Port-Out Scams and SIM Hijacking: How to Protect Yourself
Fraud and identity theft are nothing new to cellular carriers and cell phones, but you may not be aware of all the potential dangers you can face through cell phone phishing and other scams, or the preventative measures you can take to avoid getting your information stolen. Below we explain exactly what “port-out” and “SIM-hijacking” scams are and how you can avoid being a victim of one yourself.
Written by Erik Hyrkas
What is a Port-Out Scam?
A port-out scam, or unauthorized mobile phone number porting, is one where a fraudster uses your stolen cellular account information to transfer (or “port”) your phone number and account to another carrier in order to take control of your phone while also shutting down your account.
How Does a Port-Out Scam Work?
Normally when you switch cellular carriers, you bring your phone number with you—a process called “porting.” When you port out your number from one carrier to another, this shuts down your current account and opens another.
With a port-out scam, scammers exploit this process by using phished or stolen account information to do the same without your authorization.
Depending on your carrier, all a scammer needs for a port-out scam is your:
- Phone number
- The last four digits of your social security number
- Your account login information
In 2018, a San Francisco father had $1 million stolen after a hacker successfully ported his phone number, giving the hacker complete access to the victim's information.
The Process of a Port-Out Scam
- After successfully gathering information about your cellular account (acquired from you directly via phishing or found online), a scammer, posing as you, takes your information to another carrier and requests to port your number to a new account and cell phone. The scammer will report your phone as either lost or stolen.
- If the cellular carrier does not require a security PIN number or passcode, or the scammer passes any identity verification measures, the scammer may successfully port your number to a new device and carrier without your knowledge, shutting down your own phone’s cellular service.
- The scammer, now with exclusive access to your phone number, can potentially gain access to your online accounts via two-factor authentication (2FA) codes or keys texted directly to your phone number. This can happen faster than you may think (in just a few minutes or hours), with little time to stop it, find out who is doing it, or contact anyone for help.
What is SIM Hijacking and How Does It Work?
In 2018, T-Mobile warned their customers of ongoing port-out scams after 2.3 million people had their information stolen from their website.
Another way scammers can complete a number porting scam is by requesting a new SIM card from your carrier. This is called SIM hijacking or SIM swapping.
- Like before, a scammer (posing as you) will use your personal information to request the new SIM card, put it into their own device, and effectively disable your current device.
- With sole access to your current phone number, any incoming texts or phone calls will go directly to the scammer.
- In the end, SIM hijacking has the exact same result as a port-out scam. The scammer can now potentially gain access to any online accounts that use your phone number for two-factor authentication via phone calls, one-time passwords, or other temporary keys.
Because online security has changed, having access to your email address and password isn’t enough for a hacker to get into your email, bank account, or cloud storage. With the advent of two-factor authentication (2FA) security features, scammers need your phone number so they can intercept text messages and phone calls that include security codes granting access to your accounts.
With 2FA, or two-step verification, a temporary password or passcode is created when you attempt to reset or to log into a website from an unknown device. These temporary codes are often sent to a designated cell phone number via text message, a phone call, or even through a phone app. If a scammer can gain access to your phone number, they can receive these codes and hack into any of your online accounts.
For example, this is how Google’s “2-step verification” works:
- You, or someone posing as you, attempt to log into Gmail from a computer or phone you haven’t used before.
- Gmail doesn’t recognize your IP address and activates 2-step verification.
- Gmail sends you a text message (or a phone call) with a temporary login code in order to verify you are the owner of your email account.
- After Google sends the code, you or a scammer can use this code to log in and/or reset your password.
Online marketplaces are one of the most common places to encounter scammers, along with public forums, via scam phone calls, and also through email phishing scams.
Port Scams via Online Marketplace
If you were to post an ad for a household item on Craigslist or Facebook Marketplace, any personal information included in your item’s advertisement, such as your name, address, or phone number, can be used by scammers. They’ll use it to either phish for more information when you attempt to coordinate the sale, or simply take your name, address, and phone number to a carrier and attempt to port out your phone number or request a new SIM card.
Port Scams via Phone Call or Email
Porting scams can also be done over the phone or via email. Someone could call or email you, posing as a customer service representative from your cellular carrier, and ask to verify all of your account information, including your name, address, and account PIN. The fraudster could also request you to retrieve any temporary password texted to your number (two-factor authentication) if they’ve already started to hack into any of your online accounts.
Port Scams via Forums
If you use any consumer forums to ask questions about your smartphone or anything else that may require customer service, scammers may use it as an opportunity to pose as someone with authority who can assist you with your problem. Just like any other phishing scam, the fraudster can attempt to gather information about you that may help them port out your phone number or obtain a new SIM from your cellular carrier.
Many carriers require account PIN numbers or other verification information to port out numbers or give out new SIM cards. However, if your PIN is a birth date, zip code, the last four digits of your social security number, or any information that is easily gathered, scammers can still quickly gain access by trying them all.
It may surprise you to know how much of your information is accessible by hackers. There are databases online that anyone can log into and find your current address, your full name, the names of your relatives, and more.
Just by being aware of the dangers of hacking and by being smart about sharing your information, you can protect yourself from a port-out or SIM hijacking scam.
XFINITY Mobile customers have fallen victim to SIM hacking because the carrier set a default PIN of "0000" for all accounts, making it easy for hackers to port phone numbers.
Some tips for protecting yourself from port-out scams and SIM hijacking scams include:
Use Strong Passwords
Use strong account passwords with a variety of characters (symbols, numbers, and capital letters) for any and all online accounts. Do not repeat passwords for separate accounts.
Use 2-Factor Authentication
If your cell phone carrier allows, sign up for dual-factor authentication (not always the same as an account PIN or passcode) upon logging into your account. In addition, if there’s an option, consider listing an alternative email for authentication instead of a phone number.
Use Obscure Answers
If your carrier uses security questions for logging in, such as “What street did you grow up on,” try to use obscure answers that can’t be found in a simple address directory search.
Most carriers allow you to create a PIN or passcode required to make changes to your account. Make a strong and random PIN number or passcode to access your account in addition to your online password. T-Mobile has a port validation feature specifically for this purpose.
Public Forum Safety
Avoid leaving personal information online in public forums or on social media such as your phone number, address, or any other personally identifiable info.
Online Marketplace Safety
When dealing with online marketplaces or forums, be careful not to give out personal information unless it is absolutely necessary or you can verify the other party’s identity first.
Keep it to Yourself
Never give out information on your cellular account over email, online, or over the phone unless you are certain you are speaking with your carrier’s customer service representative. You can double check phone numbers and email addresses with online reverse directories. Many times, people will have already reported a scammer’s contact information online.
If you find your smartphone suddenly stops making calls or sending texts, or says “Emergency calls only,” your phone number may have been stolen and ported out. Immediately notify your carrier.
Report Scam Activity
Report any scams you encounter to local police, your cellular carrier, the Federal Trade Commission, or the Better Business Bureau. Keep a record of any information given to you or sought by the scammer.
Keep Track of Your Mail
Not all identity theft begins digitally. Make sure you keep track of your mail and shred any important documents that could be taken from trash or recycling. Your cell phone, bank, utility, and cable bills all have information that could be used to get a criminal closer to porting your phone number.
AT&T gives customers pre-selected PIN numbers when they create their account. AT&T allows customers to add two-factor authentication, which includes a unique passcode required to make any account changes. This is not the same for all accounts, however. Prepaid customers can only make a four-digit PIN, while others can use an alphanumeric PIN of up to 24 digits.
Sprint requires all customers set up a 6-10 digit PIN number when they create their account, and that information is required for porting out numbers. You may also establish secondary security questions.
T-Mobile was the most notable carrier recently taken advantage of by port-out scamming. In fact, it was such a large problem, they had to address the issue in February 2018 by warning customers about the scams. Now T-Mobile encourages customers to create a 6-15 digit passcode to keep their account safe from such scams. You can call 1-800-937-8997 for T-Mobile Customer Care.
Verizon requires all customers create a 4-digit account PIN number when they set up their account. Their rules on creating a PIN are written as follows:
- Cannot be the last four digits of your Social Security number.
- No sequential or repeated numbers.
- Cannot be the last four digits of your phone number.
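The PIN rules above, together with the weak choices named earlier (birth date, zip code, the "0000" default), can be checked mechanically before a PIN is accepted. The following is an added example, not code from the article or from any carrier; the function names and the sample profile are constructed for illustration, and reading "repeated numbers" as "all four digits identical" is an assumption.

```python
import re
from datetime import date

def guessable_pins(birth: date, zip_code: str) -> set:
    """Four-digit values derivable from a birth date or ZIP code."""
    mm, dd, yyyy = f"{birth.month:02d}", f"{birth.day:02d}", f"{birth.year:04d}"
    return {mm + dd, dd + mm, yyyy, mm + yyyy[2:], yyyy[2:] + mm,
            zip_code[:4], zip_code[-4:]}

def is_sequential(pin: str) -> bool:
    """True for strictly ascending or descending runs such as 1234 or 9876."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})

def check_pin(pin: str, *, ssn: str, phone: str, birth: date, zip_code: str) -> list:
    """Return the reasons a PIN is rejected; an empty list means it passed."""
    if not re.fullmatch(r"[0-9]{4}", pin):
        return ["not_four_digits"]
    reasons = []
    if pin == re.sub(r"\D", "", ssn)[-4:]:
        reasons.append("ssn_last4")
    if pin == re.sub(r"\D", "", phone)[-4:]:
        reasons.append("phone_last4")
    if len(set(pin)) == 1:  # assumption: "repeated" means all digits equal
        reasons.append("repeated_digits")
    if is_sequential(pin):
        reasons.append("sequential_digits")
    if pin in guessable_pins(birth, zip_code):
        reasons.append("guessable_from_birthdate_or_zip")
    return reasons

# Constructed sample profile; none of these values come from the article.
PROFILE = dict(ssn="000-00-6172", phone="(555) 555-0142",
               birth=date(1985, 7, 4), zip_code="94110")

if __name__ == "__main__":
    for candidate in ["0000", "4321", "6172", "0142", "0704", "8350"]:
        print(candidate, check_pin(candidate, **PROFILE) or "ok")
```
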
Security Measures and Porting Policies at MVNOs
Smaller carriers, or mobile virtual network operators (MVNOs), also have features that include creating PIN numbers and passcodes during account creation. Some also give customers specific PINs that may be less secure, such as the last four digits of your social security number or phone number.
Rather than list all of the PIN information for every carrier and interested scammers to glean, we recommend researching and calling your own carrier to find out their specific security options.
Below is a list of websites where you can file complaints about internet-related scams, fraud, and crime. Just don’t forget to call your cellular carrier and local police first.
- Your local law enforcement’s fraud or cybercrime division.
- File a scam complaint with the Better Business Bureau Scam Tracker.
- File a complaint with the Department of Justice (DOJ).
- File a complaint about online or related transactions with EConsumer.gov.
- Federal Trade Commission: Call 1-877-FTC-HELP or file a complaint online.
- File a complaint with the Internet Crime Complaint Center (IC3) (IC3 is partnered with the FBI).
- FBI: FBI Tips
- File a report on Fraud.org.
Two-factor mobile authentication (2FA) security measures are used by cellular carriers, banks, email services, and other online businesses to reset passwords and verify your login via text message or phone call. If two-factor authentication is triggered, you will receive a temporary code or password required to verify your identity and login with one of these services.
With many porting scams, the entire goal of stealing access to your phone number is to obtain two-factor authentication information directly. This is how a number port scam can be used to steal the money in your bank account and hack into your emails or cloud storage.
Phishing is any attempt to gather sensitive information like your name, birth date, address, credit card numbers, passwords, account numbers, and PIN numbers/passcodes via electronic means (i.e. via phone, email, online chat, forums, or through texting).
Transferring a phone number from one cellular carrier to another. You usually do this by verifying your account information and asking the second carrier to port your number over. People port phone numbers when they switch cell phone carriers but want to keep the same phone number.