For many years, mobile phones have enabled people to stay in touch while out and about. The ease of sending important work e-mails before taking off on a plane, sharing photos, videos, and thoughts with followers on social media while eating dinner at a restaurant, or chatting and sending funny memes to your friends from any location in the world has long surpassed our need for privacy. Within the last decade, our banks and phone service providers have even allowed us to link our bank and investment accounts to our phones and use them to authenticate and verify our access to our online accounts. The only thing that has not taken off yet is smart locks, which would turn our phones into house keys. But maybe keys will also become obsolete soon, just like watches and wallets. We tend to forget where we left our keys all the time anyway.
Two-factor authentication and verification give us a sense of security: we believe that our online bank accounts are particularly secure and protected because no one else has control over our phones but us. After all, only we can unlock our phones with a passcode, our thumbs, or our faces. Scammers, however, can bypass two-factor authentication and verification simply by swapping the SIM card. A subscriber identity module, or SIM card, is a small card that contains a chip, which you insert into your phone to send texts and receive calls. Without a SIM card, you can only use your phone on a Wi-Fi network to use the internet or to take photos.
How does a SIM Swap work?
A SIM card swap happens when scammers take over control of your phone number by contacting your phone service provider and tricking them into connecting your phone number to a new SIM card in their possession. They will first gather as much personal information about you as they can, and then call your phone provider and impersonate you, usually claiming that they have lost or damaged their (your) SIM card and that they need to activate a new SIM card. Once your phone service provider complies with that request and activates the new SIM card, all phone calls and text messages will be redirected to the scammer’s phone. Meanwhile, you are left with a cell phone with a SIM card that does not function. You may not even realize you have lost control of all of the information on your phone unless you try to use it.
As already mentioned, in order to implement this scheme, scammers first need to gather a lot of personal information about you to be able to impersonate you. Now, you might suspect that the only person with this much information is someone close to you, but before you start accusing your spouse of any wrongdoing, know that the scammer is rarely someone we know and trust. In most cases, scammers collect your personal information through so-called phishing attacks, malware, or social media research. Phishing attacks are e-mails or text messages sent by scammers who disguise themselves as a trustworthy source in order to lure you into giving up sensitive information. For example, a scammer may send you an e-mail or a text message pretending to be your bank and warning you that it will freeze your account unless you verify your personal information. These schemes are often difficult to detect because the person or persons launching the attack seem so trustworthy and the e-mail itself seems so real.
All of us are constantly being targeted by phishing attempts. In fact, as I was writing this article, I received a text message from an unknown number, allegedly from the USPS, warning me that a package could not be delivered to me and that I needed to update my address through a link with a strange-looking domain name. Of course, I was not expecting a package, and I was immediately suspicious when I looked at the domain name of the sender. It did not appear to be a USPS domain. But what if someone who was anxiously awaiting an important package that just wouldn’t show up receives a text message like this? It is important to remember that anybody can become the victim of a phishing attack.
Similarly dangerous are e-mails that trick you into clicking on links that fill your computer with malware, which records your keystrokes, including any passwords and security question answers that you type, and transmits them to the scammer. Scammers also frequently use your social media profiles to gather information about you. For example, a scammer may be able to discover information such as your mother’s maiden name, the name of the high school you attended, your pet’s name, etc. This is information that we frequently share with our social media connections and that also happens to answer common security questions. However, even if we set our social media accounts to private settings, we can still become victims of data breaches through our social media accounts, such as when dozens of former Meta employees granted access to users’ accounts for bribes.
Once scammers gain access to your personal information, they can then convince your phone service providers that they are talking to you and that you are authorizing the phone service provider to activate a new SIM card. In most cases, you will not even know about what happened until you are missing money in your accounts, or you are no longer able to access any of your accounts because scammers have reset your passwords.
You may ask how these scammers can transfer money from your account to theirs without being detected. With the information they have gathered about you, scammers may set up a second bank account in your name at your bank, where security checks may be less robust because you are already a customer there.
SIM Swap Attacks on the rise.
In an effort to combat SIM swapping attacks, phone service providers have been working closely with law enforcement, implementing new policies, and training their employees to better recognize impersonation attempts. Despite these efforts, SIM swap scams are on the rise.
In September 2021, the Federal Communications Commission (FCC) announced that it was beginning to work on rules that would put the brakes on SIM swapping after it received numerous complaints from consumers who had suffered significant distress, inconvenience, and financial harm as a result of SIM swapping. Following this announcement, in a February 2022 public service announcement, the FBI highlighted an increase in SIM swapping scams, reporting that in 2021 alone the FBI received 1,611 reports of SIM swaps with losses of more than $68 million. In one prominent case, ten members of a criminal group aged 18-26 were arrested in multiple European countries after they illegally gained access to the phones of well-known social media influencers, sports stars, musicians and their families in the United States and stole more than $100 million. The attacks orchestrated by this criminal group targeted thousands of victims. In another case, 106 scammers were arrested, primarily in Spain and Italy, after they defrauded hundreds of victims through a wide network of money mules and shell companies. Remarkably, this large criminal network was well organized in a pyramid structure, which included different specialized areas and roles and was connected to the Italian mafia. Among the members of the criminal group were computer experts, who created the phishing domains and carried out the cyber fraud; recruiters and organizers of the money muling; and money laundering experts, including experts in cryptocurrencies.
In another fascinating case, a 25-year-old crypto scammer, Nicholas Truglia, was recently sentenced to 18 months in prison for his role in a scheme to hack a blockchain consultant’s phone by swapping his SIM and stealing $22 million in cryptocurrency. Truglia pled guilty to conspiracy to commit wire fraud and agreed to pay more than $20 million in restitution. What makes this case unique is the actions the victim took after he discovered that his account had been drained. Michael Terpin, the founder and chief executive officer of the blockchain consulting company Transform Group and a former journalist, immediately enlisted the services of an attorney to track down the scammers and was able to locate a 15-year-old teenager in New York, Ellis Pinsky. Pinsky, or “Baby Al Capone” as Terpin put it, was the alleged leader of a group that hacked his phone and stole his money.
After Terpin’s lawyers contacted the teen’s mother, the teen surrendered cash, cryptocurrency, and an expensive watch (together worth $2 million) to Terpin and told him that three other individuals, including Truglia, were also involved in the scam. Terpin proceeded to file a lawsuit against Truglia and won a judgment of more than $75 million against him, at that time one of the largest court judgments awarded to an individual in the cryptocurrency space. According to an affidavit by Truglia’s former friend, Truglia lived a life of luxury before his arrest, including private jets, sports cars, and Rolex watches. Pinsky, the teen who helped Terpin find Truglia, was never charged with a crime. Terpin has since sued his phone provider AT&T for failing to protect his personal information; trial in that case is set for this year.
Despite the U.S. and European governments’ constant efforts to combat SIM swap attacks, recent cases show that scammers have not relented and continue to target victims. An ongoing SIM card-swapping campaign by a Chinese threat actor called “Scattered Spider” is just the latest example of that trend. As reported by the cybersecurity technology company CrowdStrike, “Scattered Spider” has deployed a financially motivated “extremely persistent intrusion campaign” targeting telecommunications and business process outsourcing companies. The impact of this SIM swapping attack is not yet clear, but it can be said with certainty that many individuals will be affected by it.
SIM swapping has been an issue for years, in part because scammers keep finding people to defraud and because the proliferation of technology manifested on carrier networks presents catalysts for more attacks. As long as phone numbers carry so much power, SIM swapping will remain prevalent in our society and scammers will continue to look for ways to use our phones and our personal information against us.