SIM swap scams are nothing new, and are back in the news with high profile SIM swap attacks on Twitter’s CEO.
Telecommunications providers such as Verizon, AT&T, T-Mobile, and Sprint have been aware for over ten years that unauthorized third parties regularly attempt to obtain access to customer subscriber accounts to gain control over a customer’s SIM card.
By gaining control over a customer’s SIM card, a hacker can take control of the subscriber’s telephone number. With the number under their control, the hacker receives the text messages that two-factor authentication and password-reset flows send to the subscriber’s mobile phone, and can use them to reset the passwords on the subscriber’s email account, bank account, cryptocurrency exchange account, and investment accounts.
In an age where telecommunications providers like Verizon, AT&T, T-Mobile, and Sprint outsource their customer support obligations to third parties, hackers know that employees at these companies do not always follow company protocol. In some cases, the companies themselves may not follow industry best practices to secure subscriber accounts from unauthorized access.
Hackers have become adept at finding and exploiting weaknesses in cell provider security. Some providers may even allow known exploits to keep being used by hackers after their own security and fraud departments have identified them.
The most recent of these scams targets cryptocurrency investors, such as those who invest in Bitcoin or Ethereum.
Hackers mine data, often from Twitter, LinkedIn, Reddit, and other sources to identify those individuals most likely to have cryptocurrency. Once they have identified a target, they obtain personal information concerning the target in a number of ways. They may pretend to be the target and obtain an account number at an authorized retailer, or they may obtain account information from a prior data breach at a telecommunications provider.
Once this information is in their possession, they call the telecommunications provider’s customer support number. From there, they often attempt to convince the customer support representative that they have forgotten their account PIN and need to perform a SIM swap with just an account number or some other piece of information. If they are successful, they obtain control over the target’s accounts and either ransom them for payment in cryptocurrency or simply steal cryptocurrency from the target’s account.
Telecommunications providers know that these SIM swap scams are happening, yet many appear not to take seriously the threat, or their duties to secure personal and personally identifiable information.
Since most cell phone subscribers agree to an arbitration clause when signing up for an account, telecommunications providers force these subscribers into arbitration in an attempt to keep these grossly negligent vulnerabilities hidden from the public.
Victims of SIM swap attacks have pursued several legal theories against telecommunications providers. The primary claim is negligence: the telecom provider owed the subscriber a duty of care to protect their account from unauthorized access, breached that duty by failing to implement adequate security protocols, and that breach caused the subscriber’s financial losses. Courts have allowed negligence claims against telecom companies to proceed to trial, particularly where the provider failed to follow its own stated security procedures.
Additional claims include negligent misrepresentation — where the telecom provider made representations about account security that were not accurate — and violation of state consumer protection laws that prohibit unfair or deceptive trade practices. In California, for example, a major carrier paid a multi-million dollar settlement to a cryptocurrency investor who lost Bitcoin as a result of a SIM swap facilitated by the carrier’s own employee.
Federal claims are also available in some circumstances. The Federal Communications Commission (FCC) has rules governing the protection of Customer Proprietary Network Information (CPNI) under 47 U.S.C. § 222, which require carriers to protect subscriber account information from unauthorized disclosure. Violations of CPNI rules can support civil claims and regulatory enforcement actions. In 2023 and 2024, the FCC strengthened its rules specifically to address SIM swapping and port-out fraud, requiring carriers to use additional authentication methods before processing SIM change requests.
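The weak support-desk flow described above (a caller who claims to have forgotten the PIN is swapped on the account number alone) and the stronger process the FCC rules call for (additional authentication before a SIM change) can be contrasted in a small policy model. This is an added illustration, not code from Revision Legal or any carrier; the subscriber record, thresholds, and the 24-hour hold are assumptions.

```python
# Toy SIM-change authorization policy (added illustration; names and thresholds assumed).
import hashlib, hmac, secrets
from dataclasses import dataclass, field

MAX_PIN_FAILURES = 3              # assumed lockout threshold for wrong PINs
CHANGE_HOLD_SECONDS = 24 * 3600   # assumed cooling-off period before the new SIM activates

@dataclass
class Subscriber:
    number: str
    pin_hash: bytes
    pin_salt: bytes
    pin_failures: int = 0
    locked: bool = False
    notices: list = field(default_factory=list)  # messages sent to the SIM currently in service

def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def make_subscriber(number: str, pin: str) -> Subscriber:
    salt = secrets.token_bytes(16)
    return Subscriber(number, _hash_pin(pin, salt), salt)

def pin_matches(sub: Subscriber, pin: str) -> bool:
    return hmac.compare_digest(_hash_pin(pin, sub.pin_salt), sub.pin_hash)

def weak_sim_change(sub: Subscriber, knows_account_number: bool, new_iccid: str) -> dict:
    # The flow the article describes: "forgot my PIN" plus the account number is enough,
    # and the swap takes effect immediately with no notice to the real subscriber.
    if knows_account_number:
        return {"status": "swapped", "iccid": new_iccid}
    return {"status": "denied"}

def hardened_sim_change(sub: Subscriber, pin: str, second_factor_ok: bool,
                        new_iccid: str, now: int) -> dict:
    # Knowing the account number counts for nothing. The request needs the account PIN,
    # a second factor completed out of band (e.g. a code sent to the SIM currently in
    # service), and even then the change is held so the subscriber can cancel it.
    if sub.locked:
        return {"status": "denied", "reason": "locked"}
    if not pin_matches(sub, pin):
        sub.pin_failures += 1
        if sub.pin_failures >= MAX_PIN_FAILURES:
            sub.locked = True
            sub.notices.append("PIN lockout: verify in person if this was not you")
        return {"status": "denied", "reason": "pin"}
    sub.pin_failures = 0
    if not second_factor_ok:
        return {"status": "denied", "reason": "second factor"}
    sub.notices.append(f"SIM change to {new_iccid} scheduled; reply to cancel")
    return {"status": "pending", "iccid": new_iccid, "activates_at": now + CHANGE_HOLD_SECONDS}
```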
Most wireless subscriber agreements contain mandatory arbitration clauses and class action waivers. Under these provisions, a subscriber who is harmed by a SIM swap attack is typically barred from filing a lawsuit in court and must instead pursue their claim in private arbitration — a process that favors repeat players like large telecom companies.
However, mandatory arbitration clauses are not always enforceable. Courts have found arbitration clauses unconscionable in certain circumstances, particularly where the clause is buried in fine print, where the subscriber had no meaningful opportunity to negotiate, or where the arbitration process is so one-sided as to deprive the subscriber of any meaningful remedy. An experienced data breach attorney can evaluate whether the arbitration clause in a specific subscriber agreement is enforceable and advise on strategies for challenging it.
Additionally, some states have enacted laws limiting the enforceability of arbitration clauses in consumer contracts, though many of these laws have been preempted by the Federal Arbitration Act (FAA), 9 U.S.C. § 1 et seq. The interplay between state and federal arbitration law is complex and fact-specific.
Cryptocurrency investors and others who hold significant financial assets accessible via two-factor authentication should take the following steps to reduce the risk of a SIM swap attack:
If you are the victim of a SIM swap scam, contact a data breach attorney immediately. Revision Legal offers a wide array of legal services related to data breach and Internet law matters. We can be reached by using the form on this page or by calling us at 855-473-8474.