The SIM you use is tied to your phone number. If you get a new phone and want to keep using the same phone number, as is the norm, you’ll have to undergo a SIM swap. This could happen in various ways, such as inserting your SIM card to the new device or scanning a QR code provided by your mobile carrier.
But any attempt to swap your SIM without your authorization should be considered malicious. An illicit SIM swap can give an attacker access to personal information, allow them to impersonate you, and allow entry into numerous digital accounts that could be tied to your phone number—even defeating 2FA security. Read on to learn all about SIM swapping, including how to spot, report, and prevent future threats.
Jump to…
What is SIM swapping?
How do SIM swaps work?
Red flags of a SIM swap
The role of data leaks in SIM swaps
How to check if your data has been leaked
How to protect important data against leaks
What to do if you’re the victim of a SIM swap
Protect your mobile devices from SIM swaps
What is SIM swapping?
SIM-swap fraud is often referred to simply as SIM swapping or SIM-hijacking. It is used to describe an attacker attempting to transfer your phone number to another physical SIM or electronic SIM (eSIM) without your authorization. If the transfer is successful the attacker can use your SIM information to help them infiltrate your sensitive personal and financial accounts that require 2FA like an OTP via SMS.
How do SIM swaps work?
The attacker attempts to get your mobile provider to transfer your number to a SIM card on a device they hold. Once the SIM number transfers, calls and texts are routed to the attacker’s device, including OTP security codes from social media platforms, financial services, and other sensitive accounts.
This means the attacker can have access to accounts that rely on your phone number for authentication.
Signs of a SIM swap attack
It may not be easy to spot if you’ve become a victim of a malicious SIM swap, but it does throw up a few red flags. Contact your mobile provider immediately if you spot any of the following:
- Difficulty or inability to make/receive calls and texts
- Account locks due to unauthorized access attempts
- Alerts via email or prompts from accounts about access attempts
- Receiving OTPs you didn’t request via text or email
The role of data leaks in SIM swaps
A SIM swap doesn’t start when the attacker tricks your mobile provider into swapping your SIM; it begins with them scouring the web for any information they can find on you. The swap won’t work without the attacker knowing about accounts you hold, personal details, and other sensitive information—which is where data leaks come in.
For attackers planning a SIM swap attempt, people-search engines, social media profiles, and the dark web are treasure troves of personal information. They can find out your name, address, phone number (landline and mobile), email, workplace, and more. If that doesn’t work they can always use phishing, vishing, or smishing to try to obtain information about your accounts.
In the case of SIM swaps, the attacker is looking for information about your mobile carrier, account with them, and device information. Once they have enough information to trick the mobile carrier into believing the request is legitimate, they can attempt the SIM-swapping attack.
How to check if your data has been leaked
The easiest way to see if you are the victim of a data leak is to use a monitoring service. Most of these services will scan for changes in your credit, known data leaks for companies you hold an account with, and anywhere your data is found on the internet – including the dark web.
One such set of tools is ExpressVPN’s ID Defender (currently available to new U.S. subscribers). The ID Defender suite includes four identity theft protection tools, and which tools you get is determined by your ExpressVPN plan.
ID alerts
Monitors your information and notifies you of any suspicious activity including unauthorized address or phone number changes to data leaked on the dark web. That way you can take action to prevent further exposure.
ID theft insurance
Provides reimbursement for eligible losses if you become a victim of identity fraud.
Data removal
Our data removal service combs data brokers and people-search sites to find your data and takes the appropriate steps to remove it. We also fill out applicable data removal request forms and follow up on them to ensure your data doesn’t reappear on the sites.
Credit scanner
Easily monitor your credit and observe the activity influencing your credit score. Catch signs of misuse early so you can place a credit freeze or dispute the activity.
How to protect important data against leaks
Create strong passwords
Strong passwords contain 10-12 characters, including capital and lowercase letters, special characters, and numbers. Never use your first or last name or any other easily obtainable information like your nickname on social media. Avoid using sequential letters and numbers when creating passwords as they’re easy to guess.
Monitor your accounts
Regular monitoring of accounts can help you stay on top of ID, credit, and financial theft attempts. Watch your bank and credit card statements for signs of theft and alert the provider immediately if you think your account has been compromised. You may also want to consider purchasing ID theft insurance to help cover some losses if you become a victim of identity fraud.
Limit the amount of information you share online
Oversharing on social platforms like LinkedIn, Facebook, Instagram, and TikTok, is one of the main ways data gets leaked online. You put your name, hometown, high school, relatives, partner, pets, job, and plenty of other information on these sites. If you don’t limit the amount of information you put on these sites, use available privacy and security measures, and opt out of personalized content you’re essentially sharing that personal data with the entire internet.
