Scam Alert! Watch Out for SIM Swapping & Port Out Scams

In 2018, Rob Ross lost a total of one million dollars.

The culprit?

A new scam, called SIM swapping. Hackers used Ross’s private information to hijack his cellular account. With direct access to his text messages, the hackers intercepted his two-factor authentication codes and used them to gain access to his financial accounts.

Within hours, Ross’s life savings went from $1M to a zero balance.

While this particular story is extreme, it highlights a growing trend across the United States – SIM swapping and port out scams. Both techniques leverage your phone number to take over your financial accounts. In this article, we’ll explain what these scams are and the different methods you can use to protect your money.

Here’s How SIM Swapping & Port Out Scams Work

Although their impact is devastating, SIM swapping and port out scams are fairly simple in action.

First, the scammer gets hold of your personal information, such as your name, email, and password. This can happen in a number of ways: credential stuffing from data breaches, phishing, man-in-the-middle attacks, etc.

Once the hacker has your information, they will steal access to your phone number. If the hacker uses the port out method, they will contact a new phone company to set up an account. Then, they will request to keep the same number as before. (This, of course, is a common customer request.) To comply, the phone company will port the number from the old company to the new company and shut down your current phone account in the process.

If the hacker uses the SIM swapping method, they will instead contact your current phone company to report your SIM card as lost or damaged. The hacker will “confirm” that they are the account owner by using your stolen information. After the company confirms your identity, they will activate a new SIM card – one that the hacker has access to. During the process, your SIM card will be deactivated, and the hacker will have complete control of your phone number.

Why Hackers Want Your Phone Number

While it’s scary to think of a stranger having access to your private calls and messages, the reason hackers want access to your phone number is more insidious.

Because of two-factor authentication (2FA), it’s no longer enough for hackers to steal your login credentials. They also need access to your phone in order to get the one-time passcodes that unlock your sensitive accounts. With your login credentials and phone number, hackers can access just about any account that you have – including the ones that manage your money.

How to Protect Yourself Against SIM Swapping & Port Out Scams

The best way to prevent SIM swapping and port out scams is to ensure hackers cannot get access to your sensitive data in the first place. This means using strong passwords, changing them regularly, avoiding public wi-fi, and keeping your sensitive data as private as possible. That being said, if your primary defenses fail, the following techniques will help you protect yourself:

Add a PIN to your cellular account. An easy way to protect your phone number is to add a PIN to your account. This extra layer of security makes it much harder for anyone to access your account without permission. If hackers cannot confirm your identity with your secret PIN, they will be unable to make any account changes. Make sure that your PIN is difficult to guess – your birthdate and last four digits of your SSN are far too easy for hackers to crack.

Choose an alternative to SMS two-factor authentication. SMS-based two-factor authentication (2FA) is a great idea in theory, but if a hacker has access to your phone number, it will not protect you. Instead, opt for physical authentication, such as biometrics, security keys, and authentication apps (which, although digital in nature, are linked to your physical mobile device). By adding a physical layer to your security, you will make it much harder for online hackers to access your accounts.

Don’t overshare online. Data breaches tend to get blockbuster media coverage for exposing sensitive consumer data. However, a topic that’s not discussed as often is how much we sabotage our own security by oversharing. When we publicly share personal information, criminals don’t need fancy hacking skills to steal our information. A simple Google search can serve up personal data that will confirm our identity.

For example, can you guess why the following social media captions might be a security issue?

  • “Here’s a photo of my wife and me on our first date in San Diego.”
  • “So proud of my high school alma mater for making it to the state championships. Go bulldogs!”
  • “Dallas, TX – born and raised!”
  • “Happy Mother’s Day to my loving mother, Kathryn Janeway, who raised my siblings and me as a single mother.”

Each of these statements provides an answer to one of the most common security questions. These questions – such as “Where were you born?” “What is your mother’s maiden name?” and “What was your high school mascot?” – are used to confirm your identity.

This doesn’t mean that you cannot share any personal information. However, it’s important to do so with caution. Consider making this information only viewable to people in your immediate circle, instead of the entire web. Or, just keep it offline altogether.

Use obscure answers for security questions. For many of us, our personal information is already publicly available. Getting rid of this information is difficult, as the internet never forgets. However, we can be more strategic by selecting uncommon security questions or choosing obscure answers to common security questions. For example, when answering the common security question, “What street did you grow up on?” choose an answer that most people cannot guess or easily search online.

Use unique passwords for each account. If your login credentials get exposed by hackers, unique passwords will ensure the damage is contained to one account. When you reuse the same password across multiple accounts, you make it easier for hackers to wreak havoc on your identity. Use a password manager, such as LastPass or Zoho Vault, to keep track of your unique passwords, and be sure to change them regularly.

Main Takeaways

Hackers and scammers will always invent new ways to separate you from your money. Even so, protecting your data and money doesn’t need to be complicated. If you adhere to sound cybersecurity best practices, you will lessen the potential damage that hackers can wreak on your finances. Stay informed, adjust your techniques when necessary, and keep your personal information as private as possible.

 

This blog post was published by Axos Bank on February 14, 2020 and last updated on February 14, 2020.
