Your mobile phone account could be hijacked by an identity thief

Share This Page

A few weeks ago an unknown person walked into a mobile phone store, claimed to be me, asked to upgrade my mobile phones, and walked out with two brand new iPhones assigned to my telephone numbers. My phones immediately stopped receiving calls, and I was left with a large bill and the anxiety and fear of financial injury that spring from identity theft. This post describes my experiences as a victim of ID theft, explains the growing problem of phone account hijacking, and suggests ways consumers and mobile phone carriers can help combat these scams.

My Experiences as a Victim of ID Theft

One evening my mobile phone stopped working mid call. After discovering that another phone on my account also had no signal, I called my mobile carrier on a landline phone. The customer service representative explained that my account had been updated to include new iPhones, and in the process the SIM cards in my Android phones had been deactivated. She assumed it was a mistake, and told me to take my phones to one of my mobile carrier’s retail stores.

The store replaced my SIM cards and got my phones working again. A store employee explained that a thief claiming to be me had gone into a phone store and “upgraded” my two phones to the most expensive iPhone models available and transferred my phone numbers to the new iPhones.

I called my mobile carrier’s fraud department and reported what happened. The representative agreed to remove the charges, but blamed the theft on me. When I asked how the store authenticated the thief, he told me that employees of stores owned by the mobile carrier would have asked for the account holder’s photo ID and the last four digits of their social security number, but if the theft occurred at another retailer, that might not have happened.

I logged in to my online account, changed the password, and added an extra security PIN recommended by the fraud department. I then logged on to the Federal Trade Commission’s website to report the theft and learn how to protect myself. is a one-stop resource for identity theft victims. It includes step-by-step instructions and sample letters to guide victims through the recovery process. Following the checklist, I placed a fraud alert and obtained a free credit report. I also prepared an identity theft complaint affidavit, which I later printed and took with me to my local police station when I filed a police report.

I called my mobile carrier back several times over the next few days to finish cleaning up this mess. One of my phones had ended up with the wrong phone number and the other one no longer had voice mail. A few days later I received an email about mobile phone insurance that the thief had apparently added to my account. After three trips to my carrier’s retail stores and many hours on the phone, my carrier eventually fixed all the problems and refunded the fraudulent charges.

I was interested in learning where the theft had occurred and how much of my personal information was in the hands of the thief. Section 609(e) of the Fair Credit Reporting Act requires that companies provide business records related to identity theft to victims within 30 days of receiving a written request. So, following the template provided by, I wrote a letter to my carrier requesting all records related to the fraudulent upgrades on my account. After about two months my carrier sent me the records. I learned that the thief had used a fake ID with my name and her photo. She had acquired the iPhones at a retail store in Ohio, hundreds of miles from where I live, and charged them to my account on an installment plan. It appears she did not actually make use of either phone, suggesting her intention was to sell them for a quick profit. As far as I’m aware the thief has not been caught and could be targeting others with this crime.

The Growing Problem of Phone Account Hijacking

Records of identity thefts reported to the FTC provide some insight into how often thieves hijack a mobile phone account or open a new mobile phone account in a victim’s name. In January 2013, there were 1,038 incidents of these types of identity theft reported, representing 3.2% of all identity theft incidents reported to the FTC that month. By January 2016, that number had increased to 2,658 such incidents, representing 6.3% of all identity thefts reported to the FTC that month.  Such thefts involved all four of the major mobile carriers.

Identity theft reports to the FTC likely represent only the tip of a much larger iceberg. According to data from the Identity Theft Supplement to the 2014 National Crime Victimization Survey conducted by the U.S. Department of Justice, less than 1% of identity theft victims reported the theft to the FTC.

