FCC Must Increase Accountability in Fight to End SIM Swap and Port-Out Fraud

February 13, 2024 — Press Release

Carriers should be held liable for failing to adopt effective measures to eliminate fraud

WASHINGTON –  The National Consumer Law Center (NCLC) and the Electronic Privacy Information Center (EPIC), along with Consumer Action, Consumer Federation of America, National Association of Consumer Advocates, National Consumers League, Public Knowledge, and U.S. Public Interest Research Group, filed reply comments yesterday with the Federal Communications Commission (FCC) calling for substantially stronger rules to protect cell phone users from SIM swap and port-out frauds. These types of fraud occur when scammers who target data and personal information covertly swap a cell phone’s SIM card or port a phone number to a new carrier – actions they can carry out without ever gaining physical control of a consumer’s phone. 

“The FCC must make clear that carriers, which are the only parties in these frauds with the means to protect consumers from losses, are liable in SIM swap and port-out fraud cases,” said Margot Saunders, senior attorney at the National Consumer Law Center. “The threat of individual, occasional enforcement actions from the Commission is not sufficient to compel carriers to protect consumers. Otherwise, these problems would not be so severe today.”

In the comments, the advocates applauded the Commission’s efforts to prohibit the use of patently insecure methods of authentication and require the carriers to evaluate the effectiveness of their own authentication methods every year. However, they warned that, without establishing meaningful incentives that will drive carrier behavior, the measures proposed in the FCC’s recent order are unlikely to reduce the increasing numbers of SIM swap attacks.

“Holding carriers liable when their customers fall victim to fraud is the most effective action the FCC can take to protect consumers from SIM swap and port-out fraud,” said Chris Frascella, an attorney with the Electronic Privacy Information Center. “The FCC must also prohibit carriers from using binding pre-dispute arbitration clauses to rob consumers of their day in court when they fall victim to these attacks.”

Declaring that telephone carriers are responsible for the financial losses suffered by consumers when fraudsters exploit their networks is the best incentive the FCC can provide to encourage carriers to address the misuse of their networks. More importantly, ensuring that harmed consumers can recover their losses from the carriers responsible for failing to prevent them is both vital and fair. The carriers are the only parties in these frauds that have the means to protect consumers from losses. 

SIM swap fraud is an especially concerning crime, because there are few precautions consumers can take on their own, and it subverts what is intended to be a security mechanism.  As a consequence of access to the consumer’s incoming calls and text messages, SIM swap fraud enables the fraudster to access other consumer accounts, such as email, online banking, and social media. Additionally, SIM swaps are typically facilitated by a complicit employee or an employee duped by a criminal actor impersonating a customer. Attackers can also discover information used to facilitate SIM swap fraud through data breaches, which have affected most major carriers, including T-Mobile, Verizon, and AT&T.  

Hundreds of customer complaints to the FCC and the Federal Trade Commission (FTC) each year show that despite victims’ best efforts, SIM swaps are generally successful because provider employees do not know how to address SIM swap fraud, providers refuse to provide documentation of attacks, and provider employees are often involved in the fraud themselves. 

According to the FBI, fraudsters stole more than $72 million via SIM swap fraud in 2022, more than double the losses the FBI attributes to ransomware over the same time period, and a pronounced increase from the $12 million in SIM swap-related losses for the entire three-year period Jan. 2018-Dec. 2020. 

Last year, the Cyber Safety Review Board, an entity comprised of government and private sector cybersecurity experts, called upon the FTC and FCC to “incentivize better security at telecommunications providers by enacting penalties for fraudulent SIM swaps or lax controls.” Earlier this year, a Securities and Exchange Commission’s social media account was taken over and misinformation was published immediately impacting cryptocurrency values; this incident was effectuated via a SIM swap attack. 

 “Consumers must have the power to hold carriers accountable when they fail to prevent this form of fraud,” Saunders added.