FBI Las Vegas Federal Fact Friday: SIM Card Swapping
The FBI Las Vegas Field Office wants to educate the public about SIM Swaps and their potentially devastating consequences.
According to complaints made in the last year to the Internet Crime Complaint Center, there have been over 1,650 victims of SIM Swaps with a loss amount of over $86M across the country. Nevada stands in the top ten with 42 victims losing up to $500,000. All major mobile providers were used.
What is a SIM?
A SIM, or Subscriber Identity Module is the small memory card inserted into your mobile device that allows you to make calls, send texts, and store contacts. It is unique to your telephone number. If you remove this chip, insert it into a different phone, and call your number, that phone would ring.
What is an eSIM?
An eSIM, or Embedded Subscriber Identity Module, is a piece of software installed on your device, eliminating the need for a physical SIM chip.
What is a SIM Swap?
SIM Swaps happen daily and are not always malicious. Have you ever lost your phone? If you have, you most likely walked into your mobile carrier, purchased a new phone, and were able to keep your same telephone number. Congratulations, you just completed a SIM Swap. Criminals, however, assumed their victim’s identity through social engineering to either deceive or pay-off a “plug” at the mobile carrier to port the victim’s telephone number to a SIM card and phone in control of the criminal. While eSIMs add some level of extra security, “plugs” at mobile carriers continue to aid in this crime.
How many accounts are connected to your telephone number? How many accounts have Multi-Factor Authentication? How many of those accounts have SMS Multi-Factor Authentication? A cyber criminal only needs one to assume complete control of your life. Equipped with your telephone number, a criminal can reset your email password.
Forgot Password > Text Code > Click Here to Reset Password > Log In Success
Now with access to both your inbox and telephone number, a criminal can access your bank account, cryptocurrency wallet, social media accounts, cloud storage, sensitive documents, etc. Most criminals engage in SIM Swapping for the end game of stealing a victim’s cryptocurrency, but once emptied, they pivot to other traditional financial accounts and then sell your PII to be used for other types of identity theft.
What Can I Do?
- Set a Pin. Most mobile carriers will allow you to set a pin or password that is required for changes to your account.
- Adopt strong and unique passwords across your accounts
- Stop Posting Everything. We know you were excited when SmellyCat hit it big, but posting a screenshot of your epic wallet growth damaged you more than SmellyCat’s demise. That single post showed criminals which wallet you use, how much cryptocurrency is in there, and potentially your username.
- Move cryptocurrency to cold storage
- Use Non-SMS Multi-Factor Authentication for Accounts. Instead, opt for application-based authenticators.
- Are You in a Dead Zone, or Did You Just Get SIM Swapped? Be cognizant of unexplained service lapses.
Uh Oh, I’ve Been Swapped
If you suspect that you are a victim of SIM Swapping:
- Contact your mobile carrier immediately to regain control of your phone number. This most likely will require an in-person visit.
- Place an alert on your financial accounts
- Early Notification. Once the first few cryptocurrency transfers occur, it is extremely difficult to regain these assets. Early notification to law enforcement can aid in the recovery process and investigation. Report activity to the FBI's Internet Crime Complaint Center at www.ic3.gov.