SIM swap scam
A SIM swap scam (also known as port-out scam, SIM splitting, Smishing and simjacking, SIM swapping) is a type of account takeover fraud that generally targets a weakness in two-factor authentication and two-step verification in which the second factor or step is a text message (SMS) or call placed to a mobile telephone.
The fraud exploits a mobile phone service provider's ability to seamlessly port a phone number to a device containing a different subscriber identity module (SIM). This feature is normally used when a customer has lost or had their phone stolen, or is switching service to a new phone.
The scam begins with a fraudster gathering personal details about the victim, either by use of phishing emails, by buying them from organised criminals, or by directly socially engineering the victim.
Once the fraudster has obtained these details, they then contact the victim's mobile telephone provider. The fraudster uses social engineering techniques to convince the telephone company to port the victim's phone number to the fraudster's SIM. This is done, for example, by impersonating the victim using personal details to appear authentic and claiming that they have lost their phone. In some countries, notably India and Nigeria, the fraudster will have to convince the victim to approve the SIM swap by pressing 1.
In many cases, SIM numbers are changed directly by telecom company employees bribed by criminals.
Once this happens, the victim's phone will lose connection to the network, and the fraudster will receive all the SMS and voice calls intended for the victim. This allows the fraudster to intercept any one-time passwords sent via text or telephone calls sent to the victim and thus allows them to circumvent many two-factor authentication methods of accounts (be they bank accounts, social media accounts, etc.) that rely on text messages or telephone calls. Since so many services allow password resets with only access to a recovery phone number, the scam allows criminals to gain access to almost any account tied to the hijacked number. This may allow them to directly transfer funds from a bank account, extort the rightful owner, or sell accounts on the black market for identity theft.
A number of high-profile hacks have occurred utilizing SIM swapping, including some on the social media sites Instagram and Twitter. In 2019, Twitter CEO Jack Dorsey's Twitter account was hacked via this method.
In May 2020, a lawsuit was filed against an 18 year old Irvington High School senior in Irvington, New York, Ellis Pinsky, who was accused with 20 co-conspirators of swindling digital currency investor Michael Terpin – the founder and chief executive officer of Transform Group – of $23.8 million in 2018, when the accused was 15 years old, through the use of data stolen from smartphones by SIM swaps. The lawsuit was filed in federal court in White Plains, New York and asked for triple damages.
- admin (2014-05-09). "Alert – how you can be scammed by a method called SIM Splitting". Action Fraud. Retrieved 2018-08-22.
- "NPR Search : NPR". www.npr.org.
- Tims, Anna (2015-09-26). "'Sim swap' gives fraudsters access-all-areas via your mobile phone". the Guardian. Retrieved 2018-08-22.
- "Many Bengalureans lose cash to sim card swap fraud - Times of India". The Times of India. Retrieved 2018-08-22.
- "Experts Finger Insiders in Telcos for Rising SIM Swap Fraud – Nigerian CommunicationWeek". nigeriacommunicationsweek.com.ng. Retrieved 2018-08-22.
- "You will be requested to press 1 or authenticate this Swap | Gadgets Now". Gadget Now. Retrieved 2018-08-22.
- Franceschi-Bicchierai, Lorenzo (2019-05-13). "AT&T Contractors and a Verizon Employee Charged With Helping SIM Swapping Criminal Ring". Vice News. Retrieved 2020-01-23.
Among the alleged criminals were also two former AT&T contract employees and one former Verizon employee, who helped the alleged criminals by providing private customer information in exchange for bribes, according to court documents.
- "How to Protect Your Phone Against a SIM Swap Attack" – via www.wired.com.
- Brandom, Russell (August 31, 2019). "The frighteningly simple technique that hijacked Jack Dorsey's Twitter account". The Verge.
- Stempel, Jonathan (7 May 2020). "U.S. cryptocurrency investor sues suburban NYC teen for $71.4 million over alleged swindle". Reuters. Retrieved 4 January 2021.
- Nadeau, Barbie Latza (May 8, 2020) "15-Year-Old From Suburbs Led ‘Evil Computer Geniuses’ in $24M Cryptocurrency Heist: Lawsuit" Daily Beast