SIM swap scams are nothing new.

Telecommunications providers such as Verizon, AT&T, T-Mobile, and Sprint have been aware for over ten years that unauthorized third parties regularly attempt to obtain access to customer subscriber accounts to gain control over a customer’s SIM card.

Hackers Gaining Account Control

By gaining control over a customer’s SIM card, a hacker can then take control of a subscriber’s telephone number. Once the hacker has control over the subscriber’s telephone number, he or she can use two-factor authentication, which often sends a text message to the subscriber’s mobile phone, to reset the passwords associated with the subscriber’s email account, bank account, cryptocurrency exchange account, and investment accounts.

In an age where telecommunications providers like Verizon, AT&T, T-Mobile, and Sprint outsource their customer support obligations to third parties, hackers know that employees at these companies do not always follow company protocol. In some cases, the companies themselves may not follow industry best practices to secure subscriber accounts from unauthorized access.

Hackers have become adept at finding and exploiting weaknesses in cell provider security. And some providers may even allow known exploits to continue to be used by hackers even after their security and fraud departments have identified them.

SIM Swap Scams Targeting Cryptocurrency Investors

The most recent of these scams targets cryptocurrency investors, such as those who invest in Bitcoin or Ethereum.

Hackers mine data, often from Twitter, LinkedIn, Reddit, and other sources to identify those individuals most likely to have cryptocurrency. Once they have identified a target, they obtain personal information concerning the target in a number of ways. They may pretend to be the target and obtain an account number at an authorized retailer, or they may obtain account information from a prior data breach at a telecommunications provider.

Once this information is in their possession, they call the telecommunications provider’s customer support number. From here, they often attempt to convince the customer support representative that they’ve forgotten their secure PIN number and need to perform a SIM swap with just an account number or some other information. If they are successful, they obtain control over the target’s accounts and either ransom them for payment in cryptocurrency or simply steal cryptocurrency from the target’s account.

Telecom Arbitration Clauses

Telecommunications providers know that these SIM swap scams are happening, yet many appear to not take the threat, or their duties to secure personal and personally identifiable information, seriously.

Since most cell phone subscribers agree to an arbitration clause when signing up for an account, telecommunications providers force these subscribers into arbitration in an attempt to keep these grossly negligent vulnerabilities hidden from the public.

If you are the victim of a SIM swap scam, contact a data breach attorney immediately.

Revision Legal offers a wide array of legal services related to data breach and Internet law matters.  We can be reached by using the form on this page or by calling us at 855-473-8474.

Image credit to Flickr user mroach

Your Legal Rights When a SIM Swap Scam Drains Your Cryptocurrency

Victims of SIM swap attacks are not without legal recourse, even when telecommunications carriers invoke arbitration clauses to block litigation. Understanding the full legal landscape—including your claims, your carrier’s duties, and how to preserve evidence—is essential to any recovery strategy.

Negligence Claims Against Telecommunications Carriers

A SIM swap attack occurs because someone at the carrier—an employee, an authorized retailer, or a third-party contractor—failed to follow account security protocols before transferring a customer’s phone number to a new SIM card. This failure may give rise to a negligence claim. To prevail, a plaintiff must establish that: (1) the carrier owed a duty of care to protect the subscriber’s account from unauthorized access; (2) the carrier breached that duty by failing to follow its own security procedures; (3) the breach caused the SIM swap; and (4) the plaintiff suffered damages as a result.

Courts in several cases have found that carriers owe their subscribers a duty to maintain reasonable security over subscriber accounts. In Kattula v. T-Mobile USA, Inc. and similar cases, courts have examined whether carriers failed to implement reasonable authentication measures—particularly where the carrier had knowledge of rampant SIM swap fraud targeting cryptocurrency holders and failed to take remedial action.

The Arbitration Problem—and How to Address It

Nearly all wireless service agreements contain mandatory arbitration clauses that require disputes to be resolved before a private arbitrator rather than a court, and that prohibit class action proceedings. Carriers enforce these clauses aggressively because they keep individual SIM swap cases out of public court records and prevent victims from aggregating claims against systemic security failures.

However, arbitration clauses are not always enforceable. Courts have found arbitration clauses unconscionable when they are buried in adhesion contracts, when the terms are substantially one-sided, or when the costs of individual arbitration effectively deny the claimant a meaningful remedy. Additionally, some states have stronger consumer protection laws that may limit the enforceability of certain arbitration provisions. An experienced data breach attorney can evaluate whether the specific arbitration clause in your carrier agreement is challengeable.

Even where arbitration is required, individual arbitration remains a viable path. Carriers that must defend each case individually may be more willing to settle claims at fair value than to fight every arbitration. The key is building a well-documented claim with preserved evidence from the outset.

What Evidence to Preserve Immediately After a SIM Swap

Time is critical in a SIM swap case. Carriers maintain call logs, account access records, and authentication event logs—but these records are routinely purged on retention schedules that may be as short as 90 days. If you have been victimized by a SIM swap, take these steps immediately:

• Screenshot and save all communications from your carrier regarding account changes or SIM swap notifications.
• Contact your carrier immediately and request that they preserve all records relating to any account changes made on or around the date of the attack, citing potential litigation.
• Request the full account activity log for the relevant time period.
• Document all cryptocurrency losses with transaction histories, exchange records, and wallet addresses.
• File a report with your local police department and the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov.
• Contact an attorney before communicating further with the carrier about the incident.

Federal Law Protections: CPNI and CFAA

Beyond common law negligence, two federal statutes are relevant to SIM swap cases. First, the Federal Communications Act’s Customer Proprietary Network Information (CPNI) rules, 47 U.S.C. § 222, require carriers to protect the confidentiality of subscriber account information. Failure to implement adequate CPNI safeguards may create regulatory exposure for the carrier and support arguments that the carrier’s security practices were deficient as a matter of law.

Second, the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, provides both criminal penalties and a civil cause of action for unauthorized access to protected computers. Where a hacker uses the hijacked phone number to access cryptocurrency exchange accounts and steal funds, the CFAA claim lies against the hacker—not the carrier—but documenting the unauthorized access is important for any comprehensive legal strategy.

If you have been the victim of a SIM swap scam, contact a data breach attorney at Revision Legal promptly. The clock is running on evidence preservation and applicable statutes of limitations. Reach out today.