How To Protect Yourself From SIM Swapping

Note: The advice herein presumes your mobile device has a baseline level of security established, i.e. no rooting/jailbreaking concerns, etc. and that you haven’t recently been a victim of phishing/spear phishing prior to taking these steps. If you suspect you’ve already been a victim, call your mobile carrier immediately and seek professional mitigation assistance.

What’s a SIM Card?

SIM cards are at the heart of how our mobile devices handle phone service and data. They’re the tiny cards we rarely think about that slide inside the device and make our mobile number (for phone calls) and our data plan (for Internet access) work.

SIM is an acronym that stands for Subscriber Identification Module. This little card is what connects our phone number and data plan to a carrier’s network, using a private key that’s embedded in the card itself. Why should we ever have to think about it?

What’s SIM Swapping?

This crime is astoundingly on the rise. It’s called “SIM swapping” (also “SIM jacking” or “SIM hijacking”) and relies on a form of deception known as social engineering.

Generally speaking, most of us are good people and want to help whenever we can. Criminals know this and exploit our helpful nature: they make urgent requests of an extreme nature in order to take control of our account and ultimately our mobile number (SIM card).

It’s a lot easier than it might sound. They’ve already collected enough personal info (physical address, SSN, phone number, date-of-birth, etc. all of these can easily be had) to impersonate us and then – the key ingredient: they add to this a compelling story, like “My dad died and I need to get on a plane in a few hours and to make it all worse I just lost my phone! Can you help???” in order to get the representative to empathize and work around established security protocols to “help” them.

From there, it’s easy for them to show up in a mobile carrier’s store with a fake ID and enough personal info, such as your address, phone number, date-of-birth, etc. to successfully take over your account.

Meanwhile, on our end (we’re still holding the phone with the currently active SIM card in it), the victim’s experience typically goes something like this:

  • Our phone suddenly receives no signal where the signal is generally fine and instead displays “Emergency calls only” or “No Network”.
  • We’re unable to make or receive calls or send/receive texts when not using WiFi.

Once a criminal has taken control of a SIM and thereby a mobile number, some things start to happen – FAST. Here’s an idea of what typically happens to victims of successful SIM Swap attacks:

  1. Victims notice their phones show “NO SERVICE”. Sometimes victims don’t notice this right away because they’re also connected to WiFi. This means that things like email, social media, and music, continue to work normally until they go somewhere without WiFi. This can be hours or even days later for some victims.
  2. It isn’t until they notice they’re not getting calls or texts that they begin to suspect something is wrong, but by then it’s too late.
  3. By then, they’ve already likely begun to see other weird things like requests being sent to reset passwords, losing access to email, social media, etc. It’s a nightmare that seems to happen suddenly, all at once.
  4. Criminals who conduct SIM jack attacks aren’t usually interested in your text messages or phone calls (unless you’re Jeff Bezos or someone connected to other valuable assets). They are focused on taking control of the two-factor authentication (2FA) codes for valuable accounts, such as the primary email account that everything else is tied to, or banking accounts that sometimes force account holders to receive one-time 2FA codes at their mobile number. Once a victim has lost control of their mobile number, criminals can initiate password resets on these accounts and intercept the one-time codes that are sent to the number they now control. They then use automated and manual tools to push password resets quickly across more and more of your accounts: email, social media, banking, insurance, loans, retail, and more.
  5. By the time you realize what’s happening, you’ll panic. But that’s not the end of it. This is only the beginning.
  6. After they’ve successfully taken over your identity, they resell all of your breached information on the Dark Web. That’s when things kick into high gear and make it even more stressful and time-consuming to mitigate and contain.
  7. The criminals who initiate and successfully achieve the attacks don’t often stick around. They sell these compromised accounts to the highest bidder(s) on the dark markets, who often then take the attack to a new level, which involve activities like opening loans and credit cards in your name, new email accounts, and effectively taking over your identity.
  8. There’s going to be a period of damage control that can take months or even years, depending on how quickly and how widely the criminals acted, how many accounts and assets they took control of, and how fast and smart the criminals they sold your identity to are.


When an attack is successful, your mobile number will be ported to a new SIM card. When that happens, the mobile plan you pay for monthly will stop working because the attacker has taken control of it and is using it to recover access to your email accounts and each of your personal accounts that are set to have their passwords reset via email. You are extra vulnerable to these types of attacks if 2FA is not enabled on your accounts.

Authentication Apps Are Better Than SMS/Text

Using SMS or text messages sent to your real mobile number to receive 2FA codes for your most valuable accounts might be easy and straightforward, but it makes us extremely vulnerable to SIM swapping. Use an app instead, like Authy, Google Authenticator, or Duo. This is called an “out-of-band” method, and it helps insulate you against SIM swapping attacks by removing the value of your SIM card (your mobile number) as a way to receive 2FA codes. Whenever possible, look for ways to use something other than your mobile number to receive these codes. It can save you a lot of pain and suffering while giving you better protection.

