{"url":"https://www.clear.sale/blog/sim-swapping-how-to-protect-against-this-emerging-scam","title":"SIM Swapping: How to Protect Against This Emerging Scam","tldr":"SIM swapping is costing customers millions. Here","markdown":"As smart technology gets smarter, so do fraudsters.\n\nIn one of the latest strategies for defrauding innocent customers, fraudsters are eyeing mobile phones. As it turns out, SIM card swapping attacks present an enticing opportunity for [account takeover](https://blog.clear.sale/account-takeover-fraud-all-that-e-commerce-merchants-must-know).\n\nDuring these attacks, fraudsters take control of a victim’s phone number, bypass SMS-based account authentication, and steal credentials and cash.\n\nWhile not everybody has heard of these attacks, they’re still responsible for major losses. People in the cryptocurrency space appear to be popular targets for this kind of attack. Just last year, more than 50 victims in California [were drained](https://www.ccn.com/teen-hackers-pinch-35-million-in-california-sim-scam-crypto/) of more than $35 million, with one blockchain consultant losing his entire life savings.\n\nBecause so many e-commerce and financial sites today rely on phone-based authentication and require customers to link phone numbers to accounts, fraudsters are increasingly attracted to the account access opportunities SIM swapping offer. Here’s what e-commerce merchants and their customers need to know about the risk.\n\n## What Is SIM Swapping?\n\nSIM swapping is an account takeover fraud variation that takes advantage of a [mobile phone provider’s ability to port a telephone number](https://en.wikipedia.org/wiki/SIM_swap_scam) to a device containing a different SIM card. Because cellphones use SIM card cards for storing user data and authenticating telephone numbers and cellphone subscriptions, fraudsters can access the data on stolen cards to access sensitive accounts.\n\nOnce the cards are swapped, the dirty work happens fast. The victim may see their phone lose service, get logged out of key accounts and see bank accounts quickly drained.\n\nEven more frustrating for customers is that they think they’re taking all the right precautions to prevent this kind of fraud, like enabling two-factor authentication on apps, locking cell phones and using secure passwords.\n\n## How SIM Swapping Works\n\nIn many cases, a fraudster begins the SIM swapping scam by gathering personal data on their often-wealthy target. They’ll use phishing emails or purchase information on the [dark web](https://blog.clear.sale/what-is-the-dark-net-anyway) to trick victims into revealing information like birth dates, Social Security numbers and passwords. Fraudsters might also scour social media and public websites to harvest personally identifiable information.\n\nOnce the fraudster has enough information on the victim, they take over the victim’s identity, contacting the victim’s cellphone provider, impersonating the victim and requesting the phone company port the victim’s number to a SIM card the fraudster controls.\n\nSIM swapping may also occur directly in cell phone stores, with corrupt store employees stealing a customer’s SIM card and replacing it with a new one.\n\nWith the stolen card in hand, the fraudster can circumvent websites’ security features by intercepting texted passwords, resetting those passwords and gaining access to bank and investment accounts. Some fraudsters will cash out accounts by investing balances in bitcoins, while others create new bank accounts under the customer’s name to mask withdrawals. Attackers will likely reset passwords on other accounts as well, including those for social media, email and cloud storage sites.\n\n## How to Protect Against SIM Swapping\n\nBecause it’s so hard for customers to spot SIM swapping while it’s happening — and even harder for victims to undo the damage — it’s important for customers to be able to know how to protect their accounts.\n\n### Confirm an Email’s Legitimacy\n\nBefore they click on a link in an email that requests sensitive information, customers should hover their mouse over that link to ensure they’re being directed to a trusted source. If the link isn’t legitimate, they should report suspicious emails directly to the company from whom the email allegedly came. Many companies, like PayPal, even have a [dedicated email address](https://www.paypal.com/us/selfhelp/article/How-to-spot-fake-emails-FAQ2340#!) for customers to send suspicious communications.\n\n### Watch Your Browsing\n\nEnter sensitive data only on [secure websites](https://blog.clear.sale/post/5-Easy-Ways-to-Protect-Your-Small-Business-from-E-Commerce-Identity-Theft). Customers should look for website names that begin with “https,” have the lock symbol or have a certificate from a company like Verisign.\n\n### Set Up Alerts\n\nCustomers should ensure they have notifications set up on their phones to alert them when account information or passwords change. Some banks can link SIM card numbers to a phone’s International Mobile Subscriber Identity, ensuring one-time codes are sent only to the device on file.\n\n### Assign a PIN to Cellular Accounts\n\nThe major service providers let customers assign PINs or passwords to their accounts, reducing the risk of a hacker making unauthorized changes. It’s important to remember, though, that this approach isn’t foolproof. Store employees may have access to these numbers and can put a customer account at risk.\n\n### Protect Personal Information\n\nWhile using [two-factor authentication](https://blog.clear.sale/should-you-require-two-factor-authentication-for-your-online-store) can help customers protect accounts, text message verification may not be adequate during SIM swapping. Authentication apps or security keys may be more effective.\n\nCustomers should also avoid posting personal data online — and that includes participating in social media quizzes whose answers can help fraudsters compromise accounts.\n\nWhen it comes to fraud prevention, customers have a responsibility to monitor their accounts and information. But merchants should also put the solutions in place that can stop fraud before it does serious damage to a merchant’s reputation and revenue.\n\nIf you’re not sure you’ve got the right fraud solution in place, [contact a ClearSale analyst today](https://www2.clear.sale/contact). They can help you analyze the different [fraud protection solutions](https://www.clear.sale/resources/fraud-protection-merchant-guide) available to you and demonstrate why ClearSale’s robust hybrid approach is the solution of choice for vendors worldwide."}