As societal reliance on “smart” technologies has grown to encompass the entirety of the developed world, the average citizen has come under fire from fraudsters aiming to exploit the wealth of new opportunities presented, specifically those offered by personal handheld devices. Cellular fraud is defined as the unauthorized use, tampering or manipulation of a cellular phone or service, with common forms including SIM swapping, cloning and subscriber fraud. The Federal Communications Commission (FCC) – an independent agency of the United States federal government that regulates communications by radio, television, wire, satellite, and cable across the United States – has long warned of the many risk factors that this shift creates for the unsuspecting consumer when it comes to cellular fraud. Until this point, however, the regulatory agency had been hesitant to tighten regulations governing certain cell phone services. The exponential growth of fraud and hacking scams, which has led to a growing number of complaints from consumers who have fallen victim to new, fruitful scams, together with new pressure from the U.S. government given the overlap of these scams into the realm of true financial crime, may soon bring about change in this regard.
Last week, the FCC announced its proposal for new rules to protect consumers from fraud related to cellular phone misuse, while also aiming to increase awareness of growing trends and common tactics being used by the modern financial criminal to penetrate a user’s personal accounts. As part of its offensive, the FCC has highlighted one form of fraud in particular that is growing in both global reach and ultimate success rate. Coined “SIM swapping” (but also known as “port-out” scams), these ploys revolve around scammers targeting consumers’ cell phone numbers as a means to gain access to their lucrative personal accounts. With two-factor authentication being pushed by banks, cryptocurrency platforms and countless other online service providers as a means of increasing financial security during the virtual log-in process, text messages with unique single-use security codes are often sent out by these entities to help verify an individual’s identity when attempting to access or update their accounts. Given that this is now a common practice in the 2020s, scammers have increasingly targeted this very access point itself. In a SIM swapping ploy, scammers who may already hold key pieces of a targeted individual’s “identity” contact this individual’s phone carrier and trick them into activating a SIM card that the fraudsters have in their possession, usually under the guise that the original SIM card found in the device was lost or broken. Once this occurs, the scammers effectively gain control over this person’s phone number, with any incoming texts or calls routed to the scammers’ device. As such, they can immediately bypass (and even turn off) two-factor authentication and pillage an unsuspecting victim’s account at their leisure and often without a trace.
The other common scam that the FCC identified is referred to as “port-out fraud.” Given that cellphone numbers can legally be ported from one provider to the next when you switch your phone service, port-out fraud sees an imposter pose as a legitimate end-user and open an account with a different carrier before having a user’s service transferred to that new account so that the original owner no longer has access or control of the service altogether.[2] While phone companies have tried to establish safeguards to prevent this form of crime, once a fraudster holds enough of a user’s personal information, it is nearly impossible to prevent this crime from occurring. While these ploys do have a good deal of moving parts about them, their success rates remain relatively high. As such, where a criminal was once forced to steal a physical cellphone or SIM card – which does still remain a viable option in today’s world – the modern fraudster knows that by simply hijacking a mobile number, they can effectively assume your identity, intercept security protocols sent to your phone, and gain access to financial, retail and even social media accounts at a much more efficient rate while avoiding the risk of detection.[3]
Given the inherent risks to consumer privacy, the FCC has set its sights on protecting consumers against scams that aim to commandeer their cell phone accounts. The newly proposed measures would effectively establish baseline requirements for tracking and reporting of potential red flags in this regard while also establishing a uniform framework across the industry, all while still allowing providers flexibility to implement “the most advanced and appropriate fraud protection measures available.” The FCC’s Privacy and Data Protection Task Force is seeking to ensure that all wireless providers establish new, secure measures for personal identity authentication whenever SIM cards are swapped or moved to a new device, while also enhancing personal record-keeping practices and, perhaps most importantly, immediately notifying customers whenever a SIM change or port-out request is initiated.
In a statement released following the proposal of these new rules, FCC Chair Jessica Rosenworcel noted, “Every consumer has a right to expect that their mobile phone service providers keep their accounts secure and their data private. These updated rules will help protect consumers from ugly new frauds while maintaining their well-established freedom to pick their preferred device and provider. I ask my colleagues to join me in supporting these common-sense consumer protections.”[1] Consumers and employees of not only cellphone service providers but also the various entities issuing two-factor authentication codes are encouraged to remain vigilant against these types of scams, as the FCC’s proposal is still in its infant stage. As such, analysts are expecting a late uptick in the overall prevalence of these scams over the coming months given the potentially dwindling window of opportunity that remains for the bad actors behind these attacks.
- “FCC PRIVACY TASK FORCE ANNOUNCES PROPOSED RULES TO PROTECT CONSUMERS’ CELL PHONE ACCOUNTS.” Federal Communications Commission, 11 July 2023.
- Hill, Kelly. “Rosenworcel Proposes New Rules on Authentication to Prevent SIM Swapping.” RCR Wireless News, 12 July 2023.
- “Port-out Fraud Targets Your Private Accounts.” Federal Communications Commission, 11 July 2023.