The FBI Warns SIM Swapping Attacks Are Rising. What’s That?

March 18, 2023 • Zachary Amos


In February 2022, the Federal Bureau of Investigation (FBI) issued Alert Number I-020822-PSA. It’s entitled “Criminals Increasing SIM Swap Schemes to Steal Millions of Dollars from US Public” and it comes amid a general increase in cybercrime across the globe.

Cybercrime is the gravest threat to business of all fraud types, according to the World Economic Forum. The Insurance Information Institute says that 47% of American citizens experienced some kind of financial identity fraud or theft in 2020. Globally, cybercrime is expected to carry a $10.5 trillion price tag per year by 2025.

SIM swapping attacks are just one kind of cybercrime, but 2022 saw them increasing in frequency along with most other kinds of digital fraud. Here’s what you need to know.

Why Are SIM Cards Useful in Hacking Attacks?

This kind of cybercrime is also called a SIM swapping hack. So what’s a SIM swapping hack?

Actually – first – what’s a SIM card? You probably have an idea of its function, but what does it actually do and why would a hacker be interested in it?

The acronym “SIM” stands for “subscriber identity module.” This small chip contains information about your phone and its capabilities, including:

  • Its phone number
  • The type of data it can send and receive
  • The network infrastructure it’s authorized to connect to.

If you remove the SIM card from your phone, you won’t be able to connect to your cellular network – only Wi-Fi. Now, suppose you replaced the SIM card in somebody’s phone with an altered SIM card. What kind of risk would that carry? What could you do with that kind of access?

What Is a SIM Swapping Attack?

A SIM swapping attack is as simple as it sounds, at least in theory: Whether by stealth or by social engineering (convincing you to do it, or to let them do it), the hacker will replace the authorized SIM card in your phone with an altered one.

With this accomplished, the phone would then begin forwarding all received text messages, calls, and requested mobile data to the hacker’s phone.

There’s another danger, too, concerning two-factor authentication (“2FA”), also known as multi-factor authentication (“MFA”).

Because the target’s calls and text messages get diverted, so do any requests for one-time 2FA codes. In other words, a SIM swapping attack is a perfect way for hackers to circumvent “Forgot My Password” features.

The ultimate result of this level of access could be multiple compromised accounts. Once the criminal uses 2FA to get into the victim’s online accounts, they can change the passwords and lock out the authorized user. They might repeat this process for as long as the fake SIM card goes undiscovered.

What Does This Mean for Smartphone Users?

Microsoft has been warning consumers that using phone numbers for 2FA and account recovery is no longer safe for precisely this reason. The FBI has now echoed those sentiments in its February 2022 PSA.

Everybody who owns a smartphone should know how to protect themselves. Here’s how, according to the FBI:

  • Do not reveal details about financial or cryptocurrency assets anywhere online, like forums or social media.
  • If somebody on the phone requests passwords, phone numbers, PIN numbers, or similar credentials, decline to provide them. Verify on the official website for the party you’re trying to reach that the number you’ve called (or been called by) is legitimate.
  • Use unique passwords for all of your online accounts.
  • If anything looks off or suspicious about the way SMS connectivity is functioning in your smartphone, take it to an authorized location to get it evaluated.
  • For 2FA/MFA purposes, use biometrics, physical tokens, and third-party authentication apps instead of phone numbers for the most robust security possible.

If you suspect that you’ve been successfully targeted by a SIM swapping attack, get in touch with your mobile carrier right away to take back control of your phone number.

You’ll also want to change the passwords for all of your online accounts. It’s going to be a hassle, but err on the side of absolute caution. You don’t know what might’ve been accessed.

Because SIM swapping begins with a physical act, the FBI also requests that you contact a local field office to report the event. Every report makes it likelier that the perpetrator will be found and stopped.

What About the Newest iPhones and Smartphones Without SIMs?

The iPhone 14 series has no physical SIM card slot. Instead, it uses eSIM, or electronic SIM. eSIM embeds into the phone the data that would otherwise reside on the physical SIM card.

There are some advantages to eSIM – including what we’re talking about today. eSIM is more secure because it can’t be removed. The lack of a physical SIM tray means hackers have nothing to tamper with.

Switching carriers and adding extra lines is easier, too, because you can have multiple eSIMs (on compatible phones) instead of needing a smartphone with more than one SIM tray.

Some carriers don’t support eSIM yet. And eSIM can be a problem for travelers bound for countries with just one compatible carrier. In such cases, the cost of an eSIM activation and subsequent service plan could be far higher than the normal prices for carrier service.

Technologists predict that smartphones without physical SIM cards could present a headache for users and carriers for a while before things become standardized and prices for eSIM activations achieve parity with normal carrier services.

Now You Know About SIM Swapping Attacks

Maybe you’ve upgraded already and you don’t need to worry about SIM swapping attacks. For the rest of us, it’s worth heeding the FBI’s warning. Don’t leave your smartphone unattended. Be on the lookout for strange SMS behavior. Use strong passwords and don’t give them to anybody. Know how to spot phishing attempts. As always, an ounce of prevention is more valuable than a pound of cure.