Media reports on mobile phone account hijacking provide more evidence of this problem. A 2013 Forbes article reported that the government had seized over 5,500 phones from a Michigan operation that allegedly acquired them fraudulently from AT&T, Verizon, Best Buy, Radio Shack, and Apple stores and was shipping them overseas. The article reported that thieves used stolen identities to upgrade phones and add phone lines to existing accounts. In February 2015 more than 50 customers in the Denver area complained that Verizon had charged them for iPhone 6s, iPads, and new service plans they had not ordered. A North Carolina church received an AT&T bill for 17 iPhones purchased by an identity thief. In December 2015, four suspects were charged with using fake identity documents to purchase iPhones at AT&T stores in Kansas. In April 2016 three people arrested in a traffic stop in New Jersey were found to have fake IDs with the names of identity theft victims that they had used to fraudulently acquire iPhones. In May a man was arrested in Oregon for trying to buy four iPhones at a Verizon store using a fake ID. The man had previously been arrested twice on similar charges.

The reports indicate that it is common for thieves to hijack a mobile phone account and also open other accounts in the victim’s name, days or weeks later. These are often mobile accounts with other carriers or credit cards for retail stores. In addition, some victims reported that identity thieves also changed the email addresses associated with their financial accounts.

Some victims did not have their mobile account hijacked, but instead received bills or calls from bill collectors about accounts with other carriers that identity thieves had opened with their names.

Most of the account hijackings likely occurred without the victims having provided information to fraudsters themselves. There are a number of reverse-lookup websites that will identify the carrier associated with any US phone number for free. Some will also identify the name of the subscriber and their city and state for free, and will sell the complete address for less than a dollar. There are also black market websites that sell dossiers that include social security numbers.

Other victims have also recounted falling for a phone scam in which the caller impersonated a representative from their mobile carrier. One victim reported that before their account was hijacked, a caller fraudulently claiming to be from their mobile carrier told them that their phone service would be down for 24 to 48 hours. Another victim reported that that a phony representative from their carrier’s fraud department called them and asked them to read back a code that had just been texted to their phone. When the victim complied, the fraudster was able to impersonate the victim and make unauthorized changes to their mobile account.

Perhaps most insidious, some thieves use their victim’s hijacked phone number to gain access to financial accounts that use two-factor authentication through text messages. This is known internationally as a “SIM swap” scam, or “SIM splitting.” The New York Division of Consumer Protection also warns about this scam on their website.

Thieves first purchase the victim’s bank account info or acquire it through a phishing attack. They may also look for publicly available information about the victim on social networks that can help them answer security questions. Then they impersonate the victim and call the victim’s mobile phone company to report that their phone has been damaged or stolen and convince the company to cancel the SIM card and activate a new SIM card with the victim’s phone number in the thieves’ phone. The thieves are then able to make bank account transfers, responding to phone calls and text messages directed to the victim’s phone number in order to complete the transactions. The victim’s phone stops working as soon as the SIM card is swapped. It usually takes them several hours or days to get their phone service restored, and longer to notice that their bank account has been emptied.

Industry experts I spoke with at a company that provides authentication services for mobile banking told me that SIM swap scams have become common in Europe and are increasing in the United States. In addition to obtaining information through phishing attacks, they told me that fraudsters often purchase victims’ information from black market sellers, or from rogue employees of financial institutions or mobile carriers. Unfortunately, there is little a consumer can do to prevent this.

What You Can Do

I asked all the major mobile carriers what consumers could do to protect themselves from a mobile account takeover. One of the most important steps you can take is to establish a password or PIN that is required before making changes to your mobile account. Each of the carriers offers this feature to their customers in a slightly different way.

AT&T offers a feature they refer to as “extra security.” Once activated, any interaction with AT&T, whether online, via phone, or in a retail store will require that you provide your passcode. You can use your AT&T online account or the myAT&T app on your mobile phone to turn on extra security. Note, that when you login online with your passcode, you may be presented with the option to not be asked for it again. Do not accept this option or you will disable extra security.

Sprint asks customers to set a PIN and security questions when they establish service with Sprint, so no additional steps are needed to use this feature.

T-Mobile allows their customers to establish a customer care password on their accounts. Once established, customers are required to provide this password when contacting T-Mobile by phone. To establish such a password, customers can call T-Mobile customer service or visit a T-Mobile retail store.

