We’ve previously recommended two-factor authentication (2FA) as a useful tool for protecting your online accounts on this very blog. When enabled, 2FA requires a second verification after you enter your username and password, and it helps prevent anyone who has stolen your login credentials from gaining access to your accounts. Many organizations including banks, credit card issuers and shopping websites now offer 2FA as a standard feature to customers.

Typically, the second verification comes in the form of a temporary passcode, which is sent to your mobile device. But scammers have been using a relatively new, sophisticated scam to steal phone numbers and use 2FA to access their victim’s accounts: we’re talking about SIM swapping.

According to the Federal Trade Commission, SIM swapping is on the rise, and you need to be diligent. Here’s how SIM swapping works and what you can do to protect yourself.

How SIM Swapping Works

The goal of the SIM swap scam is simple: thieves want to transfer your phone number to a new SIM card, moving your number to a phone in their possession. To do this, they will try to gather the personal information they need to successfully impersonate you to your wireless provider; this information may include your name, Social Security Number, street address, and of course your phone number.

There are many ways to get this information. Your personal data could be stolen in a data breach and sold on the dark web. Thieves may try to trick you into providing your information by impersonating a legitimate company in an email phishing scam. They may even call you, pretending to be your wireless provider.

No matter how they gain your information, scammers will use it to contact your wireless provider and impersonate you. They will ask the provider to transfer your phone number to a new SIM card, which gives them control of your number. Most wireless providers will require answers to security questions, but the SIM scammer will be prepared with information they’ve already collected.

Once your number is ported to a new SIM card, the thief will try to access your accounts – including bank accounts, social media accounts, shopping websites, and more – by resetting your password at the point of login. Companies that send 2FA verification codes via SMS will message the codes directly to your number, and scammers can use that information to get into your account. Losing service to your existing phone will be your first indication that something is wrong, and by then it might be too late.

The potential damage is enormous. A scammer could gain access to your bank accounts and use your credit cards. They could take over your social media accounts and try to scam your friends and family, or hold your accounts for ransom. They can even steal additional personal information from your accounts and use it to commit further identity theft, wrecking your credit in the process.

How to Protect Yourself

It’s important to note that SIM swapping is not a reason to stop using 2FA. As long as you aren’t the victim of a SIM swap scam, 2FA is a very useful security feature that protects your accounts. That said, there are some steps you can take to better protect yourself:

  • Don’t share personal information: be careful with the personal information you share. That goes for social media accounts, links from emails that appear legitimate, and phone calls from people claiming to work for your wireless provider. If you must share information, verify that the third party is really who they claim to be.
  • Avoid using your cell number: you should avoid linking your cell phone number to online accounts, as it leaves your number vulnerable to hackers and data breaches. You should also limit who you share your cell phone number within your personal life. When you must share a phone number, try to use a landline or Google Voice number, both of which aren’t tied to SIM cards. Also, consider removing your cell number from any accounts that currently keep it on record.
  • Use a PIN with your wireless provider: many major wireless providers like Verizon and AT&T now require a separate PIN that must be used when you contact their support team and request changes to your account. Other providers may offer this service as an optional feature; if they do, you should opt in.
  • Don’t use SMS for 2FA: the easiest way for SIM swap scams to work is if you receive authentication codes via SMS (text message). For accounts that allow it, you should consider using an app (like Google Authenticator) or a secure authentication key (like Yubikey or Google Titan). These authentication tools don’t rely on SMS and aren’t vulnerable to SIM swapping.
  • Watch your accounts: keep a close eye on all your accounts, especially your bank accounts and credit cards. Inaccurate or erroneous information landing on your credit report could be a sign of identity theft, and you’ll want to respond as quickly as possible to prevent further damage. Credit and Identity theft monitoring services can help. Regularly checking your credit report can help alert you to suspicious activity.