receive the two-factor codes sent to the proper owner of the phone number.

In South Korea, alleged incidents of SIM swapping attacks have been documented since the beginning of 2022. The common pattern includes victims facing abrupt disruptions in their mobile services, coupled with a notification suggesting a change. As a result, affected individuals discover that their bank and cryptocurrency accounts have been compromised.{{Cite book |last1=Kim |first1=Myounghoon |last2=Suh |first2=Joon |last3=Kwon |first3=Hunyeong |chapter=A Study of the Emerging Trends in SIM Swapping Crime and Effective Countermeasures |date=August 2022 |title=2022 IEEE/ACIS 7th International Conference on Big Data, Cloud Computing, and Data Science (BCD) |chapter-url=https://ieeexplore.ieee.org/document/9900510 |pages=240–245 |doi=10.1109/BCD54882.2022.9900510|isbn=978-1-6654-6582-3 |s2cid=252625262 }}

{{reflist}}

{{Scams and confidence tricks}}

Category:Fraud in India

Category:Confidence tricks

Category:Mobile security