Flight attendant Eunice Lockett Thomas couldn’t understand why her Chase debit card was declined in early June 2021 as she tried to pay a dinner bill while vacationing in Hilton Head, South Carolina.
Thomas’ sisters, who were also at the dinner, planned to pay a portion of the tab. They sent money to Thomas through the Cash App, a payment transfer app that acts like a debit card for small transactions, on her iPhone 11.
“While we’re sitting there, I could see the transactions from the Cash App, but I couldn’t do anything about them,” says Thomas, 74. “I had no control over my phone. I couldn’t make calls. I couldn’t receive calls. I could only see kind of what was going on.”
This went on for two days before she returned home to New York and visited her carrier, T-Mobile. A customer service representative replaced her phone’s SIM card.
Thomas was apparently a victim of a SIM swap attack, an all-too-common industrywide scam involving a hijacking of the Subscriber Identity Module chip card found inside smartphones, which links your phone number and account information to your mobile provider.
Thomas’ saga got a lot worse. She learned that requests for money were sent out in her name to her contacts inside Cash App, some of whom sent money. Bitcoins were purchased and sold through her Cash App account as well. Thomas shared documentation of the transactions with AARP.
Thomas then discovered that $21,916.41 had been withdrawn from her Chase checking account, a transaction she insists she didn’t make or authorize. She reached out to Chase and T-Mobile, which acknowledged in writing “unauthorized activity” on her account, and she filed a police report. Citing its own research into her claim, Chase initially sent a letter to Thomas indicating that in its view, “the transaction(s) was processed correctly or was authorized” and that “no adjustment will be made to your account at this time.”
After AARP inquired to confirm her situation, a bank representative again looked into the case. A day later, the bank called Thomas and told her it would credit her account with the missing money, which Chase confirmed to AARP.
SIM cards carry personal information
Thomas says she isn’t sure how her phone got hacked. Some SIM cards can be removed from one phone and placed in another, so the risk of physical theft exists, though that didn’t happen her case.
Not every SIM card is compatible with every device. Newer eSIM types are embedded into the device hardware, which in some instances lets you have two different lines on the same handset.
Either way, here’s how the scam typically unfolds, according to the Federal Communications Commission. Someone posing as you persuades your cellular provider to issue a replacement SIM card or to port your number over from another provider. The scammer may claim that your card was lost or damaged, and having amassed personal details about you from data breaches and leaks, phishing attacks, social engineering, social media and public records easily found on the internet, the thief can make the bogus ploy sound convincing.
Once your SIM has been hijacked, calls, texts and other data that are supposed to go to you are diverted to the impostor’s device. This may include texts with the one-time-use multifactor authentication code that is supposed to provide you with an extra layer of security beyond a passcode. Instead, it may unlock the door for a thief to change or access your email addresses, social media profiles, financial records and bank accounts.