cell phone numberWe often think of our social security numbers as being the crucial key to unlocking our identities, and it certainly is, but there’s a new kind of key that’s becoming more and more valuable to cybercriminals year by year — your cell phone number. When you think about it, the fact that this piece of information has become so important to digging into a person’s identity makes sense. After all, every person with a mobile phone has a unique 10-digit number that they share willingly with friends as well as strangers, depending on the circumstances. It’s a far cry from the days of landline phones, where a single number might be shared by half a dozen people or more.

How many times have you downloaded an app that required a valid mobile number to continue, written it down on forms at the doctor’s office or used your number at a grocery store to take advantage of your frequent shopper rewards? Unlike social security numbers, we freely share cell phone numbers without too much forethought, and it’s coming back to bite many people in the form of identity theft. If you’re wondering how cybercriminals can use your cell phone number to steal your identity and what you can do to protect yourself, keep reading.

Why are cell phone numbers just as revealing as social security numbers?

First used in the 1930’s, social security numbers have evolved to become a cornerstone of American identity, with every citizen being assigned their own unique number which is used by financial institutions, such as banks and the credit bureaus, government agencies, such as the IRS, and more to organize and acquire data about them. However, even though all U.S. citizens have social security numbers, not all of them have a credit history, and there are specific state and federal rules and regulations when it comes to how businesses and institutions can store and use social security numbers. Cell phone numbers, on the other hand, are not regulated. There aren’t any federal mandates that say a company must keep your cell phone number private, which means it’s data which can (and often does) get sold or left in less-than-secure databases.

According to recent data from the U.S. Health Department, 50.8% of American households do not have a landline, and instead solely rely on mobile phones. Not only do a majority of people in the U.S. use cell phones, but they are far more than just phones — increasingly, our smartphones are being optimized to perform all sorts of functions, from controlling the locks and lights in homes to completing financial transactions. Since we carry them wherever we go, geolocation features can track our every movement. Wireless phones are relatively easy to obtain and maintain, which means even someone with no credit history is likely to have one, and an increasing amount of children under 18 also have their own cell phones — which means they have a cell phone number that is tied to them and everything they do online. These numbers, in turn, are connected to far more databases than a social security number, many of which are totally open to thieves and scammers if they know how to look. Thus, alongside the growth in cell phone ownership is an increase in phone number-related identity theft.

How can a cybercriminal use your phone number against you?

Last year, approximately 161,000 U.S. consumers had their mobile accounts taken over, up from 84,000 in 2015. Considering only a small percentage of people report their identity theft to the FTC, it’s likely that any numbers available grossly underestimate the true scope of the problem. Thieves can get a hold of your phone number in multiple different ways, including from data stolen in breaches (like those in recent years at Yahoo and Anthem, for starters), which can be purchased in bulk on the dark web at a low cost. Once they have access to your cell phone number, a cybercriminal can do a number of things with it. Here are some of the most common ways your number can be misused:

1. Gather information about you. Since cell phone numbers are often used as an identifier on social media sites, apps and more, typing your number into a search engine or website can help someone glean plenty of information about you, which can be used in plenty of ways, including social engineering scams. Even scarier, a cell phone number can be the key to figuring out your true identity online — for example, if your cell phone number is connected to your Facebook account, someone could use it to try and obtain your name either through the site’s general search (if you haven’t made that private) or by using the “forgot password” feature at login and entering your number instead of a name or email address.

2. Launch smishing attacks and phone scams against you. If your phone number is in the hands of a criminal, they can use it to their advantage and try to scam you via text messages (known as smishing) or over the phone. These types of scams can be convincing, especially if the scammer has done their homework about you prior to their attempt, and you might be apt to think it’s legitimate if it’s coming directly to your phone. While phone scams might seem as outdated as landlines, they are very much still a problem these days, especially around tax time.

3. Take over your mobile account. People search or reverse-lookup websites allow anyone to find out information about a cell phone number, including the carrier (e.g., Verizon or Sprint), name and city/state associated with the number. They may have to pay to get some of the latter information, but the cost is usually cheap compared to how much they can benefit from it. Using information gleaned about you, they will impersonate you either in-person or over the phone to gain access to your mobile account. This enables them to upgrade for free phones (which they can sell for a profit), add additional lines or take over your number entirely (known as a SIM swap). They might also try to open up a mobile account at a different carrier using your information.

4. Gain access to your financial accounts. Beyond wreaking havoc with your mobile account, access to your phone number enables cybercriminals to take advantage of accounts using text message-based two-factor authentication. If they are in control of the phone number attached to these accounts, then any phone calls or texts sent to verify your identity will be sent to them instead of you. This could very well give them the ability to change the passwords and get access to your accounts, possibly leading to unauthorized charges on your credit cards or a drained bank account.

What can you do to protect yourself?

It might seem overwhelming to think about protecting your cell phone number, especially if you’ve had it for a long time and haven’t put much thought toward being careful in the past. However, there are certainly a few things you can do to protect yourself from falling victim to cell phone number identity theft.

Use a virtual number for non-critical use. One of the best ways to limit the amount of personally identifying data tied to your number is to avoid giving it out to anyone except those closest to you. That’s easier said than done today, but you can get some help by using a virtual number for non-personal matters. You can get a free one through Google Voice. These virtual numbers can accept text messages and phone calls, and you can set them up to forward to your mobile phone so that you won’t miss anything legitimate, but you also can rest easy knowing that your personal number is not accessible to wannabe thieves and scammers.

Don’t give it out unless necessary. You might be conditioned to jot down or hand over your number whenever asked, but it’s important to snap out of that habit and make a new one out of asking whether it’s necessary. You might ask whether you can instead provide a zip code or email address (make sure you’ve got an email address set up for this purpose first). Similar to your social security number, there are likely many cases where your cell phone number is collected as a means of quickly and easily identifying you, but isn’t actually mandatory. It never hurts to ask, and a virtual phone number can help in the instances where you have to provide one. Additionally, don’t publish your cell phone number online, and consider searching for it every so often to ensure it’s not providing a road map to your identity.

Establish a PIN or password with your mobile carrier. Thanks to the FTC’s Red Flags rule, mobile providers are among the businesses in the U.S. which are required to establish and follow guidelines to detect, prevent and mitigate identity theft for their customers. As a result, most allow you to set up an additional password or PIN that can be required to make any changes to your account. This secondary safeguard can help in the instance someone does get access to your information and tries to take over your account. Even if they employ a SIM swap, without your password or PIN, they hopefully won’t be able to get too far.

Report suspicious activity immediately. If your phone suddenly becomes disconnected and restarting it doesn’t change anything, or you notice something fishy with your bill, make sure you contact your mobile carrier immediately. The sooner you can catch a scammer in action, the quicker you can get the situation under control and prevent them from causing more damage. If you do find yourself a victim of cell phone number-related identity theft, make sure to report it. Additionally, be on alert for suspicious phone calls or messages pretending to be from your carrier — if your two-factor authentication is triggered and you haven’t attempted to sign in, that’s a sign someone may be trying to break into your account, and you should contact your carrier (and the corresponding service that sent the two-factor authentication code) at once.

The world has changed a lot since mobile phones were first introduced, both for better and for worse, but with a few adjustments to how you conduct yourself, you can do your best to dodge the scammers trying to take advantage of this technology. Learn more about protecting yourself and your information by following our identity theft protection blog.