How Scammers Can Use SIM Swapping to Steal Your Phone While It's Still In Your Hand

Perhaps the most dangerous thing about SIM swap fraud is how unbelievable it seems. Could a complete stranger convince your phone carrier to give them access to your phone? And get away with it?

According to the FBI, more than 2,000 people were victims of SIM swap fraud in 2022, with losses that totaled north of $72 million.1 Though these are small numbers relative to investment scams or credit card fraud, they are still startling, given that 2022 was the first year of reported SIM swap activity. In what was likely the highest profile case of the scam, former Twitter CEO Jack Dorsey was a SIM swap victim in 2019.2 In that case, the hackers were after access to his social media account, a common use of the scheme for celebrities and high-profile online influencers. But everyday folks should be more worried about what happened to a Colorado man who reported $24,500 stolen from his bank account after his smartphone's SIM card was fraudulently swapped in March.3

Here's what everyone with a mobile phone — which includes 97% of Americans — should know about this unusual form of fraud4 and what protective measures can be taken to feel more secure.

What Is SIM Swap Fraud?

SIM swap fraud is when a cybercriminal manages to transfer control of your incoming calls and texts over to a phone they control. Their goal is often to gain access to your financial accounts by triggering a multi-factor authentication (MFA) text that they receive after they commandeer your phone.

How Does SIM Swap Fraud Work?

SIM swap fraud is a complex scheme that typically begins with a criminal targeting a victim through their online presence.5 They gather seemingly harmless information about the person, from the names of their family members to their phone number to where they were born.

Once they have enough information, they contact the victim's mobile carrier. Using the data they've gathered, they trick the carrier into believing they are the account owner by answering security questions. They tell the carrier that they have lost or damaged their original SIM, or subscriber identity module, card. This is the chip inside your phone that identifies it as yours and routes calls and texts to you. The scammer asks the carrier to fix the issue by activating a SIM card they have on hand as a replacement. When the carrier complies, the criminal receives all future calls and texts.

After all that work, the financial fraud can begin. The scammer attempts to log into the victim's financial accounts, triggering an MFA request, which texts a code to the account owner's phone. The scammer receives the code instead and is then able to log into the account themselves.

How Can You Protect Yourself?

When Dorsey's phone was hacked in 2019, a security professional told the New York Times, "I've been looking at the criminal underground for a long time, and SIM swapping bothers me more than anything I've seen. It requires no skill, and there is literally nothing the average person can do to stop it."2 As frightening as that may be, there are reasons to feel less exposed to SIM swap fraud than to other cybercrimes. The first is that in November 2023, the Federal Communications Commission (FCC) adopted new rules that:

• "require wireless providers to adopt secure methods of authenticating a customer before redirecting a customer's phone number to a new device,"
• "immediately notify customers whenever a SIM change … is made," and
• "take additional steps to protect customers" from SIM swap fraud.6

Avoiding Being Targeted by SIM Swap Scammers

While there may be little an average person can do to entirely stop a cybercriminal from stalking them online, there are actions you can take to lower your odds of being targeted including:

• Avoid responding to or clicking on links in emails or texts from anyone you don't know or aren't expecting. Phishing is one way hackers gather the data they need to access your phone's account.7
• Don't talk about your financial life or personal assets online, which can attract scammers.
• Avoid sharing your phone number, address, or other identifying information on social media.
• Set up a PIN number for your phone's account with your carrier, and make sure it's a strong PIN that someone who knows a lot about you couldn't guess.
• Check with your carrier about SIM swap fraud protections. Some have security services you can enable to provide you with an extra layer of protection.8

Protecting Your Finances When SIM Swapping Occurs

There are also steps you can take to minimize the damage to your financial accounts if someone were to gain access to your phone, including:

• Enable MFA that doesn't rely on texts. Depending on the financial services provider, you can request MFA codes be sent directly to an app or your email, or even use a separate device to generate your own codes.7
• Ask your financial providers about behavioral analysis technology, which can analyze customer behavior and avoid texting login credentials when behavior seems off.8

How to Know If You're a Victim

Signs that you may be a victim of SIM swap fraud include:

• Calls and texts aren't working on your phone. This can mean that your SIM card has been fraudulently deactivated.
• You receive a message from your carrier about a new SIM card activation.
• Suspicious activity appears on your financial accounts, from unauthorized transactions to the inability to log in.

What to Do If You're a Victim

If you believe your SIM card has been fraudulently swapped, the Federal Trade Commission recommends that you:7

• Contact your mobile carrier immediately to regain access to your phone and change your account credentials.
• Check all financial accounts for authorized charges, report them to the financial institution and change all login credentials.
• If you see any signs that a criminal may have access to your account number or personal information, visit IdentityTheft.gov to find specific actions to take for the loss of each type of data compromised.

More You Can Do With Synovus

The best way to protect yourself is to learn to identify common red flags, listen to your gut and take action. Remember: No bank, including Synovus, will ever call or email you to ask for your personal information.

Things to look out for:

• You receive a call or text from a bank, but the person doesn’t have basic information you’d expect them to have, like your social security number, account number, or mailing address.
• The caller claims they’re from a bank you do business with, but something doesn’t sound right. They may mispronounce things or have an extreme sense of urgency to get you to act quickly. Caller ID may be used to convince you the call is legitimate. DO NOT trust that the person on the other end is who they say they are. Call the organization back so you know the call is credible.
• If you think you’ve been a victim of fraud, call 888-SYNOVUS (796-6887) immediately.

While the odds of becoming a victim of SIM swap fraud are low and companies and regulators are clamping down on the scam, every mobile phone user should still be aware of this alarming crime. While many other forms of cybercrime share similar prevention and detection techniques, the unique nature of SIM swap fraud reminds consumers that there are always new threats and new steps to take to protect themselves from fraud.

Enroll in Credit and Identity Protection Services

As a Synovus Plus, Synovus Inspire, or Synovus Private Wealth customer, you can enroll in complimentary Credit and Identity Protection services. With this service, Synovus will monitor your credit reports and notify you any time any changes are made. Synovus will also scan the web to make sure your personal information hasn't been compromised by checking websites, blogs and peer-to-peer networks. Synovus also offers full-service identity restoration if you become a victim of identity theft.

Want to know more about how you can achieve peace of mind as a Synovus customer? Learn more.