Thieves are targeting something just about all of us have in our pocket or purse - our cell phone. It’s called SIM swap fraud. KPRC 2 Investigates explains how criminals can steal your phone, your personal information, and your money, without ever touching your device. We’re also going to explain what you can do to help make your phone more secure.
Phones can be closed, locked and password protected, but none of that will protect a device from SIM swap fraud. A Jacksonville man, who only wants to be identified by his first name, said he lost control of his phone.
“In the middle of my workday, my phone stopped working out of the blue,” said Matt.
How does SIM swap scam work?
There are various ways a SIM swap scam can work. In Matt’s case, he took his phone to the closest T-Mobile store when it stopped working. Workers popped in a new SIM card and got it working again.
But in the short time it was inactive, thieves managed to cash checks totaling $30,000 from Matt’s bank account.
“They tried to cash three checks total of $15,000 each,” said Matt. “They were successful in getting two of those checks cashed at two different branches and luckily, on the third branch, one of the tellers had recognized the ID the gentleman was using was a fake ID.”
Special Agent David Ko of the FBI’S Cyber Criminal Squad has investigated several SIM swap cases in Houston.
“It is a very complex organization,” said Ko. “There’s tons and tons of gangs that are out there doing the exact type of thing.”
How do thieves get phone information for a SIM swap?
A SIM swap scam usually starts with some sort of data breach or hack. Emails sent from companies alerting consumers of a security breach happen so often they’re like white noise. However, experts say thieves get just enough information from those breaches to prepare to take control.
“They’ve already done a lot of research beforehand to make sure that they know what accounts you have, what email accounts you use, which banks you bank at,” said Matt.
The man told T-Mobile employees he was Matt and that he had lost his cell phone. This fake “Matt” asked employees to switch his account to a new device. It was at that moment the real Matt’s phone stopped working.
“So absolutely no function as far as calling out or receiving phone calls, text messages. Nothing worked at all,” said Matt.
That’s because all of Matt’s calls and texts were now going to the thief’s phone. As soon as the thief walked out of the T-Mobile store, he told his partners on standby at three Wells Fargo branches it was go time.
The thieves gave tellers forged checks they had made ahead of time. When bank employees called Matt’s phone to confirm he wrote the checks, the thieves answered and confirmed it was okay to cash it.
“What’s happening is all of their communication is getting routed to a different phone,” said Agent Ko. “They’ll send you a text message to verify you are who you say you are.”
Why two-factor authentication won’t stop SIM swap scam
SIM swaps essentially transfer a person’s phone to the thieves own device. Two-factor authentications will then be approved by the thieves who can change passwords to your accounts.
“Really changed the way I operate online completely,” said Matt.
But Special Agent Ko says even the most careful consumer can be a victim if cell phone companies aren’t protecting customers’ accounts.
“It would be great if more cell phone companies would have restrictions on their employees in order to make those changes,” said Ko.
We asked T-Mobile about the SIM swap that originated when this man got employees to switch Matt’s account to a new device. The company wouldn’t discuss the case, but T-Mobile confirmed it had a customer data breach earlier in 2021.
T-Mobile representatives acknowledged that SIM swap fraud “is an industry-wide problem” and encouraged customers “to contact us to discuss security measures available to them.”
“It’s a very intricate scam. And I think, you know, people need to be alert to it,” said Matt.
Matt has reported his case to the Houston Police Department, but officials say they’re still more than two months away from assigning the case to an investigator. Wells Fargo did return Matt’s money. They would not comment on Matt’s specific case but did send this information about security and fraud.
How you can prevent SIM swap scam
There are a few things you can do to make your accounts more secure so you will be less likely to become a victim if thieves swap your SIM card.
- Use a different form of communication for password confirmation
Agent Ko recommends using a Google Voice number for your 2-factor authentication, NOT the actual cell number assigned to your device.
When possible, have the 2-factor authentication go to your email instead of your cell by text or a phone call.
- Secure your google accounts
In Matt’s case and many others, thieves get into google accounts to gain access to all stored passwords. To help protect that account, Security Expert Tom Gorup with Alert Logic recommends using Google Authenticator.
This two-step verification provides stronger security for your Google Account by requiring a second step of verification when you sign in. In addition to your password, you’ll also need a code generated by the Google Authenticator app on your phone.
- Use a password manager
Besides having the same exact password for all accounts, the other really bad thing you can do is to have a document with a list of all of your passwords typed out. Gorup says using a password manager will help. This way, you don’t even have to remember the passwords, the manager will keep track and store information in a secure way.
Examples of password managers include:
Bitwarden - Your private information is protected with end-to-end encryption before it ever leaves your device.
1Password - Share logins, passwords, credit cards and more, with the people that matter most. Go ahead, forget your passwords - 1Password remembers them all for you.
LastPass - Secure every one of your passwords and store them across all of your devices.
Other tips: If you’re going to get on a public Wi-Fi network while on your phone, experts suggest using a VPN. A virtual private network keeps your data from being seen by other people using the same network.
You’ll also need to be careful about permissions you are allowing for all of your apps or websites you visit. KPRC 2 Investigator Bill Spencer explains how to protect yourself from being tracked on your phone.