While a relatively recent innovation, SIM swap scams have quickly become one of the most rampant and hard-to-trace forms of online fraud.
Fortunately, there are concrete steps we as consumers can take to minimise any kind of data breach on our mobile devices. Here we outline how some common SIM scams work, including SIM swaps, and how to protect yourself from them.
What is a SIM Swap Scam?
SIM swap scams are a type of SIM fraud where a scammer gains access to the victim's phone number and uses it to access their online accounts.
In a SIM swap, the scammer contacts the victim’s mobile network provider and persuades them to swap or ‘port-out’ the victim’s phone number from the current SIM to one in the hands of the scammer. Once this is achieved, the perpetrator can use their own device, under the victim’s name and phone number, to send messages, log into their online accounts, and otherwise upend the life of their target.
Also known as SIM swapping, these attacks are one of the most notorious and widespread methods hackers use to gain access to mobile devices. SIM swaps are a popular choice among scammers as they’re hard to detect and can be carried out completely remotely.
SIM swaps are so difficult to spot because the deception targets the phone company, not the victim.
In order to successfully convince the network provider to port-out a number, the scammer needs to provide personal information or passwords from the target – these are often obtained themselves through separate scams like phishing attacks, or purchased on the dark web.
Minimise the risks of a SIM swap by staying alert to any potential phishing attacks. Use a reliable mobile provider, avoid unsecured networks and make sure you set up device-based two-factor authentication on your smartphone, laptop, iPad, or any other devices you own with a SIM card or eSIM.
Are eSIMs Safer Than SIM Cards?
It’s important to note that neither eSIMs nor SIM cards are 100% safe from outside attack. SIM swap attacks can affect devices with eSIMs as well as SIM cards. No matter how modern your device, the most effective way to protect your data is to take the steps outlined below.
In a smartphone, the removable nature of the SIM card is itself a risk factor. It makes it incredibly easy for someone to strip the device of its connectivity and its old profile by simply discarding the original owner's SIM.
This is simply not possible with an embedded chip. An eSIM cannot be removed, and unless the person trying to change the profile knows a specific security key, they won't be able to overwrite the current profile. Not only does this make reselling stolen devices much harder, it also ensures that recovering them is easier than ever. The moment an eSIM-enabled smartphone is switched on it will have connectivity and could potentially be traced. This tracking capability would also be extremely useful on a larger, industrial scale. Vehicles, equipment, and any other hardware with eSIM connectivity are easier to locate, so accidental loss or deliberate theft can be solved faster.
As eSIM usage becomes more normalised, these benefits will be increasingly evident. Security comes from connection – from being able to keep track, stay in touch, and protect our devices. That's exactly what embedded SIMs aim to do.
Hackable Non-Phone Devices
Of course, the scams aren’t just limited to phones. Any internet-connected device can be hacked if needed. Cellular smartwatches, tablets, laptops – even cars and kitchen appliances can be equipped with eSIMs. ‘IoT’, or the Internet of Things, is an umbrella term that refers to this network of wirelessly connected appliances and gadgets.
Almost any device we think of as ‘smart’ - smart fridges, smart watches etc. - is a part of the Internet of Things and has the potential to be hacked. Where before, this technology was considered highly technical and complex to implement, today we are seeing a spike in IoT connectivity across a multitude of sectors and use cases, largely down to the rapid improvements brought about by IoT eSIMs and SIM cards.
The Role of Social Media in SIM Swap Scams
Part of the reason SIM swaps have become so widespread is the ready availability of personal information on social media. In order to persuade phone companies to port-out a number, hackers first need to impersonate a customer.
Social media has enabled the rise of SIM swaps in two key ways: it provides more publicly-available personal information, and makes it easier for hackers to convincingly impersonate others and coerce their victims into sharing private information.
An essential part of the scam requires the hacker to contact the phone company and pass themselves off as the victim. To do this, they need personal details like dates of birth, home addresses, and social security numbers. Some of these can be found on public social media profiles like Facebook or LinkedIn. Others can be coaxed out of the victim via phishing attacks or social engineering tactics. Sometimes, scammers use personal details to guess their victims' passwords.