Verizon allows their customers to set an account PIN. Customers can do this by editing their profile in their online account, calling customer service, or visiting a Verizon retail store. This PIN provides additional security for telephone transactions and certain other transactions.

Using this extra password or PIN is a good idea and should help reduce your risk of mobile account takeovers. However, it does not offer complete protection, so make sure you remain alert for phishing attacks, protect your financial account information, and examine your mobile phone and credit card bills carefully every month for signs of fraud. If your phone stops receiving a signal and says “emergency calls only” or “no network,” even after you restart your phone, contact your mobile carrier to see whether your account has been hijacked.

What Mobile Carriers Should Do

The mobile carriers are in a better position than their customers to prevent identity theft through mobile account hijacking and fraudulent new accounts. In fact, many of them are obligated to comply with the Red Flags Rule, which, among other things, requires them to have a written identity theft prevention program.

Carriers should adopt a multi-level approach to authenticating both existing and new customers and require their own employees as well as third-party retailers to use it for all transactions.

Having a mobile phone account hijacked can waste hours of a victim’s time and cause them to miss important calls and messages. However, this crime is particularly problematic due to the growing use of text messages to mobile phones as part of authentication schemes for financial services and other accounts. The security of two-factor authentication schemes that use phones as one of the factors relies on the assumption that someone who steals your password has not also stolen your phone number. Thus, mobile carriers and third-party retailers need to be vigilant in their authentication practices to avoid putting their customers at risk of major financial loss and having email, social network, and other accounts compromised.

The author’s views are his or her own, and do not necessarily represent the views of the Commission or any Commissioner.


I went into a local convenience store and wanted to pay for my breakfast samich with my Visa card because I had walked out of the house without cash. Apparently, the chain of stores had added a new level of "secure" authentication, the clerk explained, by entering into the cashier's terminal the customer's 3-digit security code from the back of the card. I hesitated, but held up the card to the clerk so that he could read the number, rather than me read it aloud because several customers behind me would have overheard it. The clerk then says aloud, "Okay, let's, 6-8-7" and punches it in. I went ballistic that he had read it loud enough for the whole line to hear! I complained to the manager and went home and canceled the card. Be careful, folks!

I am dealing with right now someone somehow transferred my tmobile phone number to a verizon number and somehow used my verbal password???? HOW??? you have to speak to someone to do that?? So now they tell me i should call and have verizon transfer back the number, HA...VERIZON does not have my number to that account. So they cant...cause they dont know how. Tmobile says it is not a smart phone which my phone is a smart phone. SO can they get their act together?? 15 years and NEVER had a problem.

Having a pin is not enough, if they have two fake IDs and present them to the store the customer service rep can bypass the pin, which is so dumb it doesn't make sense but that is what my carrier told me, I have tmobile

I want to ask that somebody put my number into her google voice account and google sends me the verification code but i didn't give code to her so will she can be use my number through her voice account or not?

This is my story ! I’m going through this now, she had an Id and everything. She went into a fort smith Arkansas store and had my Id , they lady remembered it and the day and time because my last name is Christmas. We are trying to get the video and I will hopefully stop her!

This just happened to me last weekend. I received emails thanking me for adding new lines, installment agreements, and store receipts. This happened in a Sprint store on the other side of the country from where I live. When I called the store manager and asked how they did this, he said that they scanned their ID. That's all. No more pins or passwords, etc. I have no idea how someone encoded their id with my info, but the scanned ID gave them access to my now they have my account number, phone number, and my contact information...all printed on the receipt that I would assume they received a copy of and was emailed to ME because they used my account. I've contacted Sprint, made a police report, reported to the, etc. I am very unsettled about what they might do next with my info. Not to mention the hours I've spent on this. :-(

