Your phone holds a lot of value as a way of connecting to friends and family—but it can be even more valuable to scammers. Through a scam called "SIM swapping," or SIM port hacking, cybercriminals gain access to your phone number and take it over, which can result in steep consequences.
SIM swapping is a form of identity theft that allows criminals to intercept calls and texts to your phone number. This means that even if you have protections on your accounts—such as two-factor authentication with SMS texts—these bad actors can gain access to your logins, including your bank accounts.
"We saw an uptick in this kind of scam when the U.S. passed a law that said phone carriers had to let you take your phone number with you to another carrier," said Kris Jackson, director of cybersecurity engineering and operations at BOK Financial®. "This created a gap for porting numbers from one carrier to the next using information that was gathered through data breaches or social engineering."
In 2023, more than $48,798,103 in losses were reported due to port jacking or SIM swapping scams, according to the FBI's Internet Crime Report. Jackson said some of these instances can be traced back to an uptick in data breaches, which may provide criminals with personal information.
"If you're over 30, your info is pretty much public record," Jackson said. This is a result of the Equifax breach in 2017 where hackers stole sensitive, personally identifiable information of nearly half of all American citizens—more than 150 million people. Scammers can then use this information to convince a cell phone provider to transfer your phone number to another carrier and a phone in the criminal's possession. This includes information like your mother's maiden name, Social Security number, address and much more.
How SIM swapping works
First, cybercriminals target mobile carriers, using personal information to gain access to their victim's account. That information is usually collected through social engineering, insider threats or phishing techniques. These criminals often impersonate their victim and trick the mobile carrier into transferring the mobile number to a SIM card owned by the criminal.
"Every carrier handles this differently," Jackson said. "There are some who will port your number with almost no information because of a lack of training, no formal process, etc. Others are more formal about it, and it directly relates to the size and maturity of the organization to make sure this happens more securely."
Next, once they've ported the number, the criminals will use the victim's calls or texts to gain access to online accounts associated with the mobile phone number.
At this point, the criminals can gain control of online accounts, change passwords or use codes to access even more sensitive information.
"It's worth nothing that if your phone stops working or you're suddenly unable to make calls or send texts, that might be what's happening to you," Jackson said. "In that case, immediately take steps to change your passwords, keep an eye on your accounts and monitor your credit closely."
How to protect yourself
Jackson suggested a few ways that consumers can protect themselves from port-jacking, including:
1. Taking your mobile carrier's security into account. "Outside of which carrier you elect to use, there's little you can do to protect yourself," Jackson said. Look for carriers that have additional security protocols in place, such as a PIN requirement to make account changes.
2. Avoiding using SMS/text messages for authentication. "With these new threats, SMS and voice one-time passwords are not strong enough," Jackson said. Instead, he recommends using hard tokens or passkeys to verify accounts. Hard tokens allow users to access software and verify identity with a physical device rather than relying on authentication codes or passwords. A passkey is a digital credential that allows users to sign into websites and apps without a password—using biometric verification, like a fingerprint or face scan. Both options can offer better protections for consumers.
3. Creating strong, complex passwords that you don't repeat across multiple accounts. "You know you've created a password that's effective when you can't memorize it," Jackson said. Password protection software can help you create and manage your account passwords.
4. Placing freezes at credit bureaus. "Doing this can help protect you from identity theft and fraud," Jackson said. When you need to use your credit, you can then temporarily unfreeze it.
"Ultimately, it's a good idea to move away from using SMS as an authentication method," Jackson said. "As criminals get smarter, consumers need to be better able to protect themselves by changing the way they manage and protect their accounts."