SIM Swapping Fraud: Sophisticated Scams That Bypass Two-Factor Authentication Security Measures
When you login to your bank account or purchase a product online using your credit or debit card, you may notice that entering your password sometimes isn’t enough to get you past security. Instead, you may also be asked to enter a security code that you receive via text message.
This practice, known as SMS-based two-factor authentication (2FA), is designed to make accounts more secure. The logic is that the account remains protected from fraud even if the first security factor, like the username and password combination, is compromised.
Unfortunately, SMS-based second factors are not impenetrable; they can be defeated by attacks like SIM swapping.
This security vulnerability presents problems for businesses, too, because they are often made to bear the cost of unauthorized activity in the form of chargebacks. In this article, we discuss what SIM swapping is, how it works, and what merchants can do in response.
Recommended reading
- Address Fraud: How Criminals Swap Addresses to Abuse Victims
- The Top 5 Prepaid Card Scams to Watch Out For in 2024
- How do Banks Conduct Credit Card Fraud Investigations?
- Key Credit Card Fraud Statistics to Know for 2024
- Scammers See Opportunity as March Madness Begins
- Man-in-the-Middle Attacks: 10 Tips to Prevent These Scams
What is SIM Swapping?
- SIM Swapping
SIM swapping is a fraud tactic. A scammer tricks a mobile carrier into transferring a victim's phone number to a new SIM card under the scammer’s control. They can then intercept calls and texts, and potentially access sensitive accounts linked to the victim's number.
[noun]/sim • swäp • iNG/
SIM swapping is a form of account takeover fraud by which a scammer attempts to gain access to an online account by stealing the user’s login credentials. It targets the SMS-based authentication factor in accounts secured by two-factor authentication.
Let’s say a user tries to login to their account. He keys in his username and password, but before he can login, he gets a message, saying that a text has been sent to his phone, and prompting him to enter the code in the text message.
If a scammer has already gained unauthorized access to the victim’s phone number via SIM swapping, that scammer can intercept the text, get the security code, and defeat the two-factor authentication attempt. The scammer then has access to the victim’s account, and can steal funds or sensitive information.
How Does SIM Swapping Work?
SIM swapping is a complex scam. Fraudsters who wish to hijack a victim’s account must jump through several hoops to defeat the SMS-based security factor. This can be done via the following steps:
#1 | Scammer Gathers Details About The Victim
A scammer may become interested in a victim because the first factor securing their account, like a username and password combination, was leaked online. To execute a SIM swapping scam, the perpetrator will need to gather more information about the victim, though. At minimum, the scammer will need to know the victim’s name, address, and phone service provider.
Scammers can get ahold of personal information by mining it from leaked data breaches or by purchasing it from criminal data vendors. SIM scammers may also use social engineering tactics or phishing attacks, in which legitimate-looking emails or phone calls are delivered to the victim. If the victim (falsely) believes that they are being contacted by someone they recognize, the victim may then voluntarily divulge sensitive information to the scammer.
#2 | Scammer Hijacks The Victim’s Phone Number
Armed with information about the victim, the scammer can now move onto their next mark: the victim’s phone service provider.
In this step, the scammer calls the victim’s provider, or visits a location in person and pretends to be the victim. The scammer then asks the phone company to port or swap the victim’s phone number over to a SIM card in the scammer’s control and possession; to literally “swap” the SIM card.
This lets the scammer gain control of the victim’s phone number. The scammer can then intercept calls and texts meant for the victim, including one-time security codes sent via SMS.
#3
|
The Scammer Defeats 2FA and Gains Unauthorized Access
to the Victim’s Account
The scammer first presents the compromised username and password combination. Once entered, the scammer must then input a one-time security code that is sent via text message.
A one-time security code, typically six- or seven-digits in length, is sent to the victim’s number. Now that the scammer has access to the victim’s phone number, though, the scammer simply copies and pastes the security code into the login portal. By hijacking the victim’s account, the scammer can steal funds, payment information, or other sensitive data that can then be used to commit identity theft or aid in further attacks.
How Much of a Threat is SIM Swapping?
The threat is significant.
SIM swapping scams are also becoming more prevalent. As two-factor authentication arrangements involving SMS security codes become more popular. For example, the FBI’s Internet Crime Complaint Center, or IC3, received 320 complaints about SIM swapping scams between January 2018 and December 2020. Fraud-related losses during this period were estimated at roughly $12 million annually.
