Scammers steal millions remotely hijacking smartphones

A Houston man says he learned the hard way that a thief can remotely hijack control of your cell phone and break into your bank account and credit cards.  It left him with a $20,000 debt. 

Sim card swapping is a growing crime.  An identity thief somehow gathers enough personal information about you to call your cell phone provider and switch your phone number to a phone they have with another carrier.  That gives the thief access to every bank account, social media account, email and text message on your phone. 

"Shocked, surprised," said David Johnson about what happened to his phone. 

When David Johnson's phone suddenly stopped working, he says his service provider, AT&T, informed him that his phone number had been ported to another carrier.

"Surprised someone could lift right from under the nose from AT&T my cell phone by being able to provide them with sensitive information. How did they get it?" Johnson wondered.  


He had it switched back.  But he says Bank of America had to block someone from taking $8500 from his account.  And two months later, Johnson says he got a call from Goldman Sachs about an account he says he never opened.  

"And, oh, by the way, the line of credit that was opened was $20,000, and you've charged $19,999," said Johnson, recalling the call. 

James Meadows, a cybersecurity professor at Rice University, tells us, "The crime is growing exponentially, largely for two points.  One, it's easy to do.  Two, it's hard to stop."

Cybersecurity experts say sim card swapping happens when a thief has gathered enough information to pass as you.

Explained Meadows, "Then they can convince your cell phone provider to take your phone number information off the phone you have and move it to a phone that they're in control of."

Allison Nixon, Chief Research Officer with Unit 221b tell us cell phone service employees can also be paid by a crime ring to do it. 

"We've also seen employees getting recruited into the criminal scheme themselves.  And we've also seen where providers of customer service is the flaw from which the attack is able to get in," said Nixon. 

She says hackers first began targetting cryptocurrency investors, but have expanded to hitting people's bank accounts and credit.

"We've seen crypto currently victims hit for hundreds of millions of dollars," said Nixon.  

In fact, a cryptocurrency investor says he lost $24 million in tokens to this scam and is suing AT&T for nearly ten times that amount. Many high profile Twitter and Instagram accounts have also been hacked through sim card swapping.   

We asked AT&T about Johnson's case and what they're doing about sim card swapping.  AT&T sent us a statement saying, "We worked with the customer to fix this" and directed us to a web link with steps consumers can take to try to prevent it.   

The Cellular Telecommunications Industry Association, which represents the wireless telecommunications industry, sent us a statement, reading, "The wireless industry takes SIM swap fraud very seriously.  Wireless providers are constantly improving internal processes to stay ahead of these bad actors while protecting the rights of legitimate customers to transfer their phone number to a new device or wireless provider. While each provider’s tools and practices are different, the industry employs a variety of tactics to stop SIM swap fraud... ."

Johnson says this has changed the way he uses his phone.

"I don't have any account information in it, none what so ever."

To help protect your phone from being hacked, the CTIA recommends setting a pin number to access your sim card.  AT&T says you can add a Primary InterExhange Carrier Freeze to your line from unauthorized changes.

Cybersecurity experts suggest not using two-factor authentication that sends authentication codes to your phone because a hacker can see that code on your phone.  They recommend apps such as Google Authentication or Authy, which send the code to the app instead.  

Experts also say to be careful who you give your phone number to, not to publish personal information on social media accounts, and to consider freezing your credit with all three credit bureaus to prevent a thief from opening debts in your name. 

Helpful links: