This article first appeared on Bloomberg
In May 2021, about 100 employees of an unnamed phone company received an unsolicited text message, according to court records.
The sender, who isn’t named, had an offer: In exchange for cash, would the staffers leverage their access to the phone company’s internal systems to help them hijack customer phone numbers?
Some of the employees informed higher-ups about the texts, and eventually the FBI’s Newark field office became aware. But one employee who received the messages, Corrine Little, allegedly didn’t tell her bosses. In fact, over a 13-day period, Little communicated with phone numbers associated with the scammer, known as a SIM swapper, at least 53 times, according to the Justice Department.
The phone company audited Little’s activity and found she had conducted multiple unauthorized SIM swaps, a process where a phone number is transferred to a new phone without the owner’s knowledge or consent, according to court records. In an interview with the FBI, Little denied performing the SIM swaps, but said she received multiple $600 payments from the unknown texter via CashApp, records show.
Little pled guilty to a misdemeanor charge as part of a plea agreement.
Based on court cases against convicted scammers, a typical scheme goes like this: a gang of SIM swappers will bribe low-paid telecom employees with thousands of dollars to give them control of a target’s phone number. With that phone number, the thieves can reset a victim’s passwords to seize their email inbox, social media profiles or their cryptocurrency wallets.
From there, the intruders try to steal as much money as possible before they lose access to the number.
The case illustrates a key factor in the success of SIM swaps: that phone company insiders are often crucial parts of the scam.
The problem is about incentives. SIM swapping has been an issue since 2014 in part because scammers keep finding people to bribe. For now, staffers in both retail locations and at call centers have incredible access to tools that scammers are willing to pay for.
Even if you do everything right, like using unique passwords or using two-factor authentication on your accounts, you could still be victimized.
That’s because the telecom is responsible for protecting the security of your phone number, and as a customer, you have no other choice but to fully put your faith in the phone company.
It’s evolved into a major problem. The FBI received 1,611 reports of SIM swapping in 2021, with losses of more than $68 million. SIM swappers often target people with large crypto investments, the FBI said.
In another case in 2021, a former employee at an unnamed carrier was sentenced to three months’ probation and a year of home confinement after he was paid $500 in daily bribes in order to perform SIM swaps. In each case, outsiders would send the employee a phone number, a four-digit PIN number and information about a new SIM card to direct a victim’s data, the Justice Department said.
In December, a judge sentenced one Manhattan man, Nicholas Truglia, to 18 months in prison for his involvement with a crew that stole $22 million in crypto.
Truglia was an outside SIM swapper, not a telecom employee, though his case points to some of the riches that hackers might find with this method: Court records show that the 25-year-old Truglia had obtained expensive art, jewelry and cryptocurrency holdings with some of the loot. He also agreed to pay back $20 million in restitution, court records show.
A victim in that case is suing AT&T for allegedly doing too little to stop the heist.
Neither the Telecommunications Industry Association nor the Telecom Information Sharing and Analysis Center, which functions as a clearinghouse for cyber threats, responded to requests for comment.