Your mobile phone account could be hijacked by an identity thief

A few weeks ago an unknown person walked into a mobile phone store, claimed to be me, asked to upgrade my mobile phones, and walked out with two brand new iPhones assigned to my telephone numbers. My phones immediately stopped receiving calls, and I was left with a large bill and the anxiety and fear of financial injury that spring from identity theft. This post describes my experiences as a victim of ID theft, explains the growing problem of phone account hijacking, and suggests ways consumers and mobile phone carriers can help combat these scams.

My Experiences as a Victim of ID Theft

One evening my mobile phone stopped working mid call. After discovering that another phone on my account also had no signal, I called my mobile carrier on a landline phone. The customer service representative explained that my account had been updated to include new iPhones, and in the process the SIM cards in my Android phones had been deactivated. She assumed it was a mistake, and told me to take my phones to one of my mobile carrier’s retail stores.

The store replaced my SIM cards and got my phones working again. A store employee explained that a thief claiming to be me had gone into a phone store and “upgraded” my two phones to the most expensive iPhone models available and transferred my phone numbers to the new iPhones.

I called my mobile carrier’s fraud department and reported what happened. The representative agreed to remove the charges, but blamed the theft on me. When I asked how the store authenticated the thief, he told me that employees of stores owned by the mobile carrier would have asked for the account holder’s photo ID and the last four digits of their social security number, but if the theft occurred at another retailer, that might not have happened.

I logged in to my online account, changed the password, and added an extra security PIN recommended by the fraud department. I then logged on to the Federal Trade Commission’s website to report the theft and learn how to protect myself. The site is a one-stop resource for identity theft victims. It includes step-by-step instructions and sample letters to guide victims through the recovery process. Following the checklist, I placed a fraud alert and obtained a free credit report. I also prepared an identity theft complaint affidavit, which I later printed and took with me to my local police station when I filed a police report.

I called my mobile carrier back several times over the next few days to finish cleaning up this mess. One of my phones had ended up with the wrong phone number and the other one no longer had voice mail. A few days later I received an email about mobile phone insurance that the thief had apparently added to my account. After three trips to my carrier’s retail stores and many hours on the phone, my carrier eventually fixed all the problems and refunded the fraudulent charges.

I was interested in learning where the theft had occurred and how much of my personal information was in the hands of the thief. Section 609(e) of the Fair Credit Reporting Act requires that companies provide business records related to identity theft to victims within 30 days of receiving a written request. So, following the template provided by the FTC’s website, I wrote a letter to my carrier requesting all records related to the fraudulent upgrades on my account. After about two months my carrier sent me the records. I learned that the thief had used a fake ID with my name and her photo. She had acquired the iPhones at a retail store in Ohio, hundreds of miles from where I live, and charged them to my account on an installment plan. It appears she did not actually make use of either phone, suggesting her intention was to sell them for a quick profit. As far as I’m aware the thief has not been caught and could be targeting others with this crime.

The Growing Problem of Phone Account Hijacking

Records of identity thefts reported to the FTC provide some insight into how often thieves hijack a mobile phone account or open a new mobile phone account in a victim’s name. In January 2013, there were 1,038 incidents of these types of identity theft reported, representing 3.2% of all identity theft incidents reported to the FTC that month. By January 2016, that number had increased to 2,658 such incidents, representing 6.3% of all identity thefts reported to the FTC that month. Such thefts involved all four of the major mobile carriers.

Identity theft reports to the FTC likely represent only the tip of a much larger iceberg. According to data from the Identity Theft Supplement to the 2014 National Crime Victimization Survey conducted by the U.S. Department of Justice, less than 1% of identity theft victims reported the theft to the FTC.

Media reports on mobile phone account hijacking provide more evidence of this problem. A 2013 Forbes article reported that the government had seized over 5,500 phones from a Michigan operation that allegedly acquired them fraudulently from AT&T, Verizon, Best Buy, Radio Shack, and Apple stores and was shipping them overseas. The article reported that thieves used stolen identities to upgrade phones and add phone lines to existing accounts. In February 2015 more than 50 customers in the Denver area complained that Verizon had charged them for iPhone 6s, iPads, and new service plans they had not ordered. A North Carolina church received an AT&T bill for 17 iPhones purchased by an identity thief. In December 2015, four suspects were charged with using fake identity documents to purchase iPhones at AT&T stores in Kansas. In April 2016 three people arrested in a traffic stop in New Jersey were found to have fake IDs with the names of identity theft victims that they had used to fraudulently acquire iPhones. In May a man was arrested in Oregon for trying to buy four iPhones at a Verizon store using a fake ID. The man had previously been arrested twice on similar charges.

The reports indicate that it is common for thieves to hijack a mobile phone account and also open other accounts in the victim’s name, days or weeks later. These are often mobile accounts with other carriers or credit cards for retail stores. In addition, some victims reported that identity thieves also changed the email addresses associated with their financial accounts.

Some victims did not have their mobile account hijacked, but instead received bills or calls from bill collectors about accounts with other carriers that identity thieves had opened with their names.

Most of the account hijackings likely occurred without the victims having provided information to fraudsters themselves. There are a number of reverse-lookup websites that will identify the carrier associated with any US phone number for free. Some will also identify the name of the subscriber and their city and state for free, and will sell the complete address for less than a dollar. There are also black market websites that sell dossiers that include social security numbers.

Other victims have also recounted falling for a phone scam in which the caller impersonated a representative from their mobile carrier. One victim reported that before their account was hijacked, a caller fraudulently claiming to be from their mobile carrier told them that their phone service would be down for 24 to 48 hours. Another victim reported that a phony representative from their carrier’s fraud department called them and asked them to read back a code that had just been texted to their phone. When the victim complied, the fraudster was able to impersonate the victim and make unauthorized changes to their mobile account.

Perhaps most insidious, some thieves use their victim’s hijacked phone number to gain access to financial accounts that use two-factor authentication through text messages. This is known internationally as a “SIM swap” scam, or “SIM splitting.” The New York Division of Consumer Protection also warns about this scam on their website.

Thieves first purchase the victim’s bank account info or acquire it through a phishing attack. They may also look for publicly available information about the victim on social networks that can help them answer security questions. Then they impersonate the victim and call the victim’s mobile phone company to report that their phone has been damaged or stolen and convince the company to cancel the SIM card and activate a new SIM card with the victim’s phone number in the thieves’ phone. The thieves are then able to make bank account transfers, responding to phone calls and text messages directed to the victim’s phone number in order to complete the transactions. The victim’s phone stops working as soon as the SIM card is swapped. It usually takes them several hours or days to get their phone service restored, and longer to notice that their bank account has been emptied.

Industry experts I spoke with at a company that provides authentication services for mobile banking told me that SIM swap scams have become common in Europe and are increasing in the United States. In addition to obtaining information through phishing attacks, they told me that fraudsters often purchase victims’ information from black market sellers, or from rogue employees of financial institutions or mobile carriers. Unfortunately, there is little a consumer can do to prevent this.

What You Can Do

I asked all the major mobile carriers what consumers could do to protect themselves from a mobile account takeover. One of the most important steps you can take is to establish a password or PIN that is required before making changes to your mobile account. Each of the carriers offers this feature to their customers in a slightly different way.

AT&T offers a feature they refer to as “extra security.” Once activated, any interaction with AT&T, whether online, via phone, or in a retail store will require that you provide your passcode. You can use your AT&T online account or the myAT&T app on your mobile phone to turn on extra security. Note that when you log in online with your passcode, you may be presented with the option to not be asked for it again. Do not accept this option or you will disable extra security.

Sprint asks customers to set a PIN and security questions when they establish service with Sprint, so no additional steps are needed to use this feature.

T-Mobile allows their customers to establish a customer care password on their accounts. Once established, customers are required to provide this password when contacting T-Mobile by phone. To establish such a password, customers can call T-Mobile customer service or visit a T-Mobile retail store.

Verizon allows their customers to set an account PIN. Customers can do this by editing their profile in their online account, calling customer service, or visiting a Verizon retail store. This PIN provides additional security for telephone transactions and certain other transactions.

Using this extra password or PIN is a good idea and should help reduce your risk of mobile account takeovers. However, it does not offer complete protection, so make sure you remain alert for phishing attacks, protect your financial account information, and examine your mobile phone and credit card bills carefully every month for signs of fraud. If your phone stops receiving a signal and says “emergency calls only” or “no network,” even after you restart your phone, contact your mobile carrier to see whether your account has been hijacked.

What Mobile Carriers Should Do

The mobile carriers are in a better position than their customers to prevent identity theft through mobile account hijacking and fraudulent new accounts. In fact, many of them are obligated to comply with the Red Flags Rule, which, among other things, requires them to have a written identity theft prevention program.

Carriers should adopt a multi-level approach to authenticating both existing and new customers and require their own employees as well as third-party retailers to use it for all transactions.

Having a mobile phone account hijacked can waste hours of a victim’s time and cause them to miss important calls and messages. However, this crime is particularly problematic due to the growing use of text messages to mobile phones as part of authentication schemes for financial services and other accounts. The security of two-factor authentication schemes that use phones as one of the factors relies on the assumption that someone who steals your password has not also stolen your phone number. Thus, mobile carriers and third-party retailers need to be vigilant in their authentication practices to avoid putting their customers at risk of major financial loss and having email, social network, and other accounts compromised.

The author’s views are his or her own, and do not necessarily represent the views of the Commission or any Commissioner.


This also happened to me last year. I was lucky to have seen the email message announcing the change to my account. While Verizon's Fraud department backed out the cost of the phones, they left it up to me to report the loss to the local police. Please make the following rule changes: 1) Carrier/seller should bear the cost of any fraud, 2) Such cases should be reported to the FTC and state police. Only if the carriers are responsible for the cost/risk will there be sufficient incentive to stop this sort of thing.

I need help and I'm terrified of my phone

I have had my SIM card cloned at least 4 times. It’s happening through my local Verizon store: once the victim comes in, the sales rep is able to make a copy of the SIM and the hacking begins. It's sad that Verizon allows this to happen...

I believe this happened to me at a metro pcs store at least twice. I actually more than suspect. When I make phone calls I clearly can hear a click, another line pick up. And when I got my new phone again mine and my wife's phone at the same time were completely taken over and texting was disabled for both. Only allowed us talking on phone. My at home wifi is also being hijacked: when I get in to the admin settings I see my settings changed, and when I change my admin password it will say there's another user logging in at this time. So I'll reset to factory settings to get back in then change passwords then it happens again.

singularity a case in going through now pcs. Will document at a later date got to get my phone service at the very least stable I thank you for your post and lets me know that at least I'm not again along with Metro and the sometimes I feel I'm just you know thank you again.

I had an Apple iPhone XR that I bought at an Apple store, paid in full. I decided to go with Verizon but what a nightmare this mobile carrier has been, as the iPhone XR got SIM swapped while I was iMessaging Verizon tech support and all of a sudden my iPhone was dead and went to OTA. Verizon only cares about billing and adding on more features that cause the bill to skyrocket. Security is low on their scale and tech support are poorly trained, but the USA govt is probably their biggest customer

100% agree. If they've gone for the cost of hijackers and hackers then they would definitely have the government do something about it.

Someone is in all my stuff I can't do anything with my phone
Please help me

How did you find out who is all in your stuff and do you know who it was and how did you find the person and w

Question: If I already have a 5-8 digit PIN on my actual handset, does that help as a first step to keep my phone from being hijacked?

A PIN on the handset is a good idea and will help protect your phone if someone steals the actual device from you. However, it will not prevent the phone account hijacking I described in this blog post.

Why don't they *ALWAYS* send a phone or text message notification to the old phone, preferably a series of such messages starting 24 hours before the switchover? Why can't I instruct my phone company to do this?

Very good advice! Maybe you should contact the CEO & give them some tips on "not becoming the next victim!"

That was great advice! A simple text or call to me today before disabling my SIM CARD and giving a new SIM to the THIEF who took over my # and then used text codes to take over my CC would have been such a simple step!!!!

What do I do? Even if I buy a new phone under someone else's name he is right back in it. I just bought one tonight and in under an hr it's taken over again. I even know who he is. It's my ex

That is almost exactly what is happening to me. And I know the people that are doing it. And when I asked the authorities to do something he literally said well what u want us to do about it. Totally frustrating and literally dangerous to me, my family and definitely them.

the hacker appears to be reading this article simultaneously ain't that "something" hmmm!
the bat just dropped to 31% from 44% and my phone can be used to iron a shirt, also losing about 1% per min on this paragraph alone!!! 3% just on spell check !!! right G !!!! oh look they left

Makes total sense, and case in point. When you contact the IRS or bank, they send out a notification by postal mail to both the new and old address to verify that an address change was made. Phone companies should do the same when any changes are made, but instantly.

Can someone who has physical access to my phone line, outside my dwelling, use such access to impersonate the person or company I'm phoning?

That could potentially happen

That's why I do not own a mobile, only a simple cellphone in case of car emergencies. And that's why I blocked all mobile orders on my online store. All orders placed on mobile phones were fraudulent and payments never realized, but I also never shipped the goods. Screw the mobile "industry". It is their fault that fraud like this happens. Just like if a bank is not secure enough the account holder is not held responsible. Banks are full of cashiers who are outright thieves and frauds and try not to give cash by sweet talk to elderly but even I in my 30s was supposed to become a victim. I reported them and they got fired. One did not get fired and I reported to FBI and then the bank had a lot of problems.

Why doesn't the Red Flags rule also require that customers be able to conduct their business without the customer at the next window overhearing all their "challenge question" answers, etc?

"without the customer at the next window overhearing"

Great point. When someone is particularly careless I have been known to approach them afterwards and (with a little prior discussion to set the stage) recite all of their personal info, explaining that there are criminals who make a living out of "shoulder surfing" and that if I have the capacity to immediately memorize all of their information upon simply hearing it once, others do as well. (In fact, there are techniques that can be learned for doing this, although some come by the skill naturally.) The funniest reaction I've had was the wife of a particularly loud mouthed gentleman who immediately lit into him saying, "what have I been telling you every time you open your big mouth?"

My solution is to refuse to provide such information verbally. I either require that we step into a private area, or that I write the information down on a slip of paper WHICH I KEEP and destroy later. However, if they are going to simply repeat the information over the phone so that someone can overhear them, I either get a manager to solve the issue, or I put a halt to the transaction until I can make other arrangements.

There are other forms of ID theft that can have unfortunate results. Who's the ombudsman to report vulnerabilities to?
If I suspect that the "red flags rule" program for a particular business may be flawed, or perhaps was not followed, who would I report it to?

All forms of ID theft can be reported at

I have a friend who works for Boost mobile. I gave her money to purchase a phone and to turn the service on for me. I told her to add a PIN number. We had got into a fight, so because she knew all my information and my PIN number she turned my service off and changed my PIN number. After a week she turned my phone back on but now it says my PIN has been changed. How can I find out how to retrieve my PIN?

Requiring a PIN or password at the phone store in this case may have helped to prevent identity fraud, even if the identity thief presents a fake ID at the store. But the use of a PIN or password as a shared secret between the customer and the mobile service provider has known weaknesses: it can be stolen by identity thieves and used to impersonate someone else. That’s one reason why many service providers are using one-time codes sent to their customer’s mobile phones as a second layer of authentication. Although not foolproof, it’s better than relying only on a static PIN or password.

But what if the mobile phone provider instead had sent a “push notification” to the author’s phone? The notification message might have said something like “Someone, perhaps you, is attempting to update your account at a phone store. If this is you, please enter a PIN (or swipe your finger) to authorize this transaction.” The author, upon receiving this notification on her phone, would have realized immediately that something was wrong, and the fraud would not have succeeded. But if the transaction were legitimate, the mobile phone customer could authorize the transaction by providing the correct PIN, or perhaps swiping a finger. The difference here is that the identity thief would not only need to know the correct PIN, but would also need to have the phone as well. The PIN or biometric would never leave the phone, but would instead be used to unlock a “key” to authorize the transaction. Preventing fraud by demonstrating possession of one of the phones on the account, in addition to knowledge of a PIN, is a stronger method of preventing fraud.

In any case, mobile carriers would need to implement fraud prevention options such as this, and mobile phone customers would need to know about these options, and be motivated to activate them.

At least three things seem to be needed: (1) a set of “best practices” for preventing various kinds of identity theft that some entity acting in the public interest (the FTC?) is distributing throughout the business community; (2) incentives to motivate the business community to implement these practices; and (3) awareness and education of individuals about these practices. Could the FTC take a more aggressive role in making these things happen?
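The push-approval idea in the comment above, worked through as an added example (it is not part of the original post or comments, and it is not any carrier's actual system). The `Handset` and `Carrier` classes, account and store identifiers are hypothetical, and an HMAC over a key shared at enrollment stands in for a signature made by a key held in the phone's secure hardware.

```python
import hashlib
import hmac
import json
import os
import time

PBKDF2_ROUNDS = 100_000  # assumed work factor for this sketch


def _canonical(challenge: dict) -> bytes:
    """Serialise the challenge deterministically so both sides MAC identical bytes."""
    return json.dumps(challenge, sort_keys=True).encode()


def _pin_mask(pin: str, salt: bytes) -> bytes:
    """Stretch the PIN into a 32-byte mask; computed on the handset only."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Handset:
    """Hypothetical enrolled phone. It keeps the device key only in PIN-wrapped form."""

    def __init__(self, device_key: bytes, pin: str):
        self._salt = os.urandom(16)
        self._wrapped = _xor(device_key, _pin_mask(pin, self._salt))

    def approve(self, challenge: dict, pin: str) -> bytes:
        """Unlock the key locally with the PIN and MAC the transaction shown to the user.
        A wrong PIN unlocks a wrong key, so the carrier's check fails."""
        key = _xor(self._wrapped, _pin_mask(pin, self._salt))
        return hmac.new(key, _canonical(challenge), hashlib.sha256).digest()


class Carrier:
    """Hypothetical carrier back end that gates account changes on handset approval."""

    def __init__(self, ttl_seconds: int = 600):
        self._keys = {}      # account -> device key registered at enrollment
        self._pending = {}   # nonce -> outstanding challenge
        self._ttl = ttl_seconds

    def enroll(self, account: str, pin: str) -> Handset:
        key = os.urandom(32)
        self._keys[account] = key
        return Handset(key, pin)

    def start_change(self, account, action, store, now=None) -> dict:
        """Create the challenge that is pushed to the enrolled handset, not to the store."""
        now = time.time() if now is None else now
        challenge = {"account": account, "action": action, "store": store,
                     "nonce": os.urandom(16).hex(), "expires": int(now) + self._ttl}
        self._pending[challenge["nonce"]] = challenge
        return challenge

    def finish_change(self, nonce: str, response: bytes, now=None) -> bool:
        now = time.time() if now is None else now
        challenge = self._pending.pop(nonce, None)   # single use, even on failure
        if challenge is None or now > challenge["expires"]:
            return False
        key = self._keys[challenge["account"]]
        expected = hmac.new(key, _canonical(challenge), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run the cases from the discussion; all identifiers below are constructed."""
    carrier = Carrier()
    acct, pin, store = "acct-1001", "4821", "store-OH-17"
    phone = carrier.enroll(acct, pin)
    out = {}

    c = carrier.start_change(acct, "upgrade two lines to new handsets", store)
    answer = phone.approve(c, pin)
    out["owner_approves"] = carrier.finish_change(c["nonce"], answer)
    out["replayed_answer"] = carrier.finish_change(c["nonce"], answer)

    # Impostor at the counter knows the PIN but holds a different handset.
    c = carrier.start_change(acct, "upgrade two lines to new handsets", store)
    other = Handset(os.urandom(32), pin)
    out["pin_without_phone"] = carrier.finish_change(c["nonce"], other.approve(c, pin))

    # Enrolled handset in the wrong hands, PIN unknown.
    c = carrier.start_change(acct, "move number to new SIM", store)
    out["phone_without_pin"] = carrier.finish_change(c["nonce"], phone.approve(c, "0000"))

    # Approval given for one action presented for a different one.
    c1 = carrier.start_change(acct, "add device insurance", store)
    c2 = carrier.start_change(acct, "move number to new SIM", store)
    out["approval_reused"] = carrier.finish_change(c2["nonce"], phone.approve(c1, pin))

    # Approval that arrives after the challenge has expired.
    c = carrier.start_change(acct, "move number to new SIM", store, now=1_000)
    out["late_answer"] = carrier.finish_change(c["nonce"], phone.approve(c, pin), now=1_601)
    return out


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:18} accepted={accepted}")
```

Only the first case is accepted. Because the shared HMAC key also lives at the carrier, this sketch does nothing against a rogue insider; an asymmetric device key, with only the public half registered, would be needed for that.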

This happened to me in 2012. I'm glad to see that more attention has been given to this type of issue. Someone was successful in hijacking my account to purchase 5 iPhones. I had the passcode and all available alerts setup on my account. It was my account activity alert that informed me of the activity. I received an email thanking me for purchasing a new phone. In 2012, the cell phone company and law enforcement were very difficult to work with and were not interested at all!!! They acted as if I had done something wrong! I had my account locked down as much as it could be. This fraud was committed in person. There were all sort of red flags that the cell phone company ignored: 1) all of the transactions were uncharacteristic of my 20 year old account; 2) supposedly, the individuals didn't even know my full cell number; 3) the majority of the fraudulent transaction was completed by a member of the opposite sex, when that sex is not listed on my account; 4) in 20 years, I've never purchased an iPhone so why would I all of a sudden buy 5 of them; 5) my account was blocked from premium services, while the 5 fraudulent iPhones were purchased all with premium services; 6) etc.

There were too many mistakes that lead me to believe that the hijacking of my cell phone account was an internal scam. How do we prevent those??? They moved my number to a secondary account, associated with my account and made one of the stolen iPhones the primary. They removed my address and left the address blank. They removed the majority of my alerts. I was fortunate that they missed 2 alerts!!

Lost my phone so I can't receive a text or email code to login what can I do to to login before my account gets closed

What do you do if your house burns down or what do you do if your car quits? You have to have a back-up plan. Maybe install a landline. People need to be aware of the possibilities of this stuff happening. Thank you for the article.

While getting a landline sounds like a good plan, I just had my landline illegally ported by someone who is now trying to use my identity to set up credit cards in my name, with my ported phone number, but to an address that is not mine. I have no idea how my landline was ported, but pretty much nothing is safe from those who are bent on earning their money the fraudulent way. I caught it at 6 am on the day it was being ported and was able to block their access to all of my financial accounts and get a 7 year fraud alert placed on my account with all three credit reporting companies. Who knows how much of my personal data they have and how or when they will choose to try and use it again. Oh, the blessings and wonders of our technological advances.

Oh my gosh..... just think how bad it would have been had you not caught what was happening!!!!! How were you alerted? That’s a great safeguard. Wow, something that works like it says it’s supposed to work! And how did you manage a 7 year fraud alert? I contacted the credit reporting agencies and put a fraud alert then a credit freeze and it worked for a couple months then all hell broke loose. Someone sold my info and bank account info to the highest bidder because I was foolish enough to put my account I owed money on, on auto pay to make sure I never was late paying my bills. I had VERIZON withdraw 660.00 from my bank account when I’d closed my cell account with them five days before and I was waiting for them to send me a final closing bill. I was shocked they could do that. And I WAS A GOOD CUSTOMER TOO for over 20 years and always paid on time and was kind to the customer service reps always.

Once your info is out there everyone scams and takes advantage of you. Who’s to stop it? We as consumers have no real help. And they know this; that's why they do it to us. The fleecing of American Citizens is in full swing. Be careful with your money and document everything and keep it in a safe place, not in the cloud!

If phone carriers sold data and cell service like gas stations sell gas, instead of by monthly contract, and also didn't sell phones or at least required phones to be bought separate from service, maybe there wouldn't be such ready picking for scammers.

Also, the fact that the big four lose so much money to scams and still make massive profits should tell us something about their obscenely high profit margins.

I have not had a 'contract' with a cell phone company for many years. When my last contract expired I stayed with the same major carrier but switched to a prepaid month to month. The rates are actually lower and the only inconvenience is remembering to re-up my phone every month which is easily done with a simple call. I also do not take up the option of having them store my debit card info...I re-enter it every time. I purchased an unlocked phone via a large on-line retailer (starts with A) so should I opt to go to a different carrier I have no need of purchasing a new phone.
There are good options out there to protect just have to think outside the box and not be swayed by carriers telling you that you need a long term contract and a phone locked in to their service.

I very much enjoyed reading this article. Do you mind if I post to the Department of the Navy Chief Information Officer website and possibly use the article in our IT publication called CHIPS? I will make sure the source and author are cited.

Excellent article!

Dear Ms. Cranor: I wish you had also named the carrier in your informative blog post. I don't understand why the carrier deserves to be shielded from exposure, especially since following security protocols appears to be "optional" depending on what store a crook happens to walk into and since the customer service representative had the temerity to blame you! How is any customer supposed to control whether a store rep follows required procedures when vetting a request to change phones? And it certainly doesn't take much effort to get the last four digits of a SS#, let alone somebody else's phone #.

The other thing implied, but left unsaid, is that humans are by far the weakest link in a typical security chain. I am always stunned at how easy it is to talk a representative into giving up the keys to an account kingdom. All it takes is a friendly voice, a polite manner, or an "honest" face. Unfortunately, enforcing security protocols and providing excellent customer service are often seen by electronic device/service providers as mutually exclusive, when they're not. No wonder honest people are constantly at a disadvantage and the crooks get to laugh all the way to (someone else's) bank.

Very well said. All of these mobile phone companies have all the power, and technical knowledge to protect consumers' accounts against these criminals.

Why don't carriers require the account holder to have his/her phone present to effect change/upgrade? If person claims phone is lost or stolen, why don't they call phone to confirm? There seem to be simple fixes. -Tom

I agree, this seems like a very easy thing to do, and should be a requirement. Send an SMS saying the phone is being switched off, and then call the number. Wait 10 minutes for someone to respond. The real owners may not always respond, but even just the existence of the checks would greatly increase the risk for the thieves and act as a substantial deterrent.

I don't want to seem insensitive, but I had a number transferred off my account by a family member, transferring my number to an in-law's account without my permission. The carrier (metropcs) defaults all passwords to the account holder's date of birth. The carrier was completely unresponsive, to the point that they would not even provide me the store this happened at to send the cops to investigate. Even worse I CONTACTED THIS AGENCY, THE FTC, AND WAS TOLD THIS IS NOT, I REPEAT NOT IDENTITY THEFT! Hopefully with this personal experience you realise the gravity of the situation and use your agency's powers to enforce prosecution of the types of crimes that you personally identify with that your agency currently denies the existence of. Sincerely-good luck and please use your position to influence change. Thanks

I was wondering if you happen to be from Southern California? If so I'm positive it's the same group that has attacked me and I believe we are very close to finding out who these people are.

I am from Southern California and this just happened to me today

I was able to find good advice from your articles.

"She had acquired the iPhones at a retail story in Ohio, hundreds of miles from where I live,"

Should say "retail STORE"

Good catch... thanks!

Dr. Cranor:

You wrote that, "In January 2013, there were 1,038 incidents of these types of identity theft reported...By January 2016, that number had increased to 2,658 such incidents."

How--exactly--did the Consumer Sentinel data people come up with that? There seem to be six applicable values under "Theft Incident SubType Description":

Wireless - New
Wireless – Existing
Utilities - New
Utilities – Existing
Telephone - New


