WARNING: SIM Swap Attacks Target Millions of Cell Users
Like most cellular users, you probably know that your phone needs a SIM card to connect to your chosen wireless carrier such as T-Mobile or AT&T. However, most cell phone customers don’t fully understand how a SIM card works or what information is found on this little piece of technology. If you use a cell phone, you need to understand how a SIM swap (also called SIM jacking) can occur and what to do if it happens to you.
Anyone can be a SIM swap victim. This crime is not limited to celebrities or wealthy Americans who are swindled out of millions of dollars or cryptocurrencies. Average citizens have also lost thousands of dollars to hackers who steal, sell, and misuse personal data for their own financial gain.
The incidence of these cyber-attacks is unprecedented in our country.
The stories are frustrating, scary, and downright heart-breaking. Mostly because the companies involved refuse to accept responsibility for protecting their customers. Or even worse, they blame the consumer for not adequately protecting their account.
At Schlanger Law Group we fight for victims of all forms of identity theft including cyber scams like SIM swapping. We are currently working with several SIM swap victims, and we stand ready to help consumers across the country who are facing similar situations.
What is a SIM Card and Why Would Someone Want to Steal it?
When you choose a wireless service provider, you receive a small card called a SIM (Subscriber Identity Module) that must be inserted into your phone to begin your cellular service. All phone calls, messaging, emails, and text messages use the SIM card to send information. If you lose or damage your cell phone or buy a new phone, you will legitimately need to transfer your SIM card to the new phone.
To make the transfer, you must contact your service provider. You’ll need to provide information such as your name, date of birth, billing address, email address, or other personal data to prove your identity. Then the customer service representative can make the switch in a matter of minutes.
But what if a thief has acquired your personal data through a data breach or some other illegal activity? With the right information, they can call your cellular company, pretend they are you, provide the requested information, and have your SIM card information transferred to their phone instead of yours. Instantaneously, your phone is disabled, and you cannot make or receive calls or messages. It’s that easy.
You are now a SIM swap victim, and you need to act quickly.
How do SIM Swaps Start?
SIM fraud attacks can begin with data breaches in companies that gather and maintain a large amount of consumer information. For example, The Washington Post reported T-Mobile has experienced several data breaches (at least five in the past three years) impacting millions of current and former T-Mobile customers from as far back as 2014.
During these breaches, hackers access consumers’ personally identifiable information (PII) through a weak security system and steal the data for criminal use. Identity thieves buy the stolen data which allows them to make unauthorized bank or credit card transactions and commit other financially devastating crimes.
In SIM card scams, hackers gather and sell consumers’ PII, often through the dark web—the place where scammers and hackers exchange stolen information on the internet. For example, after the T-Mobile breaches, 124 million data entries were offered for sale on the dark web and many T-Mobile customers became SIM-jacking victims.
How does SIM Jacking Work?
Using the PII stolen in data breaches, identity thieves contact the wireless carrier, impersonate the victim, claim their phone was lost or damaged, and request a “SIM swap.” When the unsuspecting wireless employee transfers the SIM information to the thief’s phone, the thief takes control of the victim’s cell phone and the data associated with it.
Scammers also use social engineering to steal PII. Some may scour social media accounts for relevant information. More aggressive criminals may contact their target directly by phone call or text pretending to be a bank or credit card representative. The scammer explains there is unusual activity in the target’s account and asks for a password, PIN, date of birth, or other information that will allow them to “fix” the problem. Once the criminal has this information, they contact the wireless carrier and request a new SIM card.
How Can Thieves Use Your Stolen SIM Card?
Once a criminal has control of your SIM card, they can access the apps on your phone, your emails and text messages, and financial information or transactions you have completed through your cell phone. The thief then tries to access your credit card or financial accounts online.
During the takeover, the thief will be prompted to enter a password. By using the “Forgot Password?” option the thief requests a code to change the password. Most companies use two-factor authentication that denies access until the user is verified. However, the second verification step is usually a call, text, or email through the cell phone’s SIM that is now in the thief’s possession. When the company sends a message or calls the phone number on file, the thief receives the message, resets the password, and receives immediate access to your account.
WARNING: An identity thief can empty your accounts in a matter of minutes after a SIM swap attack.
T-Mobile Admitted Data Breaches
After one of the biggest reported data breaches in August 2021, many T-Mobile customers received a letter admitting their PII was exposed to unauthorized and unknown people. In the data breach announcement, T-Mobile confessed that it, “didn’t live up to the expectations we have for ourselves to protect our customers” and, “[k]nowing that we failed to prevent this exposure is one of the hardest parts of this event.”
Unfortunately, this was not the first time, nor the last time, that T-Mobile’s system has been breached. According to an article by Vice.com, following a T-Mobile data breach in 2017, the hacker who broke through the security system boldly posted a tutorial on YouTube. In the video, he explained how other scammers could use the breach to steal customer information.
Sadly, although T-Mobile disclosed its data breaches, it is not taking responsibility for the subsequent nightmares faced by the customers whose PII was stolen. Instead, T-Mobile offered identity protection programs and told the customers to change their passwords and PINs.
