Cybercriminals have grown adept at developing clever methods to gain access to your data in order to steal from you. One such way takes advantage of our ability to keep the same phone number we’ve always used when we get a new smartphone—even if we’re changing to a new mobile carrier.
SIM Swapping: How It Works
Also known as SIM hijacking, SIM Swapping is a type of identity theft where criminals gain access to your phone number and personal information by impersonating you and convincing your mobile carrier to transfer your phone number to a new SIM card, which is installed in a phone in the scammer’s possession.
Although your smartphone physically remains in your hands, the SIM swap disconnects it from the mobile network. It allows the thief to intercept and receive all incoming calls and text messages being sent to your phone number—including multi- or two-factor authentication codes you’ve set up to protect your bank, credit card, payment app, social media or email accounts.
Before you know what’s happened, you might see email notifications of new account logins, changed passwords, cash transfers, or credit and loan accounts newly created in your name! Meanwhile, you have no cell service to report the fraud in real time.
In case you’re wondering, SIM stands for Subscriber Identity Module, which is a small chip that stores your phone’s identity and lets it connect to a mobile network. Similar to the smart chips in credit cards, a SIM card is about the size of a fingernail with an embedded chip. Mobile phone companies link a phone number to a SIM card. Putting the SIM card into any mobile phone allows you to make and receive calls and text messages with that phone number.
Protect Yourself from SIM Swapping Scams
One simple and key step in safeguarding your identity is enabling port-out protection for your mobile phone number. This feature prevents cybercriminals from transferring (or “porting”) your number to another device, SIM card, or carrier without your permission, which can lead to identity theft or fraud.
Here’s How:
- Request a Port-Out Lock: Some carriers, like Verizon, T-Mobile, AT&T, and Spectrum Mobile, offer this feature. You may need to set up a PIN or password to activate it. Call customer service or visit your carrier’s website to learn about port-out protections.
- Confirm Protection is in Place: Make sure your mobile number is locked by periodically verifying with your carrier that your protection is active.
This protection is already in place for those with a device provided under the university-managed contract, and no further action is necessary.
An additional and closely related way to protect yourself against fraud is to opt for app-based push authentication methods instead of less secure text or phone call authentication methods. Your risk of falling victim is greatest if your authentication codes are texted or called to your mobile phone number!
For example, at the University of Rochester and UR Medicine, if you are one of the few remaining people who have your Duo authentications texted or called to your phone number – instead of the more secure method of using the Duo app to receive authentication prompts – then you are at a greater risk of your work accounts becoming compromised if anyone ever intercepts your phone calls or text messages.
Additionally, Duo can be a powerful tool outside of protecting your work accounts. Many account service providers now offer the option to verify your identity by using a unique code from an authenticator app, such as Duo, installed on your device. The Google Authenticator app is another popular option for account providers that may not offer their own app-based push authentication.
Taking these proactive simple steps can significantly reduce your risk of falling victim to SIM swap scams and identity theft.