How To Protect Yourself

Step 1 isn’t enough to protect you on its own, so make sure to follow Steps 2 and 3 as well to prevent this from happening to you:

  1. Call your mobile carrier and tell them you’d like to add enhanced security to your account, specifically to prevent a new SIM card with your number from being issued or your number from being ported to a new carrier. Ask them to put a note on your account that you’ve already been targeted in the past (yes, it’s okay to be dishonest here for the sake of security). Other customer service representatives will see this note should someone attempt any of these actions without your consent.
    1. Request that a PIN or passcode, plus a verification sent via text, be required before any changes whatsoever are made to your account.
    2. You can also request a “Port Freeze” that prevents your phone number from being migrated to a different carrier.
  2. Log in to all of your email accounts (e.g. Gmail, Hotmail, Yahoo, etc.):
    • Enable 2FA, and we recommend using an app (Authy, Duo, Google Authenticator, or 1Password) to receive codes rather than your mobile number.
    • Remove your mobile number from any and all account recovery settings.
    • Remove any backup or forwarding emails connected to your account.
  3. Log in to all of your online banking (anything financially related), Amazon, and social media accounts linked to your primary email account and turn on 2FA. If using a 2FA app isn’t an option, use a VoIP number (Google Voice, RingCentral, etc.) rather than your actual mobile number.

What To Do If You Get SIM Swapped

Get your hands on a phone that works, call your carrier, and ask them to:

  • Immediately reassign the number back to you (this can take up to a week).
  • Prevent the number from sending/receiving any calls and texts.

Then, as soon as you have control of your number back, make sure you’ve followed and completed all three steps in How To Protect Yourself so it doesn’t happen again immediately, paying particular attention to removing text/SMS recovery settings from your accounts.

Next, notify your family, friends, and coworkers. Tell them to be on high-alert for attempts to compromise them coming from your phone, texts, emails, etc.

Last, file a police report. This is crucial (don’t skip this step). Many criminals engage in “swatting” which is calling 911 from your mobile number and reporting a murder or some other serious crime-in-progress that sends SWAT teams to your house. People have been mistakenly killed by police in these situations so don’t let it happen to you.

After the attack, when it’s all over and you’ve gotten your mobile number back, reset all your accounts to new, long, strong passwords (ideally using a password manager), with 2FA enabled and codes sent to a 2FA app wherever possible. The very last thing is to check the bill from your mobile carrier and verify you weren’t charged for costs you did not incur.

Set A PIN On Your Physical Device

If you frequently lose your phone or accidentally leave it places, you should consider enabling a PIN on the SIM card in your phone. By this I don’t mean the code you use to unlock your phone. Instead, in addition to that code, there’s an option to set a PIN on the SIM itself that prevents someone from activating and using your SIM card in another device.

Imagine this: some criminals steal phones. Even if they can’t crack the code to get into your phone they can simply remove the SIM card and take control of your mobile number. But not if you’ve put a PIN on that, too.

Here are some steps to do this on different devices:

Enable PIN for your SIM on iPhone or iPad: https://support.apple.com/en-us/HT201529

Enable PIN for your SIM on Android: https://www.digitalcitizen.life/how-change-or-remove-sim-pin-android-2-steps

Doing so offers you greater peace-of-mind, especially if you’re famous for forgetting your phone places.

Avoid Using Your Real Mobile Number

If you don’t have to share your real mobile number, don’t. For example, remove it from your social media accounts. “What does that mean?” you might ask. We don’t always need to provide a mobile number but sometimes do anyway out of habit. Verify that an account actually needs this information before giving it.

If an account you’re signing up for requires a mobile number, you can use any VoIP service, such as Google Voice, RingCentral, etc., to create an online “phone number” that can be used in place of your real mobile number, which offers a great deal of protection. We should avoid using our actual numbers whenever possible. If your number is tied to a business, this may be even more important to consider. Yes, I imagine this isn’t advice many of you want to hear, but I hope you’ll at least consider it rather than ignore it and regret it later.

Removing and abstracting your real mobile number from your most valuable online accounts vastly reduces your risks in a successful SIM swap, especially where you have to associate a mobile number to an account.

For example, sign in to the Google Account page and edit your mobile number in the Personal Info section. If you see your mobile number there, replace it with a VoIP number like Google Voice, RingCentral, etc. or remove it altogether (as long as you have another option for receiving 2FA first!).

[Screenshot: Google Personal Info settings, erasing the phone number]

Remove your mobile number from the Security section, under “Ways we can verify it’s you”. This is another good spot to use a VoIP number and not your real mobile. Note that 2FA is turned off in this screenshot. Be sure to re-enable it once you’ve set up an authenticator app or are using a VoIP number to receive those 2FA codes, so you don’t lock yourself out.

[Screenshot: Google Security settings, erasing the phone number]

Here’s another example using Amazon: in Your Account, select Login & Security. Remove your mobile number and/or add a VoIP number here.

[Screenshot: Amazon Security settings, erasing the phone number]

PayPal is another regular target for criminals. Do the same thing here by clicking the settings (gear icon) in the upper-right corner of the page once you log in. Click Phone, remove your real mobile number, and add a VoIP number instead to sleep much better at night.

[Screenshot: PayPal Security settings, erasing the phone number]

Likewise, consider removing your real mobile number from all your social media, retail, and especially your financial accounts.

Look Sharp!

Don’t go changing too much after reading any of this! Continue to be your kind, sensitive, and helpful self, but don’t let the baddies take advantage of you. Be kind but skeptical about anyone asking for your personal info in person, via email, and/or text; don’t be afraid to ask for verification, and call them back using a legitimate number.

Try thinking of it this way: trust but verify. No one will fault you for due diligence and it might save your identity someday.

If you fear you’ve been a victim of SIM swapping, seek professional guidance in order to properly mitigate the damage and make good, informed choices going forward. Once you’ve been compromised, you’re predisposed to future issues, especially if you don’t handle the first incident in a comprehensive and intentional way.

Thanks for reading – please share these tips with your loved ones to help ensure their continued success and safety in the new year.

Gratitude to Motion Mela for the rad gif featured in this post!