This article was written in conjunction with a student studying risk management at Old Dominion University (ODU).
While several terms could be used to identify the act of SIM-card swapping (port-out scam, SIM splitting, SIMjacking, and SIM swapping, to name a few), the act generally culminates in a single result: a perplexed victim left wondering what just happened.1
SIM-Card Swapping: What Is It?
A Subscriber Identity Module (SIM) card is a tiny electronic module that typically stores an individual's cellular account data and enables their mobile device to connect to a carrier's network. SIM-card swapping is an account takeover in which a hacker gains access to an individual’s mobile account by targeting a weakness in two-factor authentication or two-step verification.2 The hacker generally does so by obtaining a copy of the victim’s SIM card via their mobile carrier.
In January 2020, an academic study found that five major U.S. prepaid wireless carriers were vulnerable to SIM-card swapping attacks.3 Additionally, of the 140 websites and online services that the study examined, 17 were reportedly determined to be vulnerable to a SIM-card swap used to hijack a user’s account.
Given these vulnerabilities, the heavy use of smartphones across the world, and the creation of various financial applications, it may come as no surprise that the practice of SIM swapping is becoming more common.4
How do criminals execute these schemes?
One technique that a criminal could employ would be to acquire an individual’s personal information, whether through a direct phishing attack or the acquisition of this info on the dark web5, to successfully execute a SIM card scam.
A perpetrator can utilize an individual’s personal information in various ways.6 One route could involve the requesting of a new SIM card under the victim’s name, a scheme that can be executed with the victim’s stolen personal information. At this juncture, the criminal can activate the new SIM card on a cell phone of their choice. While the victim may ultimately receive a text message from their mobile carrier stating something along the lines of, “the new SIM card has been activated and if this change was not authorized call said number”, it is likely too late, and the scammer may have already accessed a wide dataset, ranging from saved passwords to the numbers and texts an individual had on their prior phone.
Other SIM scams are more sophisticated.7 In this scenario, the scammer has an individual on the inside that works for the victim’s mobile carrier. This employee could either gain access to one’s account information and pass it along, or they can take a more direct role deactivating one SIM card and subsequently activating the other. Regardless of their chosen path to gain access to one’s stored information, the criminal(s) may be able to secure access to the victim’s mobile banking and other financial applications. This could grant the criminal sole access to move the money around, and from that point they have usually achieved their main goal.8
Risk management techniques that could reduce the chances of a SIM card swap
The implementation of effective risk management techniques can help insulate individuals from being afflicted by this scam. An article drafted by the Federal Trade Commission (FTC) described various measures that can be undertaken to mitigate or avoid the chance of a SIM-card swap, including:
- “Don’t reply to calls, emails, or text messages that request personal information. These could be phishing attempts by scammers looking to get personal information to access your cellular, bank, credit or other accounts. If you get a request for your account or personal information, contact the company using a phone number or website you know is real.
- Limit the personal information you share online. If possible, avoid posting your full name, address, or phone number on public sites. An identity thief could find that information and use it to answer the security questions required to verify your identity and log in to your accounts.
- Set up a PIN or password on your cellular account. This could help protect your account from unauthorized changes. Check your provider’s website for information on how to do this.
- Consider using stronger authentication on accounts with sensitive personal or financial information. If you do use Multi-Factor-Authentication (MFA), keep in mind that text message verification may not stop a SIM card swap. If you’re concerned about SIM card swapping, use an authentication app or a security key.”9
Another tool reportedly used to help strengthen the protection of personal and commercial accounts is a two-factor security method that requires a physical device, such as a hardware token, rather than SMS-based verifications that have reportedly become prone to being hacked.10 The additional security enhancement is derived from the fact that the hardware authenticator will be in an individual’s possession, thus eliminating the possibility of a cyber breach.11
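The caution above, that text-message verification may not stop a SIM card swap, can be checked account by account. The following Python sketch is an added example, not part of the original article or the sources it cites: it rates whether someone who controls only the victim's phone number could get into an account. The account names, factor labels and the three ratings are assumptions made for illustration.

```python
from dataclasses import dataclass

# What an attacker holds after a SIM swap: anything delivered to the phone number.
SIM_SWAP_FACTORS = frozenset({"sms", "voice_call"})

@dataclass
class Account:
    name: str
    second_factors: frozenset  # second steps accepted at login (empty = password only)
    recovery_paths: tuple      # each path = set of proofs that together reset the password

def can_reset_password(acct, held=SIM_SWAP_FACTORS):
    # A recovery path is open if the attacker holds every proof it demands.
    return any(path <= held for path in acct.recovery_paths)

def sim_swap_exposure(acct, held=SIM_SWAP_FACTORS):
    reset = can_reset_password(acct, held)
    # Any accepted phone-based second step can be chosen by the attacker,
    # even when an app or security key is also enrolled.
    phone_2fa = bool(acct.second_factors & held)
    second_step_passable = phone_2fa or not acct.second_factors
    if reset and second_step_passable:
        return "takeover"      # the phone number alone is enough
    if reset or phone_2fa:
        return "weakened"      # one of the two layers falls to the swap
    return "not exposed"

# Constructed sample accounts (hypothetical, for illustration only).
ACCOUNTS = [
    Account("bank", frozenset({"sms"}), (frozenset({"sms"}),)),
    Account("shop", frozenset(), (frozenset({"sms"}),)),
    Account("email", frozenset({"totp_app", "sms"}), (frozenset({"email_link"}),)),
    Account("forum", frozenset({"totp_app"}), (frozenset({"sms"}),)),
    Account("broker", frozenset({"totp_app", "security_key"}),
            (frozenset({"sms", "id_document"}),)),
]

def audit(accounts=ACCOUNTS):
    return {a.name: sim_swap_exposure(a) for a in accounts}

if __name__ == "__main__":
    for name, rating in audit().items():
        print(f"{name:8} {rating}")
```

The "email" and "forum" rows show why enrolling an authentication app is not enough on its own: an SMS fallback at login or an SMS-only password reset leaves one layer dependent on the phone number.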
First-hand experience: ODU student Brandon Flores details his risk management journey
Fortunately, various websites offer different layers of protection and security to help ensure an individual’s personal and financial safety, one example being the creation of a PIN number both through individual sites as well as one’s mobile provider.
How do I know this? I fell victim to a phishing e-mail that compelled me to assess my security options. After doing some research, I ultimately ended up adding a PIN number to my bank account to enhance the security. This extra layer of verification came in the form of a code word that needed to be mentioned any time I called my bank with questions or requests for service. Empowered by the additional peace of mind this security granted me, I then proceeded to add a PIN and code word to my account with my cellphone carrier as well (different codes than my bank account, of course!).
As these SIM-card swapping schemes show, criminals continue to display high levels of creativity and resourcefulness when it comes to exploiting technology for their gain. However, prudent risk management could help mitigate the possibility of these attacks being successful.
Old Dominion University Student Contributor: Brandon Flores
1. Catherine Lennon, “SIM Swap Attack – the New Hijack,” Guard Well, October 31, 2019, <https://guardwellid.com/sim-swap-attack-the-new-hijack/>, accessed on May 12, 2020.
2. Brian Barrett, “How to Protect Yourself Against a SIM Swap Attack,” WIRED, August 19, 2010, <https://www.wired.com/story/sim-swap-attack-defend-phone/>, accessed on May 12, 2020.
3. Kevin Lee et al., “An Empirical Study of Wireless Carrier Authentication for SIM Swaps,” Is SMS 2FA Secure?, January 2020, <https://www.issms2fasecure.com/assets/sim_swaps-01-10-2020.pdf>, accessed on May 12, 2020.
4. Jason Cipriani, “SIM swap fraud: What it is, why you should care and how to prevent it,” CNET, March 30, 2020, <https://www.cnet.com/how-to/sim-swap-fraud-what-it-is-why-you-should-care-and-how-to-prevent-it/>, accessed on May 12, 2020.
5. Dan Patterson et al., “We found our personal data on the dark web. Is yours there, too?”, CBS News, March 25, 2019, <https://www.cbsnews.com/news/we-found-our-personal-data-on-the-dark-web-is-yours-there-too/>, accessed on May 12, 2020.
6. Martin Kaste, “’SIM-Swap’ Scams Expose Risks of Using Phones for Secondary I.D.,” NPR, October 25, 2019, <https://www.npr.org/2019/10/25/773199525/sim-swap-scams-expose-risks-of-using-phones-for-secondary-i-d>, accessed on May 12, 2020.
7. Ibid.
8. Ibid.
9. Alvaro Puig, “SIM Swap Scams: How to Protect Yourself,” Federal Trade Commission, October 23, 2019, <https://www.consumer.ftc.gov/blog/2019/10/sim-swap-scams-how-protect-yourself>, accessed on May 12, 2020.
10. David Murphy, “Secure Your Accounts and Passwords With a Hardware Token,” Life Hacker, October 29, 2018, <https://lifehacker.com/secure-your-accounts-and-passwords-with-a-hardware-toke-1830063430>, accessed on May 12, 2020.
11. Ibid.