Imagine sitting at the dinner table, and your fancy new Google Pixel 7 Pro suddenly comes alive with debit alert after debit alert. You see the transactions pouring in and your account balance trickling away, but you can't do anything about it. You call for help, but the line won't connect. Texting isn't an option either.

You've become the latest victim of a SIM (Subscriber Identity Module) swap attack, and you're trapped. It's a horrific experience. Read on to find out what a SIM swap is and what you can do to prevent it from happening to you.

What is SIM swapping, and how does it work?

SIM swapping, also known as SIM jacking, is a fraudulent way of gaining access to someone's mobile number. It happens when a criminal convinces your cellular provider to transfer your phone number to a different SIM card, usually one in their possession. If they succeed, calls, texts, and internet capabilities are automatically transferred to the new card, and the old one stops working.

You would imagine something this serious would be difficult to do, but that's not entirely the case. Fraudsters can swap your SIM from the comfort of their homes, provided they have a SIM card, your personal data, and a phone to call your provider. Personal data can be collected from your social media accounts, bought on the black market from hackers, or stolen via phishing sites, which are fake sites that resemble legit sites and trick you into entering your personal information.

Once they've gathered enough info, cybercriminals call the carrier in question and present them with key details only you are supposed to know. Once they've convinced the mobile service employees they're you, they can claim they misplaced the original SIM card and request the carrier to switch the number to the SIM card in their possession.

After the swap completes, it disconnects your line, preventing you from making calls, sending texts, or accessing the internet. Plus, you can't reach your carrier and reclaim the number until you visit them in person and prove you are the account owner. It's safe to say that several of your applications and profiles would likely have been breached by then.

With SIM swapping, it doesn't matter what phone you use — although the e-SIM-only iPhone 14 may be less vulnerable to SIM-swap attacks — as the entire process takes place through your carrier.

What do fraudsters stand to gain from swapping your SIM?

In a word: Access.

Your SIM is a gate pass to many essential services. You use it to receive calls and texts, and it's most likely tied to your bank, email, and social media accounts for two-factor authentication (2FA) requests. With access to your SIM and, consequently, your profiles, fraudsters could log in to these accounts and empty them. They can also access your contacts and scam friends and family.

What about two-factor authentication?

Two-factor authentication (2FA) is designed to increase security on the internet. Rather than logging in to online accounts with a password alone, 2FA also requires you to enter a time-limited code before gaining full entry. It has been widely adopted in the industry for the extra security it provides. It makes it harder for attackers to infiltrate your accounts since they need both your password and your phone.

However, the system's strength is also part of its weakness. Authentication codes are usually delivered by email, sent to your mobile number, or generated by authentication apps, meaning whoever possesses your SIM card or phone can gain entry. This is unlike fingerprint or face IDs, which require your physical presence. Cybercriminals know this and exploit that loophole when they gain access to your mobile phone or SIM card.

What's being done?

Government entities and carriers are working to combat SIM swapping. The FCC announced in October 2021 that it was drafting rules to fight SIM swapping and port-out fraud. While that's in the works, T-Mobile has implemented some in-house protocols to improve the system. Changing a SIM card now requires SMS verification or approval from two carrier employees instead of one manager alone. It's not foolproof. Still, it's a step in the right direction.

What are the signs of SIM swap fraud?

During a SIM swap, the earlier you reverse the changes to your accounts, the better. If you notice any of the following warning signs, contact your cellular provider immediately, as you might be under attack.

  • Strange calls or texts about an unexpected change to the service. Pay attention to this and contact the carrier immediately.
  • You are locked out of online accounts linked to your phone, such as a bank or social app.
  • Your phone loses service, or you cannot receive calls or texts, even with good reception.
  • You receive phone service notifications for actions you didn't take.

What to do when you suspect a SIM swap

If you see any of the signs mentioned above, get through to your carrier as soon as possible. Every minute wasted provides the attacker more time to exploit you. A simple call to your service provider will reveal if any changes were made to your account. You can take appropriate measures from there.

However, in case of a successful swap, your line won't have cellular service, making it impossible to reach your provider. It's recommended to have a backup number you can use to make the necessary call in that case.

How to prevent SIM swapping

The cost of a SIM swap could be catastrophic. Your best bet is to take precautions to avoid falling victim in the first place. Here are a few steps you can take to stay safe.

1. Protect your phone and SIM

Most phones ship with several protection methods, including PINs, passwords, patterns, fingerprint scanners, and facial recognition. The latter two are standard in modern devices, so enable them to add another layer of security.

Aside from your phone, you should also protect your physical SIM. You can lock it with a numerical PIN that you must enter every time you restart your device. Your Android device or iPhone should allow you to create a PIN in Settings. Just make sure you don't use your birthday or that of someone important to you.

2. Lock your phone number with your service provider

Many network service providers offer Port Freeze or Number Lock to protect your mobile number from unauthorized transfer. Once activated, you can't port your number to another line or carrier unless you remove the lock, either with a PIN or by walking into the store. If your carrier allows this feature, it's an excellent way to beef up your SIM protection.

3. Use strong passwords and security questions

If you use your birthday or middle name as a password, it's time to stop. You need to use a strong password that is nearly impossible to guess. Passwords should contain at least 12 characters, including upper and lower case letters, numbers, and special symbols. It's also good practice to use different passwords for different accounts so that a breach of one doesn't become a breach of all.

But how do you remember so many passwords? You don't. Instead, store them in one of the numerous password managers available. Aside from passwords, some services let you set security questions. In that case, select queries that even close acquaintances would struggle to guess.

4. Turn on two-factor authentication

2FA is another way to add an extra layer of security to your accounts. Log in to platforms that enable 2FA, such as Google, turn it on, and that's it. You can make it more secure by eliminating the risk associated with SMS-based authentications. Instead, use 2FA applications like Google Authenticator or Authy whenever possible.

5. Enable biometric authentication on your device

Passwords, PINs, and 2FAs are great. But face and touch IDs offer a level of protection that exceeds those because they require your physical presence to work.

Whenever possible, use mobile apps and services that support two-factor biometrics. That way, even if thieves get their hands on your phone number, they won't be able to bypass the biometric barrier.

6. Limit how much personal information you share online

Fraudsters can take advantage of the most minute details to convince your carrier that they are you. So avoid posting your full name, address, phone number, and date of birth on public platforms. Also, resist the urge to overshare details of your personal life, like your pet's name, best friend's location, and favorite food, on social media. You may have included them in some online security questions to verify your identity.

7. Be wary of phishing emails, texts, and calls

Phishing is almost as old as the internet. It's a social engineering attack that's often used to steal login credentials, credit card numbers, and other user data. Phishing usually involves criminals trying to impersonate reputable institutions, such as banks, government institutions, and health offices, assuming you won't hesitate to answer their questions or scrutinize their emails because you trust these organizations.

However, your bank, the government, and reputable health offices will never ask for your personal information online. If you receive such calls or messages, hang up or delete them, even if they seem legitimate. You can always contact the agency to confirm the outreach.

Protect yourself online

Make a note of these seven tips and implement as many as possible to reduce the chances of your SIM card being swapped. Above all, enable 2FA on all your accounts, preferably using a good 2FA app, and set up biometric locks where supported. You should also consider checking your accounts to ensure none of your passwords have been leaked.