So… I was a victim of a sim swap scam. It’s a little bit embarrassing to admit it, seeing how I regard myself as a generally savvy guy. I was apprehensive about making a post about this topic, but ultimately decided to as sim swap scams are growing in popularity and it can happen to anyone. If my story prevents one person from being a victim, then it’s time well spent sharing my experience.
What is a SIM swap scam?
A SIM swap scam occurs when a scammer convinces a mobile service provider to move a victim’s phone number onto a SIM card that the scammer controls. It’s a type of account takeover fraud that exploits the weakness of using a phone number as a two-factor authentication (2FA) channel.
There are two strategies that fraudsters use to switch SIM cards:
- impersonating you with a fake ID at a retail store that services your mobile carrier, in an attempt to have your number moved to a newly purchased SIM card
- bribing an employee, typically a customer service representative working for your mobile service provider, to process the SIM card switch
The first method usually starts with buying your personal information (name, Social Security number, address, etc.) on the dark web, then using it to create a fake ID and to answer any security questions that come up. Unfortunately, given the number of websites that get breached, the odds are high that your personally identifying information is already for sale.
The second method takes advantage of the fact that many call center employees are hired in low-wage countries and can be more easily bribed than others. The fraudster reaches out to people who work there and offers them money to process a SIM card switch. See an example of this being done via a text message below:
Unfortunately, both options used by scammers are highly effective in taking over your phone number.
Once they control your phone number, they’ll try to take over your email account. Most email systems have a “Forgot password?” feature where the provider texts a security code to your phone number before allowing a password change. This isn’t an obstacle for the scammer, since they now “own” your number.
With both your phone number and email address under their control, this is where the real carnage begins. The scammer will try to log into every single financial account you have and get as much out of it as they can before someone finds out.
SIM swap scams highlight the flaw in using phone numbers and email addresses as the two-factor authentication method.
Not only can scammers gain access to your accounts, but when unusual activity trips a financial platform’s fraud controls, the company typically verifies the transaction with a security code sent by SMS or email, both of which now go to the scammer.
Scary right?
How I Got Scammed
I was eating breakfast with my wife when I received a text message from my mobile carrier telling me that my current SIM card was no longer valid and a new one had been activated on a new phone.
My phone number got deactivated a few seconds later. It was quickly followed by a message that my email account password had been reset and changed. Since I was still on Wi-Fi, I started to see notifications from my bank, investing, and crypto apps that someone had initiated transfers of funds out of my accounts.
I was in a state of shock, but quickly got my senses together and used my wife’s phone to contact every company I had accounts with to freeze them with a fraud alert. Then, I contacted my mobile service provider and went through a rigid security check to verify that I was who I said I was.
This involved taking a selfie holding my driver’s license in one hand and my passport in the other. They also directed me to take a “moving selfie” on a verification app that had me move my head left to right and up to down.
The scammer started all of this around 3:00am EST, assuming I’d be asleep (and I would have been on any other night). They had managed to initiate pending transfers worth $98,656 within the first 30 or so minutes. That would have been an extremely unpleasant thing to wake up to.
Luckily, I was in the Maldives, where it was mid-morning, and thankfully I was able to get everything squared away. In the process, I learned a ton about how to prevent it from happening again in the future.
Preventing SIM Swap Scams
The best way to prevent SIM swap scams from happening to you is to stop using your phone number and email address as the two-factor authentication option.
Instead, use an authenticator app. These are mobile apps that provide an extra layer of security to your online accounts by generating time-based one-time passwords (TOTPs).
The authenticator apps I use generate codes that change every 30 seconds and are derived from a secret stored on the device, not from your phone number or email address, so taking over your number gives a scammer nothing to work with.
Reputable authenticator apps include Google Authenticator, Authy, Microsoft Authenticator, and LastPass Authenticator.
The downside (and it’s a big one) is that not all accounts support app-based authenticators. This blows my mind. We’re in 2024 and some companies just don’t take security as seriously as they should. Some of them say it’s an IT limitation, but in my experience, that’s just a cop-out because they don’t want to invest money to build this feature into their platform.
If you find yourself not able to use authenticator apps, there are other steps you can take to make your accounts more secure.
- Contact your mobile service provider and tell them to lock your SIM card. This will require additional steps to switch your SIM card, thus making it harder for a scammer to gain control.
- Use an authenticator app as your two-factor authentication method for your email account. Unlike financial accounts, most email platforms support this.
- Use different passwords for your various accounts to slow down any potential fraud and buy you additional time to handle the situation.
- Change the phone number tied to your online accounts to a different number that isn’t registered in your name (don’t use Google Voice – not all accounts support it and you can lose your Google Voice number if you’re not actively using it).
The Bottom Line
SIM swap scams increased more than 400% from 2018 to 2021, according to the FBI’s Internet Crime Complaint Center, so it’s super important for you to protect yourself as best as you can before it happens to you.
While my personal experience with SIM swapping was definitely scary, I didn’t lose anything financially, through the sheer luck of being on a far-away island. As our way of saying thanks, we actually pay homage to the Maldives by visiting twice a year (or at least that’s my wife’s excuse to fly there!).
Do you have experience of getting SIM swapped? Share your experience in the comments below. I’d love to hear from my readers.