
The Federal Communications Commission (FCC) has issued an Enforcement Advisory addressing the increasing threat of fraudulent Subscriber Identity Module (SIM) swapping schemes. The Enforcement Advisory comes on the heels of the Commission’s proposed $20 million fine against Q Link Wireless and Hello Mobile Telecom for apparent failures to protect subscribers’ Customer Proprietary Network Information (CPNI), violating data security standards under Section 222 of the Communications Act of 1934 (“the Act”) and the FCC’s rules.

These schemes involve threat actors gaining control of mobile phone accounts without physical access to the device. Threat actors engage in fraudulent SIM swaps to carry out data breaches in furtherance of ransom and extortion schemes. The schemes typically use one of two methods – SIM swapping and port-out fraud. In SIM swapping, threat actors convince a wireless provider to transfer a victim’s mobile service and number to a device they control. In port-out fraud, the threat actor opens an account with a different provider, transferring the victim’s number to the new account. Then, threat actors can intercept authentication calls and texts, gaining control over various accounts, such as those with financial institutions, healthcare providers, and retail websites.

The heightened scrutiny carriers are facing is consistent with the findings released by the Department of Homeland Security Cyber Safety Review Board in August, outlining the increasing problem of SIM swapping. Currently, the Act requires telecommunications carriers to take reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI, and to properly authenticate customers when disclosing CPNI. Carriers must also notify customers immediately of certain account changes.

The FCC has adopted proposed rules to address the rise in SIM-swapping that are slated to go into effect in 2024. Further details on the effective date are forthcoming, but soon all providers will be required to: 

  • Adopt secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or provider;
  • Adopt processes for responding to failed authentication attempts;
  • Institute employee training for handling SIM swap and port-out fraud;
  • Establish safeguards to prevent employees who receive inbound customer communications from accessing CPNI in the course of that interaction until after the customer has been authenticated;
  • Notify customers regarding SIM change and port-out requests;
  • Offer customers the option to lock their accounts to block processing of SIM changes and number ports; and
  • Give advance notice of available account protection mechanisms.

When SIM swap or port-out fraud occurs, providers will also be required to:

  • Maintain a clear process for customers to report fraud;
  • Promptly investigate and remediate fraud; and
  • Promptly provide customers with documentation of fraud involving their accounts.

The FCC’s Enforcement Advisory and the forthcoming rules to combat SIM fraud underscore the Commission’s interests in increasing security and protecting consumers in the realm of telecommunications. The recent enforcement action against Q Link Wireless and Hello Mobile Telecom serves as a stark reminder of the potential consequences for carriers failing to protect subscribers’ CPNI adequately. As threat actors employ increasingly sophisticated tactics, carriers and customers should take the time to review their current CPNI practices and ensure they are compliant with the FCC’s current procedures, and make plans for compliance as the new rules are implemented.

Should you have any questions or require further assistance regarding the matters discussed in this advisory, we encourage you to reach out to the attorney assigned to your account. If you do not currently have an assigned attorney, please feel free to contact Linda McReynolds at lgm@commlawgroup.com, and she will promptly assist you or direct you to the appropriate legal professional. Your satisfaction and understanding are paramount, and we are here to ensure your legal needs are met with the utmost care and expertise. Thank you for entrusting us with your legal matters.
