How to Protect Yourself and Your Mobile Phone From SIM Swap Scams

‘You lose complete access to your phone’

“SIM swapping is a real threat,” says Eva Velasquez, president and CEO of the San Diego-based Identity Theft Resource Center, which educates consumers on the risks of identify theft and offers free resources to help victims recover. “It is a tactic that can be used to commit identity theft, and the effects can be very damaging. You will know if your SIM has been swapped if you lose complete access to your phone.”

In a study published in early 2020, researchers at Princeton University explained how they tested the authentication mechanisms in place for legitimate SIM swaps at AT&T, T-Mobile, Tracfone, US Mobile and Verizon Wireless. They signed up for 50 prepaid accounts, 10 with each carrier, and subsequently called in to request a SIM swap on each account. Their finding: All five carriers used insecure authentication challenges that attackers could easily subvert.

On July 11, the FCC announced proposed rules to help protect consumers from SIM swap scams, as well as port-out fraud in which someone poses as a victim to open an account with a provider other than the victim’s current carrier and then has that person’s number transferred or ported over to a new account the scammer controls.

If the proposed regulation goes into effect, wireless carriers will be required to adopt secure methods of authenticating a customer before redirecting that person’s number to a new account or provider. A provider also will have to notify the customer whenever a SIM change or port-out request is made.

“Every consumer has the right to expect that their mobile phone service providers keep their accounts secure and their data private,” FCC Chairwoman Jessica Rosenworcel said in a statement. “These updated rules will help protect consumers from ugly new frauds while maintaining their well-established freedom to pick their preferred device and provider.”

Carriers have been bolstering internal processes to combat this criminal activity, according to the CTIA, a wireless industry trade group that changed its name from the Cellular Telecommunications Industry Association in 2004. That includes setting up the ability to lock or freeze your account, working with law enforcement and training employees to look out for the fraud.

Some carriers allow only in-store changes

In some instances, a company may restrict customer accounts so changes can only be made in the store with a government-issued ID, says research scientist Kevin Lee, coauthor of the Princeton report.

T-Mobile says that its account holders must choose a 6- to 15-digit PIN and that a customer’s phone number cannot be ported without verification of that PIN. T-Mobile offers what it calls Account Takeover Protection, which adds security to accounts by blocking unauthorized users from transferring lines to another wireless carrier. AT&T similarly lets you create a unique passcode you’ll have to provide before account changes can be made, including port requests that another carrier initiates.

Cash App, which is owned by financial services company Block Inc., formerly Square Inc., and not a bank, has unleashed an artificial intelligence-driven feature that it says flags potential spam or scams for payments in the app.

But you can take steps as a smart consumer to minimize the risk. Here’s what experts suggest.

Don’t give out personal info

• Don’t reply to calls, emails or texts that request personal information. If you get such a request for account or personal information, contact the company directly on your own, using a phone number or website you know to be genuine.
• Use multifactor authentication. As noted, two-factor authentication, 2FA for short, will be useless if the code to verify your identity arrives on the crook's phone and the swindler already knows your passcode.

“A knee-jerk reaction may be to turn off 2FA altogether, and that is actually even more dangerous,” Lee says. Enabling this extra layer of security “only adds to the username and password requirements, potentially making it tougher for attackers to hijack. At the end of the day, it’s still better than nothing.”

David Strom of the Avast digital security firm is among experts who recommend switching your second authentication factor from SMS texting to an authenticator app such as Authy or Google Authenticator.

Protect your phone and SIM

• Protect the physical device. This means using facial recognition or fingerprint scanning options common in smartphones, Velasquez says, along with a PIN.
• Protect the physical SIM. You can lock your SIM with a numerical PIN you'll have to enter every time you restart a device or remove a SIM. You can create such a PIN inside the settings on your iPhone or Android device.
• Be careful what you post online. This generally means avoiding the kind of information often prompted by security questions, including birth dates, the name of your pet, your best friend’s first name and high school mascot.
• Keep your email inbox clean. Wipe out messages that don’t need to be there, including any with passcodes, PINs, Social Security numbers and billing statements that may reveal some or all of these details if your device is ever hacked.

Share landline, not mobile number

• Don’t overshare your mobile number. AT&T recommends using your landline when sharing a number with a dry cleaner, grocery store or other businesses. Unless you have business reasons to do otherwise, don’t include your number on social media or as part of your email signature.

You can get a free phone number to give to businesses or acquaintances that you don’t want to have access to your real number, and it will ring on your phone. This “burner” number is something that can protect your privacy and is easily disposable if you want a different one later.

• Report suspicious activity. If you notice something unusual, contact your mobile provider, bank and credit card company right away, and make sure your account credentials haven’t been changed. You may want to file an identity theft report with the Federal Trade Commission.

In its letter to Thomas acknowledging that her phone had been compromised, T-Mobile offered other sound advice: Consider placing a fraud alert with any of the three major credit bureaus — Equifax, Experian or TransUnion — which signals creditors to get in touch with you before opening an account in your name.

This story, originally published Sept. 27, 2021, was updated with proposed federal regulations to make SIM swap scams more difficult.

AARP’s Fraud Watch Network can help you spot and avoid scams. Sign up for free Watchdog Alerts, review our scam-tracking map or call our toll-free fraud helpline at 877-908-3360 if you or a loved one suspect you’ve been a victim.