Rob Ross freaked out.
One minute, the San Francisco man’s investment accounts added up to a million dollars; the next moment they had a zero balance.
"I was devastated," he said. “It was about 90 percent of my net worth.”
Ross was a victim of the “SIM Swap Scam.” His story is a warning for everyone. If you have a mobile phone, you are a potential target in this fraud.
Thieves have hacked this extra layer of protection known as two-factor authentication. You’ve probably seen "2FA" in the form of a message from your bank account, social media, or email provider suggesting something along the lines of “adding a phone number adds security.”
But thieves have hacked it.
First, they hijack your mobile phone number. At that point, your email, social media, and financial password reset codes go to them. And that's all they need to take control of all those accounts and steal from you.
“They don’t care about the damage they are doing to other people’s lives,” Ross said.
The scam starts when your cellphone suddenly shows “No Service.” After Ross discovered that message on his phone, he contacted his carrier.
“AT&T said there had been a SIM swap request,” Ross said. “I had never heard the term SIM swap.”
The SIM is the small card that contains your phone number. When the hackers got Ross’s carrier to swap his number off his SIM and put it on their phone, they redirected Ross’s calls and text messages. And that’s all the hackers needed to clear him out.
“My worst fears were being played out in real time,” he said. “They traded the money into bitcoin and then they withdrew it all.”
We searched our nationwide database of consumer complaints and found viewers around the country complaining of the same SIM swap scam.
“Why would they take control over my phone number,” asked a New York woman whose credit was compromised after a SIM swap. A viewer near Los Angeles lost money just as quickly as Ross did. “They stole $4,000 in less than 2 minutes,” she wrote.
Law enforcement sources estimate 1,000 victims, conservatively.
We wondered how hackers are gaining access to so many people’s wireless accounts to swap SIMs. We found Trickery and bribery.
We pulled records for a few SIM Swap cases that are in court. They show one hacker simply "pretending to be an AT&T agent" on the phone with AT&T to access a target’s cellular account and hijack their number.
Other hackers in online chats brag of paying off carrier salespeople or call center workers with a few bucks or even a small bag of pot. Hackers call them “plugs.” One hacker wrote, “My Sprint plug is legit.”
Ross fears low level carrier employees, some of whom are overseas, are too easily compromised into swapping SIMs.
“A lot of people," he said, "are susceptible to bribery.” Ross said the world's wireless carriers need to step up. “To my knowledge, [the carriers] are not doing anything.”
We asked AT&T, Verizon, Sprint, and T-Mobile how they’re combatting unauthorized SIM swaps. AT&T said in a statement, “We continually look for ways to enhance our policies and safeguards to protect against these sorts of scams.”
Verizon recommended users put an administrative block on their account. T-Mobile offered the same solution plus an account PIN. Sprint’s website also suggests a PIN for any changes to your service or SIM.
But court records we covered show at least one SIM swapper’s “plug” simply handing it over.
“[The plug] just gives me the PIN,” one hacker wrote.
Justin Dolly, chief security officer at a cybersecurity firm SecureAuth, told us wireless carriers track their workers at almost every turn. So now they need to cross reference that big data with unusual transactions and weed out whoever is assisting scammers.
“The information is there," he said. “There’s definitely some responsibility that they need to take."
So, what do you do about those password resets by text that can open the door for hackers? Consider some changes, right now.
Ask your bank, brokerage, email, and social media companies if they can send unlock codes via email, not SMS. Or, text them to a secondary number — like Google Voice — instead of your cell.
Dolly endorsed that idea.
“You’re one more hop away from the hacker, and they might not be able to reach you there,” he reasoned.
Ross launched a website, StopSIMcrime.org, to raise awareness of the SIM Swap Scam. The site warns people that your phone could one day read “No Service.” And then, no matter how much or how little money you have, SIM swapping hackers will try to steal it.
"They don’t always know what they’re going to get until they get into the financial accounts,” Ross said. And yet, they keep trying. "They’re doing this all day long.”
Detectives recovered some of Ross’s savings. But most of it is still missing. The accused thief is facing prosecution in Santa Clara County.
If you suddenly see “No Service” on your cellphone, call your carrier right away — from a different phone — to see if your SIM has been swapped. If so, insist they undo it immediately. Then lock down your financial accounts ASAP. Block withdrawals. Check your balances. And report any missing money on the spot.
If you've been the victim of a SIM swap, let us know. Call 888-996-TIPS. Or go to NBCBayArea.com/Responds.