In this article:
To increase security, many companies now require you to enter a code that's texted to your phone when you try to log in from a new device or make changes to your account. It's an important security feature called multifactor authentication that can keep hackers and fraudsters out of your account—but it could also backfire. A fraudster could take control of your phone number via "SIM swapping" and use the secure code to break into your account.
Criminals using SIM swap attacks may be able to get into your financial accounts, including bank and crypto accounts, and then drain the funds. An FBI notice from February 2022 says the FBI received 1,611 SIM swapping complaints in 2021 (compared with a combined total of 320 from 2018 to 2020), and the 2021 attacks led to a loss of over $68 million.
What Is SIM Swapping?
A SIM (subscriber identity module) card allows your mobile network to identify your phone and grant it access. Also known as simjacking, SIM swapping is when someone gets your phone number moved to a SIM card that's in a phone they control. There are also similar port-out scams, when the attacker switches (or "ports") your number to a new SIM card at a different carrier.
To conduct a SIM swapping scam, the fraudster could call your mobile carrier and imitate you (perhaps using personal information they've found or bought online). They may also use social engineering or bribery to convince a representative to move your number or hack into the mobile carrier's system so they can swap and port numbers.
Once a criminal has control of your phone number, they'll receive the verification codes and other data sent to your number. They can then try to break into your accounts or reset your passwords using the verification codes.
If you're using your phone at the time it swaps over, you'll notice it disconnects from your phone network. However, fraudsters may carry out these attacks in the middle of the night, when victims likely won't notice, and then quickly port the number back to your SIM card before you wake up.
How to Enable SIM Swapping Protections
Federal law requires mobile carriers to let you port your phone number to a new SIM card, and carriers may be required to quickly respond to a request. But because of the rise in SIM swapping scams, the Federal Communications Commission (FCC) has proposed new rules that would require carriers to add additional security features, such as the use of pre-established passwords, before porting numbers.
The three major phone carriers are already offering some options that you can enable to help protect you from SIM swapping and unauthorized porting. If you share a plan with others, you may need to enable these separately for each line:
You can add a passcode to your account by logging in to your AT&T account and going to the "Manage Extra Security" section. You'll be prompted to enter this passcode when you want to manage your account online or at a store. You also may have to request a Number Transfer PIN before you can port your number to a different carrier, which you can do from the myATT app, your online profile or by calling *PORT.
T-Mobile's Account Takeover Protection keeps unauthorized people from transferring your number to another carrier. The person responsible for the plan's bill can contact T-Mobile to turn the feature on. Additionally, the primary account holder may need to request a Number Transfer PIN using the T-Mobile app or website to port any of the numbers tied to the account.
Verizon's Number Lock will keep your number from being ported until the lock is disabled. You can also create an Account PIN, which you'll use to verify that you're an account owner. And there's a Number Transfer PIN, which an account owner or manager will need to request before transferring a number to a new carrier. You can enable and disable these security features from your online account or using the My Verizon app, and you can also request a Number Transfer PIN by dialing #PORT.
Other Ways to Protect Yourself From SIM Swapping
Enabling the security features through your carrier could be a simple way to keep your phone number safe, but there are also additional steps you can take to help protect yourself and your accounts from an attack:
- Try to use non-SMS multifactor authentication. Some accounts let you enable multifactor authentication (MFA) that doesn't rely on text messages. For example, you might be able to use an authenticator app, hardware token (a device that generates codes) or your fingerprint or face scan instead of a texted code. Then, even if someone takes over your number, they won't be able to get into your account or reset your password.
- Try to keep your personal information personal. The attackers will need to know personal details if they want to impersonate you when calling your carrier. Run a free privacy scan to see what's available online, and look into ways to remove your information from people search sites.
- Don't post about your assets online. Talking about how much crypto or retirement savings you have online could make you a target.
- Beware of social engineering attacks. Fraudsters may try to trick you into sharing personal information that they can sell or use for a SIM swap. For example, they could pretend to be a customer representative who needs to verify your name, address and other personal information. Beware of these phishing, smishing and vishing attacks, which are sent via email, text or call, respectively.
Look Into Identity Theft Monitoring
SIM swaps and port-out scams are two ways that criminals can use and monetize your personal information, but there are many others. Identity theft monitoring programs can monitor your credit reports, the dark web and other databases for suspicious changes and leaked information, which may help you quickly react if something goes awry. Some of the programs, such as Experian IdentityWorksSM, also come with identity theft insurance and dedicated fraud resolution support, which can help you restore your identity and pay for associated costs.