Whereas a text from an unknown number often sets alarm bells ringing, fraudulent social media messages are harder to spot. Perpetrators can spend weeks creating legitimate-seeming social media profiles, or buying pre-made ones on the dark web, and using them to lure victims into a conversation. These can be under the guise of a new friend, a love interest (so-called "romance scams"), or even by impersonating someone known to the victim. Once they have the required details, the offender can contact the mark’s mobile provider and take control of their phone number.
Despite ongoing cleanup efforts, platforms like Facebook and Instagram are filled with fake accounts, bots and scam profiles.
To minimise the risk of scammers leveraging your social media accounts:
1. Make sure all social media profiles are set to private
2. Only accept friend or follower requests from people you genuinely know
3. Never share personal details or documents like social security numbers, addresses, or phone numbers in a DM or private message, even with someone you know – there's always a risk their account has been compromised.
4. Ensure all online passwords are random, secure and don't include private or personal information (e.g. date of birth, names of pets etc.)
Spotting a SIM Swap Scam
One of the reasons for the sudden prevalence of SIM swaps is how tricky they are to spot – the actual SIM swapping is conducted between the scammer and the victim’s phone company, not the victim themselves.
Unlike many traditional online scams, SIM swap victims often consider themselves computer-literate and well-versed in online crime. Tech journalists, high-profile crypto investors and Twitter Founder Jack Dorsey have all fallen victim to SIM swaps.
The victim-side phase of the scam can take place weeks or months before the swap itself, where the perpetrator extracts enough personal details to successfully persuade their phone company. Usually, these details are acquired through the aforementioned phishing attacks, texts (known as ‘smishing attacks’) or fraudulent messages on social media. They can also be recovered from data breaches or purchased from the dark web - in which case the victim has even less culpability.
In the event of a SIM swap, it can often take a while for the victim to realise they’ve been hacked, if at all.
In most cases, though, there are some common warning signs:
Your password for certain accounts no longer works
Your signal drops out entirely and you can no longer send SMS messages, make phone calls, or access mobile data
You are unable to log into accounts (e.g. email accounts) with two-factor authentication
Banking or credit card apps show transactions you have not made
What to do if You Fall Victim to a SIM Swap Attack
If you suspect your SIM has been swapped, the first step is to contact the phone company and explain the situation.
The second step is to contact any banking or financial services, such as credit cards, and get them to freeze all transactions until your phone number is returned. This will limit any damage and provide some breathing room while you regain control of your phone number.
The third step is to change any passwords to accounts that may have been compromised. Make sure to use secure, random and impersonal passwords.
Keep a careful note of any transactions made during the scam. Some banks and credit card providers will reimburse these costs, provided there is sufficient evidence they were made by scammers.
What Can Consumers Do to Protect Their Data?
Thankfully, there are actionable steps consumers can take to minimise the risks of SIM swaps, theft, scams or hacks. While no phone is 100% secure, following these steps will immediately bolster your online security and deter thieves.
1. Turn on 2-factor authentication. Specifically, a device-based service like the Google, Microsoft or Apple Authenticator apps. This means that if your SIM is stolen, or someone attempts to log in to your Google, Microsoft or Apple account, it will need to be verified first on your physical handset.
Authentication via SMS is better than nothing, but not nearly as secure as a device-linked service.
2. Add a passcode to your SIM card. Whether you have an eSIM or a physical SIM card, you have the option to add a passcode to it. This means that if you have a physical SIM card and it gets lost or stolen, the card will need to be unlocked with a numerical passcode before the data inside can be accessed. Loss or theft of the SIM is of course not an issue for eSIM users, but it’s still a step worth taking. Just be sure to remember your PIN.
3. Remotely erase your phone. If you suspect your phone, tablet or smartwatch is compromised, you can remotely wipe it and lock the device. Android and Apple devices both offer this service.
4. Use a secure network. If you travel often, make sure you’re not relying on unsecured or unfamiliar networks. BetterRoaming eSIMs are part of the 1GLOBAL network, which is GSMA-certified to meet the highest industry security standards in 160+ countries.
Using a Travel eSIM
Discover the ease of use, low costs and improved security of an eSIM for yourself with BetterRoaming.
We offer eSIM plans for iPads in 60 countries around the world, and phone plans in over 160. Discover our range of eSIMs here and find the perfect plan for your next journey.