Install a VPN
A simple, effective way of protecting your data is to install a VPN on network-connected devices – including smartphones. A VPN won’t protect against a SIM swap directly, but it hides your IP address and scrambles your traffic making it harder to track your devices and steal your data.
What to do if you’re the victim of a SIM swap
Step 1: Contact your mobile provider to report the scam and get help securing your account. Verizon, AT&T, T-Mobile, and most other major mobile carriers offer scam reporting online and have an SMS number that works even if your device has been deactivated (e.g. Verizon’s is *611). You can reach them even if the SIM swap has compromised your device. Ask them to deactivate the SIM number and remove it from your account. They can then issue your device a new physical or e-SIM.
Step 2: Disassociate your phone number from your account until the fraudulent SIM has been resolved. Try to log in to all your accounts and change your passwords, while removing 2FA if it uses your phone number for authentication. If possible, temporarily change your 2FA method from your phone number to something else, such as your email.
Step 3: Inform other relevant parties. If you have experienced losses because of the SIM swap, report it to your bank or credit card provider. If the attacker has impersonated you to friends and family members, let them know so they don’t fall for scams.
Step 4: Once the fraudulent SIM has been removed, check if your service provider offers a SIM lock PIN. This PIN will be needed to swap your SIM in the future and works like a password.
Step 5: Report the incident to authorities in your area so they can notify others of a new SIM-swapping threat, investigate it further, and provide you with additional guidance if needed.
Protect your mobile devices from SIM swaps
SIM-swapping has become one of the most pervasive attacks targeting consumers and businesses. In 2023, SIM-swapping resulted in approximately $50 million. The rise in attacks has led the FCC to consider increasing regulatory protections surrounding SIM swaps. But waiting for regulations to catch up with the times could mean you get protection too late.
Follow our simple steps for protecting your data, and what to do if you fall victim, for the best chance of preventing SIM-swapping attacks. Always report any unauthorized attempts to access your mobile account or suspicious activities. Use identity protection tools to stay on top of identity theft attempts, and protect your online data with a VPN. That way, you can regain control of your data, making it hard for attackers to get the information they need to perform a SIM swap.
FAQs about SIM swapping
What are the risks of SIM swapping?
If an attacker engages in fraudulent SIM swapping using your phone number, they can intercept calls and texts meant for you. This makes it possible for the attacker to request one-time codes for sensitive accounts that require 2FA, like banking or credit cards. This is why you must set strong passwords even if you use the enhanced protection of 2FA. Some accounts, like shopping sites, let you log in by verifying your phone number alone, making SIM swapping a significant threat.
Can you protect yourself from SIM swapping?
Yes. Never respond to suspicious data requests. Your mobile carrier will never call you requesting your account password or SIM lock PIN, they already have everything they need to access your account if required.
SIM swapping starts with attackers collecting any data they can find about you online, including your phone number. Use a VPN with strong encryption like ExpressVPN and limit the personal data you share online. VPN encryption scrambles your traffic to make it unreadable to anyone who may intercept it, helping to prevent online data leaks that could be used in cyberattacks like SIM swaps.
Does SIM lock prevent SIM swap?
A SIM lock prevents changes to the SIM without a dedicated PIN. If you put a SIM lock on your mobile device it can help prevent anyone without the PIN from making unauthorized changes, but it isn’t foolproof. SIM swapping is still possible if you have an eSIM or by using phishing to discover your SIM lock PIN. You should never give this PIN to anyone and your mobile carrier will never call you and ask for it.
How can I tell if I’ve been SIM-swapped?
The two biggest SIM swap red flags are the inability to make or receive calls and receiving OTPs you didn’t request. If you notice either of these issues, contact your mobile carrier immediately to resolve the issue before it gets out of hand.
What can I do if I’ve been SIM-swapped?
The first thing you need to do is contact your mobile provider to alert them of the scam and get the SIM number deactivated and removed from your account. At this time they can also issue a new SIM number to your device. Then continue to follow the steps in the What to do if you’re a victim of a SIM Swap section of this article.
What is a SIM swap text message threat?
A SIM swap text message threat is an unsolicited message claiming to be from your mobile carrier advising you that a new SIM card or device has been activated on your line. Don’t respond. Instead, change your mobile account password immediately. Then contact your mobile carrier and inform them you received the request. They can help you ensure your SIM and account aren’t compromised, give you additional information if necessary, and alert other consumers to the threat.
30-day money-back guarantee