SIM Card Fraud Strikes Financial Accounts Next
After the cell service providers, financial institutions are the next targets of these fraudulent schemes. Banks, mobile payment apps, and credit card issuers have allowed SIM jackers to make large withdrawals from customers’ accounts that should have been flagged, delayed, and confirmed before the money left the accounts. Some of these companies have refused to reimburse the victim’s stolen money and may even blame the account holder for not protecting the account.
While consumers continue to lose thousands of dollars in SIM swap schemes, some wireless carriers and financial institutions are not following the laws and Federal Trade Commission guidelines that protect these innocent victims. When companies refuse to accept legal responsibility, an experienced consumer protection law firm can help.
Signs Your SIM Card Information has been Stolen
With so many forms of identity theft, you should regularly monitor your financial accounts for unusual activities. We created this checklist of Seven Ways to Detect Identity Theft and 17 Steps to Reduce its Impact to address general forms of ID theft.
However, in SIM card hijacking cases, look for these specific warning signs that might occur when a scammer takes control of your SIM card:
- A sudden loss of mobile phone signal and the inability to use your phone to make or receive calls or messages.
- Unusual phone or text messages that your cell service has been changed and asking if you made the change. However, if your SIM card is then deactivated, you won’t be able to contact your cell carrier to address the problem.
- Unfamiliar social media activity that appears to be from you, but you did not create the posts.
- A notification from your cellular company that your SIM card has been reassigned or newly activated on a different device,
- Your access is denied to financial accounts such as your online bank account, credit card account, mobile payment app, or other places where you must use login details to enter the site, and
- If your sign-in details (such as a password, PIN, or answer to a security question) are rejected, they may have been changed by a SIM thief.
If any of these problems arise, follow these six steps:
- Contact your cell phone carrier, bank, credit card companies, mobile payment apps, and any other financial entities IMMEDIATELY.
- Close your cell account and consider changing service providers. Verify the status of your SIM card as soon as possible.
- Place a fraud alert on all accounts and freeze any accounts that have already been attacked.
- Change your existing passwords, PINs, and security questions to thwart future attacks.
- Request your credit reports from the three major credit reporting agencies—Experian, Equifax, and TransUnion. Thoroughly review each report for unauthorized activity and dispute any problems directly with the reporting agency immediately.
- If you have already lost money and the companies involved won’t help, contact an experienced consumer protection lawyer at Schlanger Law Group.
How to Reduce the Risk of a SIM Card Swap
No one is immune to cyber scams. And SIM card jacking can happen to anyone. But if you are extremely careful with your personal information, you may reduce your chances of falling victim to consumer fraud scams. In general,
- Never give your personal information by phone or text to someone who contacts you first. Legitimate businesses will never request this information over the phone or through a text message.
- If you have doubts about the person requesting information, contact the business directly to confirm the request. Phishing (via email) or smishing (via text) messages are common social engineering tactics that can compromise your PII quickly.
- Reduce your online activities and the number of companies you interact with via the internet.
- Create strong passwords and PINs and unique personal security questions that hackers won’t guess. Don’t use a high school mascot, mother’s maiden name, or first pet’s name since that type of information may be easily available on social media.
- If possible, avoid using your phone number as the second step in two-factor authentication. Instead, use an independent authentication system such as Google Authenticator.
- Ask your carrier to create a separate PIN for your personal communications. Never use an obvious PIN such as your birthdate, anniversary, or street address. Store your passwords and PINs in a password manager.
- Ask your wireless company to send alerts about any unusual activity and before a SIM card is issued for another device.
- Improve your two-factor authentication to include a physical aspect such as a token or other item you must have in your possession to complete the access process.
- Safeguard printed personal information, shred documents to destroy them, promptly gather your mail from an accessible mailbox, and don’t leave important documents in public view.
Schlanger Law Group is Fighting for SIM Swap Victims
When you contact Schlanger Law Group’s team of identity theft attorneys, we will listen to your story and determine your legal options. We can explain whether you have the right to pursue your cell phone company, bank, credit card issuer, or other financial entity if they are not following the law.
Our consumer fraud lawyers have already initiated several SIM swap fraud cases, and we are currently accepting new clients in this emerging area of law. Because many wireless carriers include arbitration clauses in their customer contracts, we are prepared to bring arbitration cases on behalf of SIM-jacking victims in addition to filing lawsuits nationwide.
If You are a SIM Swap Victim and Your Carrier or Bank Won’t Help, Let’s Talk
Identity theft and consumer fraud schemes are two of SLG’s core practice areas. Several SIM swap victims have already entrusted us to bring arbitration or litigation claims against wireless carriers and financial companies to address their financial losses and protect against future problems.
We regularly litigate against leading financial institutions, such as TD Bank, Citibank, Wells Fargo and others in cases regarding unauthorized bank account access. We are proud of the excellent outcomes we have achieved on behalf of victims..
Call (212) 500-6114 or click the button below to schedule your free case consultation today.