Let’s compare that to losses attributed to SIM swapping fraud in 2021. Here, losses increased to $68 million annually, representing more than a fivefold increase. In 2021, the IC3 received 1,611 reports of SIM swapping fraud; a more than 400% increase in just a few years’ time.
The Center’s Internet Crime Report for 2023 shows that the agency received 1,075 complaints about SIM swapping crimes, which resulted in $48,798,103 in losses during 2023 alone. So, while SIM swapping may have slowed, the activity remains a significant threat.
Real-World Examples
Individuals unlucky enough to be victims of SIM swapping scams can be defrauded out of thousands — or even tens of thousands — of hard-earned dollars. Below, we’ve outlined a couple of high-profile examples:
Colorado SIM Swapping Victim Loses $24,500
In 2023, a Castle Rock, Colorado man lost $24,500 in a SIM swapping attack in which scammers exploited vulnerabilities in two-factor authentication methods to initiate a wire transfer from the victim’s bank account.
The victim, Darren Rowell, received an email alerting him of the suspicious activity, but by the time he arrived at his local Wells Fargo branch in an attempt to cancel the unauthorized transfer, he was too late. “Seven minutes later, the wire actually went through,” Rowell said in an interview with KUSA (Channel 9). “$24,500 was taken out of my savings.”
SIM Swapping Fraudsters Steal $21,000 From California Man
A similar scenario occurred in 2024 when SIM swapping scammers drained $21,000 from a Los Angeles resident’s Bank of America account.
Like Rowell, Jeff Drobman received alerts of suspicious activity. Someone had attempted to login to his bank account, and his password was changed. When he tried to phone Bank of America, he realized he couldn’t place calls; his phone number had already been swapped into the attacker’s SIM card.
By the time he could find another phone to dial his bank’s fraud team, his money was already gone. “They go, ‘They’ve already withdrawn $21,000 from your account.’ Are you kidding me? That’s half of my bank account,” he said in an interview with NBC Los Angeles.
How Does SIM Swapping Impact Merchants?
SIM swapping impacts merchants in at least two ways. The most obvious ramification is that this type of fraud elevates the prevalence of (legitimate) chargebacks.
Cardholders who discover unauthorized activity on compromised debit or credit cards will dispute those transactions with their issuing bank. When these legitimate disputes occur, it is neither the merchant nor the fraudster— but rather the merchant — who bears the cost of fraud.
Merchants and businesses can also be the targets of SIM swapping fraud. For instance, businesses that provide their employees with phones for work may be targeted by SIM-swapping scammers who use stolen phone phone numbers as a gateway into the target company’s intranet. All it takes is one unsecured device to grant access.
Once fraudsters gain unauthorized access to a company’s internal network, they can wreak havoc on databases. They can leak or misappropriate sensitive customer or vendor information, delete critical information, compromise financial data, steal trade secrets, or install ransomware from within.
Like all cyberattacks, SIM swapping fraud can cripple a company’s operations, damage its public reputation, and expose it to legal liability.
How to Identify SIM Swapping Attacks
Merchants who require customers to sign in with 2FA don’t have to be blindsided by SIM swapping fraud.
By paying close attention to certain telltale signs, merchants can be alerted while they are still in the early innings of a SIM swapping attack. Here are several red flags to watch out for:
#1 | You Can’t Place or Receive Calls or Texts
If your phone suddenly stops working, it may be because your phone number has been swapped over to a fraudster’s SIM card.
If you can’t receive or make outbound calls or texts, or if you suddenly lose access to cellular data, you should be on high alert. Notify your telecommunications provider immediately.
#2 | You get Emails or Push Notifications About Suspicious Activity
Be on the lookout for security alerts. If you receive an email from your bank, for example, alerting you that your password has been changed. Or, if you receive a push notification from PayPal saying that your phone number has been altered.
#3 | You Get Overwhelmed By Notifications
A scammer may inundate you with constant phone calls and text messages from different numbers. The goal is to get you to either turn off your phone, or simply stop paying attention to notifications. This way, you’ll be less likely to notice when you get a notice from your bank or another service provider about suspicious activity.
These alerts typically mean that at least one security factor has already been compromised. If your second factor is secured by SMS, it may be just a matter of time before scammers compromise it as well.
