What is SIM Swapping?

Imagine this scenario. Your SIM card is 'swapped' by an attacker who has deceived your mobile operator, and you lose control of your phone number. The hacker receives all incoming calls and SMS messages, including two-factor authentication codes. This opens the floodgates for infiltrating your email accounts, social media, banking apps, crypto exchange platforms... and emptying your assets or stealing your digital identity. It's not hard to imagine as it occurs often and is very difficult to recover from.

How does SIM swapping work?

SIM swapping, also known as 'SIM hijacking' or 'SIM splitting', is a formidable hacking technique that involves taking control of a victim's phone number by obtaining a duplicate of their SIM card. To achieve this, the fraudster impersonates the victim when contacting their mobile operator, claiming to have lost their phone or had it stolen. Their goal is to obtain a new SIM card that allows them to receive all calls and SMS messages intended for the victim, which includes valuable two-factor authentication (2FA) codes. Once in possession of these codes, the hacker can reset passwords and take control of their victim's most sensitive accounts: email, social media, online banking, and cryptocurrency exchange platforms. The consequences can be catastrophic: theft of personal data, emptied bank accounts or cryptocurrency wallets, blackmail, etc.

How do you know if you've been a victim of SIM swapping?

There are several telling signs that should alert you if someone is using your SIM card without your knowledge following a SIM swap:

Sudden loss of mobile network

You no longer receive a signal despite being in an area with normally good coverage. You can't make calls or send SMS messages, even after restarting your phone. This indicates that your SIM card has been deactivated and your number transferred.

SMS or calls made without your knowledge

When checking your call log and SMS history, you notice activities you didn't initiate. SMS messages have been sent from your number to unknown recipients. Calls have been made to foreign numbers. There’s likely a second device using your number.

Suspicious login notifications

You receive emails or alerts informing you of new logins to your email accounts, social media, banking apps, or crypto-trading platforms. The problem is that you haven't logged in at that time, or the login comes from an unusual device or location (another country, for example).

Failed SMS authentication

When trying to log into an account protected by SMS two-factor authentication, you don't receive the code needed to validate the login. Either the SMS never arrives, or it's rejected. This means the hacker is receiving and using the code instead of you to infiltrate the account.

Contacts reporting strange requests

Your friends, family, or colleagues contact you, puzzled by odd messages supposedly from you. They've been asked for money, confidential information, or questionable favours by someone pretending to be you. This is the signature of an impersonator trying to exploit your identity and relationships.

Individually, each of these events might have an innocent explanation. However, if several of these signs accumulate, particularly the loss of network coupled with suspicious notifications, urgent action is needed. There's little doubt - you should contact your mobile operator to block your line and any compromised accounts.

How does a SIM swap scam work?

A SIM swapping attack can last from a few minutes to several hours, depending on the fraudster's speed and determination to take control of their victim's accounts. This timeframe is often sufficient to empty bank accounts and crypto wallets or extort money from contacts whilst impersonating the victim. Here's how hackers operate.

Step 1: Digital stalking

Everything begins with an in-depth reconnaissance of the victim. The hacker methodically gathers personal information about their target by exploiting different sources:

  • Social networks (particularly Facebook, Instagram, and LinkedIn) where many people unknowingly over-expose their private lives: birth dates, addresses, phone numbers, names of pets or children.

  • Social engineering techniques targeting the victim's personal or professional contacts. By posing as a service provider, a friend of a friend, or a colleague, the hacker cleverly extracts new information, cross-referencing until they build a very complete profile.

  • Purchasing data from leaks and hacks, sold on the dark web. Many sites and companies regularly have their customer databases stolen. A real treasure trove for SIM swappers.

  • Hacking the target's devices (computer, mobile, tablet) using malware to retrieve photos, passwords, and login credentials. Access to the victim's email inbox is their preferred method.

This relentless digital stalking allows the attacker to gather sufficient credible identity elements to take action.

Step 2: Retrieving the number from the mobile operator

Armed with credible identity elements, the fraudster contacts their target's mobile operator whilst impersonating them. The objective is to convince the operator to transfer the victim's number to a new SIM card in the fraudster's possession. To achieve this, the fraudster claims to have lost their phone or had it stolen and persistently demands a new card. To make their story credible and overcome any potential hesitation from the advisor, the bad actors use several "social engineering" techniques:

  • They overwhelm the agent with personal information (name, surname, date of birth, address) and contract numbers to prove they are indeed the legitimate line holder.

  • They don't hesitate to raise their voice, cry, and apply intense emotional pressure.

  • In some cases, the hacker will have prepared false identification documents to support their request. Increasingly sophisticated counterfeit papers are in circulation, often ordered on the dark web.

  • Finally, the attacker might resort to corruption, securing the services of an operator employee willing to fraudulently process the transfer for payment.

Step 3: Locking the victim's access

Once the new duplicate SIM card is obtained and activated, all calls and SMS messages intended for the victim will be redirected without their knowledge to the hacker's mobile. They also receive the crucial two-factor authentication (2FA) codes by SMS. As soon as they receive these first 2FA codes on their phone, the hacker knows the impersonation has worked. They can now infiltrate the victim's accounts one by one by requesting password resets via SMS and validating the procedure using these codes. This allows them to quickly take control of their target's email accounts, social media, banking applications, cryptocurrency wallets, and lock access by changing passwords and recovery mechanisms. Meanwhile, the real owner finds themselves without mobile network coverage, and thus unable to receive any calls or SMS alerts about suspicious login attempts. The trap closes.

What are the consequences for victims?

SIM swapping is a genuine digital fragmentation bomb and its damage is often felt for a long time.

Direct and indirect financial losses

The immediate damage is financial. By taking control of their target's bank accounts and cryptocurrency wallets, attackers naturally seek to steal as much money as possible. And the stolen amounts can be substantial, especially if the victim held significant sums in crypto assets. Several SIM swapping cases have resulted in the theft of millions of dollars, such as crypto investor Michael Terpin, who was robbed of 24 million dollars. But beyond these direct losses, victims often suffer indirect losses too, such as an inability to access their accounts, costs of procedures to prove identity theft and regain control, legal fees to seek compensation, and a loss of the ability to continue working.

Identity theft

Beyond the financial aspect, one of the most distressing consequences for victims is the long-term loss of control over their digital identity. This begins a real uphill battle, often lasting several weeks or months, trying to prove legitimacy to telecom operators and various platforms. Without the phone number associated with the account, recovery procedures are complex. Victims must accumulate evidence (bills, statements, official documents), chase multiple sometimes uncooperative contacts, face rejections, etc. During this time, the victim's data remains at the mercy of hackers, and their contacts observe abnormal behaviour on their accounts, which can be very damaging to their reputation.

Psychological and reputational consequences

The psychological impact of this new form of cybercrime should not be underestimated. It's an extremely violent intrusion into private life. Seeing one's most intimate data (photos, messages, documents) stolen, conversations spied upon, or identity usurped is a trauma that can permanently affect one's relationship with digital technology and self-confidence. Many victims report post-traumatic stress, anxiety, and insomnia. This is particularly true as the consequences can also affect reputation, especially when hackers use compromised accounts to spread embarrassing content or make problematic statements in the victim's name. It's not uncommon for them to attempt to extort contacts using intimate photos or to scam close ones by impersonating the victim in need. Difficult-to-erase rumours and suspicions can emerge, particularly in professional settings.

Why is the damage often so difficult to prove and repair?

One of the most frustrating aspects for many SIM-swapping victims is the difficulty in obtaining justice and compensation after suffering damages. Indeed, taking legal action against telecom operators or banks for negligence and security failures often resembles a legal nightmare. First, one must succeed in proving their good faith and lack of responsibility. When scammers are based in uncooperative foreign jurisdictions, tracking stolen funds, often quickly laundered and dispersed through multiple cryptocurrencies and tax havens, is frequently an impossible mission for individuals. As for obtaining decent compensation from operators or banks, it's often another war of attrition, with little hope of resounding victory. In short, the remedies are limited and the procedures are discouragingly lengthy and complex.

The Michael Terpin case

In 2018, crypto investor Michael Terpin had 24 million dollars in Bitcoin and other cryptos stolen. Hackers convinced his operator AT&T to transfer his line to their phone, thus intercepting his authentication SMS messages. Terpin only realised the SIM swap too late, once his accounts were emptied. Despite two years of legal battle and 200 million in damages awarded against AT&T, the funds were never recovered. An emblematic case of SIM-swapping devastation.

The FTX hack 

In November 2022, the FTX platform suffered a 400-million-dollar hack during its collapse. According to the FBI, a gang of SIM swappers allegedly impersonated a female executive by taking control of her AT&T line. One of the hackers, a woman named Emily Hernandez, went to an AT&T shop in Texas. Using a fake ID in the name of an FTX employee but bearing Hernandez's photo, she managed to take control of this employee's mobile account. They were thus able to intercept her 2FA codes and empty FTX's wallets. The funds were then allegedly laundered through Russian accomplices. The case illustrates the growing sophistication of SIM swappers, capable of targeting even the largest crypto players.

How to protect yourself against SIM swapping?

Protect your sensitive information

The first precaution is to never communicate sensitive information over the phone. If a supposed advisor asks for it, hang up and call the company's official number back. Also, be wary of SMS messages urging you to call a service number.

Improve your two-factor authentication

Whenever possible, favour two-factor authentication (2FA) methods other than SMS. In other words, prefer:

  • Authentication apps like Google Authenticator, Authy or LastPass.

  • Physical security keys like YubiKey or Google Titan.

  • Biometric face recognition (like FaceID) or fingerprint recognition.

Strengthen your number security

Check with your operator that your phone number has adequate protection. Add a password to your account, set up a secret question, and request systematic identity verification before any changes. Also, regularly check your customer file to spot any anomalies (SIM change or number transfer).

Limit public access to your profile

Be vigilant about personal information you publish online. The less fraudsters know about you, the harder it will be for them to impersonate you. Remember to lock your social media profiles.

What to do if you have doubts?

First thing to do: immediately contact your mobile operator. Check your SIM card status and report the fraud. Insist on having your number blocked and obtain a new SIM card in person. Then, log into all your sensitive accounts: emails, social media, banks, exchanges, etc. Systematically change your passwords. Opt for strong and unique passwords for each account. If possible, activate two-factor authentication (2FA) via an app like Google Authenticator, rather than SMS. Also file a complaint with the authorities without delay. Build a case file with all evidence of fraud to support your complaint, in particular conversations with the operator, screenshots, and statements. Also contact your banks and crypto asset managers (exchange platforms and wallets) to report the scam. Block your cards and unauthorised transfers. Change recovery phrases and activate robust 2FA if possible. Finally, closely monitor your accounts in the following weeks. Be alert to any suspicious movement. And don't hesitate to communicate with your contacts if they receive dubious requests in your name.

Does blocking the SIM card prevent SIM swapping?

The PIN code associated with your SIM card is a 4-digit code requested each time you start your phone. Its role is to prevent anyone who gets hold of your mobile from using your SIM card, making calls or sending SMS messages in your name without knowing this code. However, this measure is completely ineffective against SIM swapping. Indeed, the main characteristic of this attack is that the fraudster obtains a duplicate of your SIM card directly from your operator. They convince the telecom operator, often through social engineering techniques and fake documents, to deactivate your SIM card and activate a new duplicate card that is in their possession.

Can banks detect a SIM swap?

Technically, banks have the ability to detect certain telltale signs of SIM swapping on their customers' accounts. Anti-fraud monitoring systems can be alerted by a sudden change in the phone number associated with the bank account, used for two-factor authentication. The same applies to login attempts from a new device never used before by the customer, especially if followed by unusual transfer requests. The remote IP address is also analysed. However, in practice, these suspicious events often fly under the radar for several reasons: at some online banks, verifications for number changes are insufficient. A simple call or online form may suffice, without ID. Worse, the SIM swapper can bypass detection by using a device already known to the victim (obtained through malware) and connecting from their usual IP address via a VPN. Even when an alert is triggered, the response isn't always quick enough to block the first fraudulent transactions initiated by the hacker.
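The monitoring signals described above, written out as a detection rule. This is an added example, not code from Bitpanda or from any bank; the event fields, the 24-hour hold window and the decision names are assumptions. Because the text notes that a known device and usual IP address can be reused, a recent number change alone puts transfers on hold.

```python
from datetime import datetime, timedelta

HOLD_WINDOW = timedelta(hours=24)  # assumed cooling-off period after a number change

# Constructed sample events for one customer, in chronological order.
EVENTS = [
    {"t": "2024-03-01T09:00", "type": "login", "device": "phone-A", "ip": "198.51.100.7"},
    {"t": "2024-03-01T09:05", "type": "transfer", "amount": 50},
    {"t": "2024-03-09T02:10", "type": "phone_changed"},
    {"t": "2024-03-09T02:14", "type": "login", "device": "laptop-X", "ip": "203.0.113.50"},
    {"t": "2024-03-09T02:20", "type": "transfer", "amount": 9000},
    # Bypass case from the text: known device and usual IP address.
    {"t": "2024-03-09T03:00", "type": "login", "device": "phone-A", "ip": "198.51.100.7"},
    {"t": "2024-03-09T03:02", "type": "transfer", "amount": 4000},
]


def review_transfers(events, known_devices, known_ips, window=HOLD_WINDOW):
    """Return (timestamp, decision, reasons) for every transfer event."""
    devices, ips = set(known_devices), set(known_ips)
    phone_changed_at = None
    session = {}  # flags of the most recent login
    results = []
    for ev in events:
        now = datetime.fromisoformat(ev["t"])
        recent_change = phone_changed_at is not None and now - phone_changed_at <= window
        if ev["type"] == "phone_changed":
            phone_changed_at = now
        elif ev["type"] == "login":
            session = {"new_device": ev["device"] not in devices,
                       "new_ip": ev["ip"] not in ips}
            if not recent_change:  # never learn trust during the hold window
                devices.add(ev["device"])
                ips.add(ev["ip"])
        elif ev["type"] == "transfer":
            reasons = [name for name, hit in (("recent_phone_change", recent_change),
                                              ("new_device", session.get("new_device")),
                                              ("new_ip", session.get("new_ip"))) if hit]
            if recent_change:
                decision = "hold"      # a number change alone is enough
            elif reasons:
                decision = "step_up"   # re-verify through a non-SMS factor
            else:
                decision = "allow"
            results.append((ev["t"], decision, reasons))
    return results


if __name__ == "__main__":
    for row in review_transfers(EVENTS, {"phone-A"}, {"198.51.100.7"}):
        print(row)
```

The third transfer is held even though it comes from the enrolled device and IP address, which is the case a device-only rule would miss.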

Conclusion

As you will have understood, SIM swapping victims often suffer an avalanche of devastating consequences on financial, practical, psychological and reputational levels. And remedies are often slim. This is why prevention remains the watchword against this protean threat of SIM swapping. If you're a crypto investor, you need to ensure the security of your cryptocurrencies even more carefully! 

Using a secure exchange platform doesn't directly protect you against SIM swapping itself. Indeed, SIM swapping targets your telephone operator, not the platform itself. However, choosing an exchange platform with Bitpanda's level of security provides several security guarantees. You are notified by email of any password reset request, and can react with one click (or call) if you suspect something suspicious. The list of your open sessions also allows you to keep an eye on all devices and browsers connected to your account.

Stay safe and informed with Bitpanda Academy

Crypto scams are constantly evolving, but knowledge is your best defence. The Bitpanda Academy offers many resources to help you stay secure in the crypto world, covering common crypto scams, the biggest risks in investing and more.

This article does not constitute investment advice, nor is it an offer or invitation to purchase any digital assets.

This article is for general purposes of information only and no representation or warranty, either expressed or implied, is made as to, and no reliance should be placed on, the fairness, accuracy, completeness or correctness of this article or opinions contained herein. 

Some statements contained in this article may be of future expectations that are based on our current views and assumptions and involve uncertainties that could cause actual results, performance or events which differ from those statements. 

None of the Bitpanda GmbH nor any of its affiliates, advisors or representatives shall have any liability whatsoever arising in connection with this article. 

Please note that an investment in digital assets carries risks in addition to the opportunities described above.