Fact Check

Are Mobile Phone Users Vulnerable to 'SIM Swap' Fraud Through Phone Calls?

A social media post about a resurgent scam misstates the problem, but the form of fraud is very real.

Published Jan. 4, 2019

 (Shutterstock)
Image Via Shutterstock
Claim:
Cellphone users are being increasingly targeted by a "SIM swap fraud," in which their phones will briefly stop working before they receive a call tricking them into surrendering their information.
What's True

SIM swap fraud, in which a cellular service provider is duped into assigning a mobile phone number to a new SIM card is real and on the increase, according to experts.

What's False

SIM information cannot be gathered or swapped via a phone call, and victims will often not be aware that their information has been stolen until they find themselves unable to place calls.

One of the many new forms of crime that modern technology has brought us is a form of identify theft known as SIM swap fraud.

Subscriber identification modules (SIMs), commonly referred to as SIM cards, store user data in Global System for Mobile (GSM) cellphones. In simple terms, your phone's SIM card stores identifying information that authenticates your cellphone service and allows you to connect to mobile networks.

If fraudsters can gather enough personal information about you to answer some common security questions, they may be able to call your cellphone service provider, claim that you have lost or damaged your phone's SIM card, and ask the provider to switch your phone number to a different SIM card (which is in their possession). Once that's done, the fraudsters effectively control your phone number and can use it obtain a wealth of sensitive information -- including, possibly, requesting that your bank send codes via text messaging that will enable them to reset passwords and log in to your financial accounts.

While security experts have been trying to raise awareness of SIM swap fraud, at least one social media post on the subject sought to provide useful preventative advice but misstated how such fraud actually occurs. The most common version of the post read as follows:

Dear All, Please lets be very careful. There is a new HIGH TECH FRAUD in town called the SIM SWAP FRAUD and hundreds of persons are already VICTIMS.

How it works

1 A new fraud called SIM SWAP has started. Your phone network will momentarily go blind / zero (No Signal / Zero Bars) and after a while a call will come through.

2 The Person on the other side will tell you that he is calling from (your cell phone company) depending on your network and that there is a problem in your mobile network.

3 He will instruct you to Please press 1 on your phone to get the network back.

*Please at this stage don't Press anything, Just cut the call.

If you press 1, the network will appear suddenly and almost immediately go blind again (Zero Bars) and by that action, your phone is #HACKED.

It is increasing day by day. Within a second they will empty your bank account and cause you enough damage.

What you will experience

It will appear as though your line is without Network, meanwhile your SIM has been SWAPPED.

The danger here is that, you will not get any alert of any transactions, so please those of us doing USSD Banking and Mobile Banking BEWARE. So please be careful.

Please forward to your contacts, loved ones and friends

Received from a Cybersecurity Group

Steven Andrés, an instructor in the graduate program in homeland security at San Diego State University, termed that advice "incorrect."

Rather than being tricked over the phone and asked to press a button to initiate a malicious swap, Andrés explained, victims typically don't even know their SIMs were swapped out until it is too late:

The SIM in your current phone will just display "No Carrier" without any audible notification. You won't receive any phone calls and will not be able to make any phone calls. But in today's modern world where most of us communicate through words instead of phone calls, you may not realize your phone has lost cellular service until you leave the house.

Victims connected to WiFi networks at home or work would still be able to use email on their phones, as well as access the internet and social media apps such as WhatsApp, Twitter, and Instagram.

Andrés, who founded his own tech security company, told us that SIM swaps provide perpetrators with the ability to receive a victim's incoming calls or SMS (text) messages, just as Wired reported in August 2018:

At its most basic level, a SIM swap is when someone convinces your carrier to switch your phone number over to a SIM card they own. They're not doing it for prank call cover, or to rack up long-distance charges. By diverting your incoming messages, scammers can easily complete the text-based two-factor authentication checks that protect your most sensitive accounts. Or, if you don't have two-factor set up in the first place, they can use your phone number to trick services into coughing up your passwords.

Another security firm, Flashpoint, found evidence suggesting that some scammers pay off mobile phone service employees to help them execute SIM swaps on targeted customers' accounts. The company also listed signs that a user's SIM information has been hijacked, which echo the ones Andrés mentioned:

Affected phones cannot make calls, have no reception, and potentially have no 911 access. Additionally, attackers take over online accounts belonging to the subscriber. Unexpected text messages or e-mails referring to password resets, account logins, or phone number changes may occur before a successful takeover.

According to the tech news site Motherboard, in 2017 hackers exploited a weakness that allowed them to specifically target T-Mobile service users by gaining enough information that they could call the company, impersonate their victims, and request new SIM cards. T-Mobile alerted users in January 2018 to watch out for scammers trying to seize their information. One scam victim told the site that:

I lost $5200 in total, $1999 from one account, $2500 from another and $600 in credit card points redeemed for cash. I still haven't gotten my number back and have spent countless hours closing and reopening all my bank accounts, filling a police report, dealing with banks, credit card companies and TMobile. I've had to pay interest on my credit card as all my funds were frozen from Jan 9 to Jan 25th and I'm pretty sure I'll get some check return fees because I didn't change my transfer account for my auto debits in time.

The best part was TMobile sent me a bill and charged me for ending my service and porting out my number. Are you kidding me?!?!

Both Wired and Andrés recommended that cell phone users implement two-step verification for their accounts, but Andrés also urged them to seek more information from their service providers.

"I would strongly urge your readers to contact their carriers and specifically ask how they can completely block SIM or other account changes," he said. "The issue is that even if you have a PIN on your account, if there is an unscrupulous employee at the carrier, they may be able to easily bypass the protection."

Sources

Barrett, Brian.   "How to Protect Yourself Against a SIM Swap Attack."     Wired.   19 August 2018.

Flashpoint.   "SIM Swap Fraud Offers Account Takeover Opportunities for Cybercriminals."     8 June 2018.

Franceschi-Bicchierai, Lorenzo.   "'I Lived a Nightmare:' SIM Hijacking Victims Share Their Stories."     Motherboard.   12 February 2018.

Arturo Garcia is a former writer for Snopes.