A SIM swap scam (also known as port-out scam, SIM splitting, simjacking, and SIM swapping) is a type of account takeover fraud that generally targets a weakness in two-factor authentication and two-step verification in which the second factor or step is a text message (SMS) or call placed to a mobile telephone.

Method

The fraud exploits a mobile phone service provider's ability to seamlessly port a phone number to a device containing a different

subscriber identity module A typical SIM card (mini-SIM with micro-SIM cutout)A SIM card or SIM (subscriber identity module) is an integrated circuit (IC) intended to securely store an international mobile subscriber identity (IMSI) number and its related key, which are u ...

(SIM). This mobile number portability feature is normally used when a phone is lost or stolen, or a customer is switching service to a new phone. The scam begins with a fraudster gathering personal details about the victim, either by use of

phishing Phishing is a form of social engineering and a scam where attackers deceive people into revealing sensitive information or installing malware such as viruses, worms, adware, or ransomware. Phishing attacks have become increasingly sophisticate ...

emails, by buying them from organised criminals, directly socially engineering the victim, or by retrieval from online

data breach A data breach, also known as data leakage, is "the unauthorized exposure, disclosure, or loss of personal information". Attackers have a variety of motives, from financial gain to political activism, political repression, and espionage. There ...

es. Armed with these details, the fraudster contacts the victim's mobile telephone provider. The fraudster uses social engineering techniques to convince the telephone company to port the victim's phone number to the fraudster's SIM. This is done, for example, by impersonating the victim using personal details to appear authentic and claiming that they have lost their phone. In some countries, notably India and Nigeria, the fraudster will have to convince the victim to approve the SIM swap by pressing 1. Once they have a victim's personal information, attackers commonly impersonate them while contacting

technical support Technical support, commonly shortened as tech support, is a customer service provided to customers to resolve issues, commonly with consumer electronics. This is commonly provided via call centers, online chat and email. Many companies provid ...

services for their

telecommunication Telecommunication, often used in its plural form or abbreviated as telecom, is the transmission of information over a distance using electronic means, typically through cables, radio waves, or other communication technologies. These means of ...

provider and attempt to convince the employees to switch the victim's phone number to their SIM card. In some cases

telephone company A telecommunications company is a kind of electronic communications service provider, more precisely a telecommunications service provider (TSP), that provides telecommunications services such as telephony and data communications access. Many t ...

employees have been bribed by attackers to directly change SIM numbers. Attackers have sought out employees of companies including

T-Mobile T-Mobile is the brand of telecommunications by Deutsche Telekom Deutsche Telekom AG (, ; often just Telekom, DTAG or DT; stylised as ·T·) is a partially state-owned German telecommunications company headquartered in Bonn and the largest telec ...

and

Verizon Verizon Communications Inc. ( ), is an American telecommunications company headquartered in New York City. It is the world's second-largest telecommunications company by revenue and its mobile network is the largest wireless carrier in the ...

through social media or employee directories in attempts to hire them, sometimes promising money in

cryptocurrency A cryptocurrency (colloquially crypto) is a digital currency designed to work through a computer network that is not reliant on any central authority, such as a government or bank, to uphold or maintain it. Individual coin ownership record ...

for each phone number they transferred. Once this happens, the victim's phone will lose connection to the network, and the fraudster will receive all the SMS and voice calls. This allows the fraudster to intercept one-time passwords sent via text or telephone calls to the victim's number and thus subvert two-factor authentication methods relying on them. Since so many services allow password resets with only access to a recovery phone number, the scam allows criminals to gain access to almost any account tied to the hijacked number. This may allow them to directly transfer funds from a bank account, extort the rightful owner, or sell accounts on the black market for further identity theft and fraud.

Incidents

A number of high-profile hacks have occurred using SIM swapping, including some on the social media sites

Instagram Instagram is an American photo sharing, photo and Short-form content, short-form video sharing social networking service owned by Meta Platforms. It allows users to upload media that can be edited with Social media camera filter, filters, be ...

and

Twitter Twitter, officially known as X since 2023, is an American microblogging and social networking service. It is one of the world's largest social media platforms and one of the most-visited websites. Users can share short text messages, image ...

. In 2019, former Twitter CEO

Jack Dorsey Jack Patrick Dorsey (born November 19, 1976) is an American businessperson, who is a co-founder of Twitter, Inc. and its CEO during 2007–2008 and 2015–2021, as well as co-founder, principal executive officer and chairman of Block, Inc. (deve ...

's Twitter account was hacked via this method. In May 2020, a lawsuit was filed against an 18 year old Irvington High School senior in

Irvington, New York Irvington, sometimes known as Irvington-on-Hudson, is a suburban Administrative divisions of New York#Village, village of the Administrative divisions of New York#Town, town of Greenburgh, New York, Greenburgh in Westchester County, New York, Un ...

, Ellis Pinsky, who was accused with 20 co-conspirators of swindling

digital currency Digital currency (digital money, electronic money or electronic currency) is any currency, money, or money-like asset that is primarily managed, stored or exchanged on digital computer systems, especially over the internet. Types of digital cu ...

investor Michael Terpinthe founder and chief executive officer of Transform Groupof $23.8 million in 2018, when the accused was 15 years old, through the use of data stolen from smartphones by SIM swaps. The lawsuit was filed in federal court in

White Plains, New York White Plains is a city in and the county seat of Westchester County, New York, United States. It is an inner suburb of New York City, and a commercial hub of Westchester County, a densely populated suburban county that is home to about one milli ...

and asked for triple damages. In early 2022, the US FBI reported a sharp increase in money losses to consumers in 2021, and continuing into 2022, from this type of fraud. The losses in 2021 alone were five times larger than the three prior years summed: “The FBI says that victims lost $68 million to this SIM-card based scam in 2021, compared to just $12 million in the three-year period between 2018 and 2020.” The FBI received 1,600 complaints about SIM-swapping in 2021, a sharp increase from the three previous years. The swaps happen quickly once the scammers have sufficient information to persuade a mobile phone carrier to assign a stolen phone number to their phone; the thefts of money happen when the thieves then receive the two-factor codes sent to the proper owner of the phone number. In

South Korea South Korea, officially the Republic of Korea (ROK), is a country in East Asia. It constitutes the southern half of the Korea, Korean Peninsula and borders North Korea along the Korean Demilitarized Zone, with the Yellow Sea to the west and t ...

, alleged incidents of SIM swapping attacks have been documented since the beginning of 2022. The common pattern includes victims facing abrupt disruptions in their mobile services, coupled with a notification suggesting a change. As a result, affected individuals discover that their bank and

accounts have been compromised.

References

{{Scams and confidence tricks Fraud in India Confidence tricks Mobile security