The AT&T fraud dept is a joke. Someone fraudulently purchased two phones on my account and I didn't realize it right away. My statements are paperless and my payment was directly withdrawn from my account. I'm already into it for $500 for someone else's phones. After waiting for 2 -3 hrs on hold several times they kept trying telling me the most outrageous lies...for example I told them to provide me with proof of signature on the purchase. The fraud department told me that I didn't have to sign anything, just agree to the terms and conditions...(had to delete "bad word" abbreviation). Then i asked for proof of swiping my ID since I have to show ID to make changes to an account, they then told me that they don't swipe or scan ID's at the store...again a lie. this was just the tip of the iceberg of lies. I have been dismissed and treated like a thief. I have complained to just about every place I can think of and I simply get passed around on hold with ZERO results. I wish this company wasn't so big because they sure as (insert another "bad word" here) would lose all their customers. Apparently after speaking with many,many AT&T personnel, that fraud is rampant and everyone acknowledges it except AT&T.. The thing is that I cannot even switch carriers and keep my same phone and number since I have B$ installments on my phone.

Quite frankly all you need is a person’s phone number to be able to hijack an account . The cell phone companies know this they aren’t doing anything to prevent this from happening or they probably can’t . This is a very serious issue that needs to be address to Congress .

This Michael E West was forcing me to get an online access to my Sprint Care as soon as possible. I explained to him I do not have online access he wants me to create one. He was not happy because i said to him i am sorry I cannot help you.He raises his voice saying that he is not poor he can afford whatever he want to buy.

When will I get a report from the investigation about my cell phones and internet service? It’s still not working right now same words about mental disability insurance and money This all has been going on for years now? I need information ℹ️

I received a call from 800-726-0323 threatening me with jail time. Who is this & what ca I do about it?

Someone is hacking me presently now while I'm trying to sign up

This has also happened to me, however, I know the person who did it, but I don't know how to prove it. He actually has my device number, so it doesn't matter if I change my account. He has blocked my calls and texts and I don't understand how to de-root my phone or if he is using another device to detect my phone and use it for his advantage. If anyone has some advice, please let me know what I should do.


I find it strange I had a line on my moms contract but my girlfriend wanted to get me a phone on her account so I did I traded in my old phone my mom suspended the line and I was on my girlfriend's phone contract well 3 months later my mom noticed her bill was high and there were charges on the account she called me and asked if I had traded it in I said yes she said well it's in use come to find out some random stranger had my phone and the line was never suspended I'm thinking it was the employee at Verizon who waited on me I think he acted like he suspended the account took my old phone and sold it to someone what can I do about it I think he might have been selling people information as well because all of a sudden he has a restaurant business and nice house and cars just seems odd Verizon hasn't done anything so I wonder what I can do.

A worker at Verizon corporate office on 24th Street and Baseline hacked into my accounts and even sold me a new phone(Samsung Galaxy A10 20), then Switched the phone sent me home with. He was using my phone entire time of getting a new sim card, Also asked me for my Account passwords, and email address and password, he said he needed this to try it get my phone working because"Someone" BLOCKED INTERNET/DATA ACCESS!! HE EVEN ADDED A CLOUD ACCOUNT $5 Extra every month WITHOUT ASKING OR Informing me! By chance I saw this notice from carrier and told him "Why did you help us Cloud service via Verizon and then NOT tell me or even ask! He said he'd remove AFTER he took care of young woman who just showed up at the store and AFTER I left the store! He kept all personal info he written down on post it note!! Seems to me that the phone I bought clearly was not one that I would choose and told me that my other phone isn't worth getting the warranty on!! I would not have phone service either nor any phone for long time waiting for my old refurbished phone not very good!! Anyway I can do anything about this as Verizon employee's are in on this scam together, next corporate store took my ID and into then took off in the back of store out of view to verify my account details with out my phone and other employees at same store verification seemed to be done right out front of the store with owner present. Please advise me on what to do and how to handle this phone theft and all my info theft. Now he had no answers on blocking my phone BUT forced me to purchase one and go home with another or else they came inside home to steal and swap Galaxies out. Had Galaxy A10 20, NOW just have Galaxy A20!! Banking is off also and Gmail/texts intercepted, calls re-routed etc!!


Add new comment

Comment Policy

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.