
How to Protect Yourself and Your Mobile Phone From SIM Swap Scams

Don’t let your smartphone, its data and passwords get hijacked



Flight attendant Eunice Lockett Thomas couldn’t understand why her Chase debit card was declined in early June 2021 as she tried to pay a dinner bill while vacationing in Hilton Head, South Carolina.

Thomas’ sisters, who were also at the dinner, planned to pay a portion of the tab. They sent money to Thomas through the Cash App, a payment transfer app that acts like a debit card for small transactions, on her iPhone 11.


“While we’re sitting there, I could see the transactions from the Cash App, but I couldn’t do anything about them,” says Thomas, 74. “I had no control over my phone. I couldn’t make calls. I couldn’t receive calls. I could only see kind of what was going on.”

This went on for two days before she returned home to New York and visited her carrier, T-Mobile. A customer service representative replaced her phone’s SIM card.

Thomas was apparently a victim of a SIM swap attack, an all-too-common industrywide scam involving a hijacking of the Subscriber Identity Module chip card found inside smartphones, which links your phone number and account information to your mobile provider.

Thomas’ saga got a lot worse. She learned that requests for money were sent out in her name to her contacts inside Cash App, some of whom sent money. Bitcoins were purchased and sold through her Cash App account as well. Thomas shared documentation of the transactions with AARP.

Thomas then discovered that $21,916.41 had been withdrawn from her Chase checking account, a transaction she insists she didn’t make or authorize. She reached out to Chase and T-Mobile, which acknowledged in writing “unauthorized activity” on her account, and she filed a police report. Citing its own research into her claim, Chase initially sent a letter to Thomas indicating that in its view, “the transaction(s) was processed correctly or was authorized” and that “no adjustment will be made to your account at this time.”

After AARP inquired to confirm her situation, a bank representative again looked into the case. A day later, the bank called Thomas and told her it would credit her account with the missing money, which Chase confirmed to AARP.

SIM cards carry personal information

Thomas says she isn’t sure how her phone got hacked. Some SIM cards can be removed from one phone and placed in another, so the risk of physical theft exists, though that didn’t happen in her case.

Not every SIM card is compatible with every device. Newer eSIM types are embedded into the device hardware, which in some instances lets you have two different lines on the same handset.

Either way, here’s how the scam typically unfolds, according to the Federal Communications Commission. Someone posing as you persuades your cellular provider to issue a replacement SIM card or to port your number over from another provider. The scammer may claim that your card was lost or damaged, and having amassed personal details about you from data breaches and leaks, phishing attacks, social engineering, social media and public records easily found on the internet, the thief can make the bogus ploy sound convincing.

Once your SIM has been hijacked, calls, texts and other data that are supposed to go to you are diverted to the impostor’s device. This may include texts with the one-time-use multifactor authentication code that is supposed to provide you with an extra layer of security beyond a passcode. Instead, it may unlock the door for a thief to change or access your email addresses, social media profiles, financial records and bank accounts.

‘You lose complete access to your phone’

“SIM swapping is a real threat,” says Eva Velasquez, president and CEO of the San Diego-based Identity Theft Resource Center, which educates consumers on the risks of identity theft and offers free resources to help victims recover. “It is a tactic that can be used to commit identity theft, and the effects can be very damaging. You will know if your SIM has been swapped if you lose complete access to your phone.”


In a study published in early 2020, researchers at Princeton University explained how they tested the authentication mechanisms in place for legitimate SIM swaps at AT&T, T-Mobile, Tracfone, US Mobile and Verizon Wireless. They signed up for 50 prepaid accounts, 10 with each carrier, and subsequently called in to request a SIM swap on each account. Their finding: All five carriers used insecure authentication challenges that attackers could easily subvert.

On July 11, the FCC announced proposed rules to help protect consumers from SIM swap scams, as well as port-out fraud in which someone poses as a victim to open an account with a provider other than the victim’s current carrier and then has that person’s number transferred or ported over to a new account the scammer controls.

If the proposed regulation goes into effect, wireless carriers will be required to adopt secure methods of authenticating a customer before redirecting that person’s number to a new account or provider. A provider also will have to notify the customer whenever a SIM change or port-out request is made.

