For years, mobile phones have kept us connected on the go—whether it's shooting off work emails mid-flight, sharing moments on social media during dinner, or exchanging funny memes with friends from anywhere on the planet. Our phones have become more than just personal gadgets; they now link to our banks and investment accounts, allowing us to authenticate and manage online access with ease. While smart locks turning phones into house keys may not be a reality yet, the prospect of keys, watches, and wallets becoming obsolete looms.
The comfort of two-factor authentication and verification tricks us into feeling secure, thinking that our online bank accounts are safeguarded because only we control our phones. We unlock them with passcodes, our thumbs, or our faces. However, cybercriminals can sidestep these security measures by simply swapping out the SIM card. The subscriber identity module (SIM card) is a small chip-containing card inserted into phones for calls and texts. Without it, a phone can only function on Wi-Fi for internet access or photo-taking.
How does a SIM Swap work?
A SIM card swap occurs when scammers gain control of your phone by contacting your phone service provider and deceiving them into linking your phone number to a new SIM card in their possession. They begin by collecting substantial personal information about you, then proceed to impersonate you when contacting your phone provider. Typically, they claim to have lost or damaged their (your) SIM card, insisting on activating a new one. Once your phone service provider complies and activates the new SIM card, all calls and text messages redirect to the scammer's phone. Meanwhile, your cell phone is left with a non-functional SIM card, and you may not realize the loss of control over your phone's information until you attempt to use it.
As mentioned earlier, scammers need a significant amount of personal information to execute this scheme, and this information is often obtained through phishing attacks, malware, or social media research. Phishing attacks involve scammers sending emails or text messages, posing as trustworthy sources, to trick you into divulging sensitive information. For instance, a scammer might impersonate your bank, claiming your account will be frozen unless you verify personal details. These attacks can be challenging to detect because the perpetrators seem trustworthy, and the communication appears authentic.
Everyone is susceptible to phishing attempts. As I was writing this article, I received a text message from an unknown number, supposedly from USPS, warning me of an undelivered package and prompting me to update my address through a suspicious link. Since I wasn't expecting a package, I grew suspicious, especially after examining the sender's domain name, which didn't resemble a USPS domain. Imagine if someone eagerly awaiting an important delivery receives such a message; it emphasizes that anyone can fall victim to a phishing attack.
Equally perilous are emails that entice you to click on links that install malware on your computer, which then records and transmits your keystrokes, including passwords and security answers. Scammers also mine your social media profiles for information such as your mother's maiden name, the high school you attended, or your pet's name. Such data is often shared on social media and commonly used in security questions. Even with private account settings, data breaches can occur, as seen when former Meta employees accessed user accounts for bribes.
Once scammers access your personal details, they can convincingly communicate with your phone service providers, asserting they are you and authorizing the activation of a new SIM card. In most cases, you remain unaware until money is missing from your accounts or you can no longer access them due to scammers resetting passwords.
But how do these scammers transfer money without detection? With the gathered information, they may set up a second bank account in your name at your bank, where security checks may be less stringent since you are an existing customer.
SIM Swap Attacks on the rise.
In the fight against SIM swapping attacks, phone service providers have collaborated closely with law enforcement, introducing new policies and enhancing employee training to better identify impersonation attempts. Despite these measures, SIM swap scams are on the rise.
In September 2021, the Federal Communications Commission (FCC) revealed its intention to develop rules addressing cybercrimes in the U.S., particularly SIM swapping, following numerous consumer complaints about significant distress, inconvenience, and financial harm caused by such incidents. In a February 2022 public service announcement, the FBI highlighted a surge in SIM swapping scams, reporting 1,611 incidents in 2021 alone, resulting in losses exceeding $68 million. Notably, a criminal group comprising ten individuals aged 18-26 was apprehended across multiple European countries. They unlawfully accessed the phones of well-known figures, including social media influencers, sports stars, musicians, and their families in the United States, stealing over $100 million. This organized criminal network, linked to the Italian mafia, employed computer experts for cyber fraud, recruiters for money muling, and money laundering experts, including those well-versed in cryptocurrencies.
In another case, Nicholas Truglia, a 25-year-old crypto scammer, received an 18-month prison sentence for his role in a scheme that involved hacking a blockchain consultant's phone through SIM swapping, resulting in the theft of $22 million in cryptocurrency. Truglia, who pleaded guilty to conspiracy to commit wire fraud, agreed to pay over $20 million in restitution. Notably, the victim, Michael Terpin, took swift action by hiring an attorney to identify the perpetrators, leading to the exposure of a 15-year-old alleged leader, Ellis Pinsky, who surrendered cash, cryptocurrency, and a valuable watch to Terpin. Terpin successfully sued Truglia, winning a judgment of over $75 million, one of the largest in the cryptocurrency space at that time. Terpin also filed a lawsuit against his phone provider AT&T, accusing them of failing to protect his personal information.
Despite consistent efforts by U.S. and European governments to combat SIM swap attacks, recent cases indicate that scammers persist in targeting victims. A current SIM card-swapping campaign conducted by a Chinese threat actor known as "Scattered Spider" serves as the latest example. According to cybersecurity technology company CrowdStrike, "Scattered Spider" has launched a financially motivated and highly persistent intrusion campaign, targeting telecommunications and business process outsourcing companies. While the full impact of this SIM swapping attack remains unclear, it is certain that numerous individuals will be affected by it.
Conclusion
SIM swapping persists as a longstanding issue primarily due to scammers consistently identifying individuals to defraud. The escalating presence of technology embedded in carrier networks serves as a significant catalyst for an increasing number of attacks. As long as phone numbers wield substantial influence, SIM swapping will persist in our society, providing scammers with an ongoing avenue to exploit our phones and personal information to their advantage. Engaging the services of seasoned legal representation is the most effective course of action for any victim aiming to retrieve their assets.