How to Avoid SIM Swapping Attacks
Merchants can take proactive steps to protect their customers’ accounts and prevent SIM swapping attacks. We recommend the following best practices:
1. Require Users to Change Passwords Regularly
Mandating that users change their passwords at least once every 60 to 90 days can help keep accounts secure and fraudsters at bay. In particular, requiring that users change their passwords in the event of a security breach or data leak is a wise and a low-cost way to ensure that usernames and passwords do not remain permanently compromised.
Merchants should also encourage users to set strong passwords (at least 8 characters, using a variety of letters, numbers, and special characters). Doing so enhances security and makes passwords harder to crack.
2. Limit the Number of Login Attempts Per Session
Merchants can enhance the security of user accounts by limiting the number of login attempts possible. Once a user exceeds a certain number of failed logins, they should be locked out of their account and be required to reset their password.
This may be a frustrating security feature for legitimate users who simply forgot their passwords. But, it’s an easy way to deter SIM swapping fraudsters who rely in part on brute force tactics to hijack accounts secured by 2FA.
3. Use Fraud Prevention Tools to Verify SMS-Based Security Code Requests
Banks and merchants can obtain users’ phone and SMS activity from telecommunications providers as a way to prevent SIM swapping fraud. Performing real-time checks every time a user requests a one-time SMS-based security code, for instance, can help merchants ensure the request is legitimate.
Meanwhile, SMS-based second-factor authentication attempts that are flagged by the phone fraud monitoring solution as suspicious can be automatically denied so that accounts whose first factors have been compromised can remain secure from SIM swapping fraudsters.
4. Ditch SMS-Based Second Factors For Authenticator Apps
Authentication apps — like Google Authenticator, Microsoft Authenticator, Authy, and others — are widely considered by security experts to be more secure than SMS-based authentication. This is because authenticator apps generate one-time passcodes locally. Scammers would have to steal an account holder’s physical device, rather than their phone number, to successfully defeat an authenticator app-based second factor.
Suffice to say, merchants who wish to enhance the security of their users’ accounts should swap out SMS-based second factors for authenticator app-based second factors. This eliminates the possibility of SIM swapping fraud entirely and reduces the risk of account takeover fraud.
Protect & Defend Yourself Against SIM Swapping Fraud
Although SIM swapping fraud is on the rise, it doesn’t mean that attacks are inevitable. There are numerous precautions and proactive measures that individuals and merchants can take to thwart potential attacks.
For starters, familiarizing yourself with SIM swapping red flags can help you re-secure your sensitive information before it falls into the hands of fraudsters. Engaging in good security practices, like changing passwords frequently, can also help keep your accounts secure.
Individuals can also circumvent the weaknesses of SMS-based second-factor authentication by opting for more secure second factors, like authenticator apps. Merchants can likewise encourage their use by supporting app-based two-factor authentication.
Finally, securing the key vulnerability at hand — the SIM card itself — is also a good practice. Set up alerts and notifications with your telephone provider so that you can stay informed about suspicious activity, and request a PIN so that attackers cannot easily port out your phone number to another SIM card.
FAQs
How does SIM swapping work?
SIM swapping occurs when a fraudster uses social engineering tactics to convince your telephone company to switch your phone number over to a SIM card under the fraudster’s control. Gaining access to your telephone number gives the fraudster the ability to read and intercept your text messages in real time. This allows them to defeat two-factor authentication measures that use text-based codes as the second factor.
How do you know if you were SIM swapped?
One sign that you may have been the victim of a SIM swapping scam is if you can longer make calls, send text messages, or use cellular data on your current phone. Other signs include receiving alerts that your phone number was activated elsewhere, or receiving text-based security codes without having first requested one.
Is SIM swapping still a threat?
SIM swapping is definitely still a threat. Data from the FBI’s Internet Crime Complaint Center (IC3) shows that SIM swapping attacks increased by 400% between 2018 and 2021. Losses to SIM swapping fraud currently total $68 million, and is expected to rise as text-based two-factor authentication measures become more ubiquitous.
How often does SIM swapping happen?
SIM swapping fraud has become more common in recent years. Between 2020 and 2023, complaints filed with the Federal Communications Commission (FCC) about the scam doubled from 275 to 550 reports. The FBI also investigated 1,075 SIM swapping complaints in 2023.
Can you stop SIM swapping?
Yes, you can take preventative measures to thwart SIM swapping attacks. For example, you can use a SIM PIN, a code that locks your SIM and prevents unauthorized access. Instead of making text messaging your second factor in two-factor authentication security measures, you can also use authenticator apps, which are more secure than SMS-based authentication methods.