“Every consumer has the right to expect that their mobile phone service providers keep their accounts secure and their data private,” FCC Chairwoman Jessica Rosenworcel said in a statement. “These updated rules will help protect consumers from ugly new frauds while maintaining their well-established freedom to pick their preferred device and provider.”

Carriers have been bolstering internal processes to combat this criminal activity, according to the CTIA, a wireless industry trade group that changed its name from the Cellular Telecommunications Industry Association in 2004. That includes setting up the ability to lock or freeze your account, working with law enforcement and training employees to look out for the fraud.

Some carriers allow only in-store changes

In some instances, a company may restrict customer accounts so changes can only be made in the store with a government-issued ID, says research scientist Kevin Lee, coauthor of the Princeton report.

T-Mobile says that its account holders must choose a 6- to 15-digit PIN and that a customer’s phone number cannot be ported without verification of that PIN. T-Mobile offers what it calls Account Takeover Protection, which adds security to accounts by blocking unauthorized users from transferring lines to another wireless carrier. AT&T similarly lets you create a unique passcode you’ll have to provide before account changes can be made, including port requests that another carrier initiates.

Cash App, which is owned by financial services company Block Inc., formerly Square Inc., and not a bank, has unleashed an artificial intelligence-driven feature that it says flags potential spam or scams for payments in the app.

But you can take steps as a smart consumer to minimize the risk. Here’s what experts suggest.

Don’t give out personal info

  • Don’t reply to calls, emails or texts that request personal information. If you get such a request for account or personal information, contact the company directly on your own, using a phone number or website you know to be genuine.
  • Use multifactor authentication. As noted, two-factor authentication, 2FA for short, will be useless if the code to verify your identity arrives on the crook's phone and the swindler already knows your passcode.

“A knee-jerk reaction may be to turn off 2FA altogether, and that is actually even more dangerous,” Lee says. Enabling this extra layer of security “only adds to the username and password requirements, potentially making it tougher for attackers to hijack. At the end of the day, it’s still better than nothing.”

David Strom of the Avast digital security firm is among experts who recommend switching your second authentication factor from SMS texting to an authenticator app such as Authy or Google Authenticator.

Protect your phone and SIM

  • Protect the physical device. This means using facial recognition or fingerprint scanning options common in smartphones, Velasquez says, along with a PIN.
  • Protect the physical SIM. You can lock your SIM with a numerical PIN you'll have to enter every time you restart a device or remove a SIM. You can create such a PIN inside the settings on your iPhone or Android device.
  • Be careful what you post online. This generally means avoiding the kind of information often prompted by security questions, including birth dates, the name of your pet, your best friend’s first name and high school mascot.
  • Keep your email inbox clean. Wipe out messages that don’t need to be there, including any with passcodes, PINs, Social Security numbers and billing statements that may reveal some or all of these details if your device is ever hacked.

Share landline, not mobile number

  • Don’t overshare your mobile number. AT&T recommends using your landline when sharing a number with a dry cleaner, grocery store or other businesses. Unless you have business reasons to do otherwise, don’t include your number on social media or as part of your email signature.

You can get a free phone number to give to businesses or acquaintances that you don’t want to have access to your real number, and it will ring on your phone. This “burner” number is something that can protect your privacy and is easily disposable if you want a different one later.

  • Report suspicious activity. If you notice something unusual, contact your mobile provider, bank and credit card company right away, and make sure your account credentials haven’t been changed. You may want to file an identity theft report with the Federal Trade Commission.

In its letter to Thomas acknowledging that her phone had been compromised, T-Mobile offered other sound advice: Consider placing a fraud alert with any of the three major credit bureaus — Equifax, Experian or TransUnion — which signals creditors to get in touch with you before opening an account in your name.

This story, originally published Sept. 27, 2021, was updated with proposed federal regulations to make SIM swap scams more difficult.

AARP’s Fraud Watch Network can help you spot and avoid scams. Sign up for free Watchdog Alerts, review our scam-tracking map or call our toll-free fraud helpline at 877-908-3360 if you or a loved one suspect you’ve been a victim.
