SIM swapping (or SIM jacking) is one of the nastier hacks you can fall victim too. It essentially reroutes your cell number to another SIM, and another phone. Not only does it mean all of your texts and calls are going somewhere else, it also means your two-factor codes—often essential for logging into online accounts like your email and bank—are being redirected too.
The scam is pulled in the same way that you yourself would register a new SIM (Subscriber Identity Module) if you were changing carriers but wanted to keep your number, or if you had somehow misplaced your original SIM and needed a new one—only it’s not you requesting the change, it’s someone pretending to be you.
As potentially dangerous as a SIM-swap attack can be, there are ways to protect against it—and ways to try and recover access to your phone number and your accounts if you think you’ve been targeted by this specific form of hack.
How a SIM-swap attack works
The key to a SIM-swap attack is tricking your cellular service provider into swapping your existing cell number to a new SIM. Different carriers have different security checks in place to prevent this, but essentially, a scammer will need access to some sensitive information so that they can impersonate you. It could be an address, a password, or an answer to a security question.
There are a variety of ways hackers can get hold of this information—and all the usual strategies might be involved: You could be sent a phishing link over email or social media, your details might be exposed in a data breach that there’s little you can do about, or someone might spot them while looking over your shoulder in a coffee shop.
Scammers will try and move your number to a new phone.
Credit: Michelle Ehrhardt / Lifehacker
Sometimes the swap might be attempted in a physical store, sometimes over the phone via a call center, and sometimes online—it really depends on the information the scammer has managed to obtain, and how the phone company operates. Per the FBI, it can even be done by bribing someone on the inside to transfer your details.
Not every SIM-swap hack is successful, so you might find you notice suspicious behavior even though nothing has happened, such as an email from your phone carrier asking you to confirm that you want your number transferred somewhere else. Even if the scam hasn’t been fully successful, you should still take precautions in case there’s a subsequent attempt (perhaps after more data has been stolen).
How to protect against a SIM-swap attack
The techniques used to obtain personal data for a SIM-swap attack are fairly conventional, which means so are the precautions you can take to guard against it. Just being aware SIM swapping is a potential threat (and what it involves) is a good start in terms of keeping yourself safe and minimizing the risk of your own number getting stolen.
As always, to protect your data, be wary of following any links you get over email, social media, or messenger apps—double-check with the source, and where possible, head directly to a site (such as your bank’s website) to log in rather than following a link. Keep your web browser and other software up to date to get the latest security protections, and make sure your passwords are long, complex, and impossible to guess.
Use an authenticator app rather than relying on SMS codes.
Credit: Google
It’s also worth checking with your cell service provider about the precautions they have in place to stop a SIM swap. Most are now well set up to block fraudulent attempts to switch numbers. Doing an audit on the security steps needed to get into your bank account can help too. If you know the sort of details and security information needed to get into your accounts, you’re better able to spot when someone is trying to steal this data.
To make it harder for a scammer to access your digital accounts, you should have two-factor verification enabled wherever possible. As we’ve explained before, if you get the option, you should always use an authentication app for this, rather than your phone number—that way, you’ll still be able to control access to your accounts even if someone manages to steal your cell number.
Signs you’re the victim of a SIM sap attack
There are some tell-tale signs that a SIM swap has happened: Calls and texts not reaching you, you have no cell signal, and you receive alerts about suspicious activity in your accounts (for example, your bank account or your email account). It can be scary when all of these problems start to mount up, but it’s important not to panic, and to work methodically to retake control of your number.
What to do next
The sooner you start to take action after a suspected SIM-swap attack, the better. For any accounts you are still able to access, change the passwords where possible, and follow the steps for logging all other devices out of your accounts (here’s how to do that for your Apple account, for example).
Check the devices you’re currently logged into.
Credit: Lifehacker
Get in touch with your cell carrier as soon as you can—though you may have to borrow someone else’s phone to do it. As you are in fact you, you should be able to prove your identity and get something done about what’s happened. Getting in touch with your bank makes sense too; focus on recovering and securing the most important accounts first, before turning your attention to the others.
The good news is that the more widespread use of biometrics and passkeys is making it more difficult for other people to pretend to be you—though it’s by no means impossible. If you have other verified devices besides your phone, such as tablets or laptops, get these up and running as quickly as possible to report breaches and recover access to your accounts.