It was a Friday in July when I first noticed something seemed off. I was spending some time with my family on a gorgeous summer day, swimming and drinking beer and ignoring my phone as much as possible. When I finally checked my notifications, I had two alerts from Verizon. Both contained authorization codes — the kind of security measure they take when you make changes to your account. There was also a receipt from Verizon for $0 and a message thanking me for activating my new device.

I immediately checked my Verizon account, but nothing seemed amiss. The receipt seemed like a glitch — as if Verizon had belatedly billed me for the phone, which I’d activated four months prior. In hindsight, I should have been more suspicious. I should have called Verizon right away. But why would I want to spend the day in customer-service hell when I could spend it on a boat?

The next morning, though, something else strange happened. When I went to send a text, I realized I didn’t have service. I tried flipping cell service on and off, restarting my phone — nothing. I couldn’t text and I couldn’t make calls. I asked my fiancé to check for a local Verizon outage, but nothing turned up. I wondered whether maybe I was just in a dead zone, but I’d never had this problem before. And then I started to feel that slowly dawning sense of dread.

A few days earlier, my colleague Rob Price had published a terrifying story about hackers who waged a campaign of harassment and intimidation to steal Instagram handles and other coveted usernames on social media. Tucked into that story was a phrase I hadn’t heard before, a type of hack I’d had to look up: SIM swapping.

In a SIM swap, the hacker doesn’t need to physically steal your SIM card — the thing in your phone that identifies it as your phone. They just pretend to be you and persuade an employee at your telecom provider to activate a new SIM card for them, using your phone number. Once that happens, your phone immediately loses service — and the hacker can now use your number to wreak havoc on your life. They can send messages to others pretending to be you, intercept texts from your bank, and even reset your passwords to lock you out of your own accounts.

SIM swapping hasn’t been around long. It started in about 2018 as a way for gamers to steal other people’s cryptocurrency, which is pretty easy to do once you have full access to someone’s phone. But now, experts say, the crime has become more pervasive — and far more organized. In 2021, the FBI reports, SIM swaps robbed victims of more than $68 million. “You could think of these people as petty thieves,” says Allison Nixon, the chief research officer at Unit 221b, a cybersecurity firm. “But after 2018, these are petty thieves that became millionaires.”

I borrowed a phone and called Verizon, which confirmed I’d been SIM swapped. While I was vacationing in western New York, more than four hours away, the hacker had shown up at a Verizon store in Columbus, Ohio, pretending they were me, complete with a fake ID. They told a store employee their phone had been destroyed and asked to use my phone number to activate an older iPhone they’d brought with them.

I remembered that strange $0 receipt I’d gotten the day before, and checked the store address at the bottom. Sure enough, it was from a Verizon store in the Columbus area.

I was floored by how easily someone could steal my phone; surely it must have been a major screwup on the part of the store employee. But when I spoke with higher-ups at Verizon, they explained that actually, their device-activation process had worked precisely the way it was supposed to.When two-factor authentication isn’t possible — like when a phone has been lost, stolen, or destroyed — an ID card will suffice. All the hacker needed was a knowledge of the glaring loophole in Verizon’s security, a phony piece of plastic, and a little chutzpah.

Verizon immediately deactivated the phone that belonged to the hacker and reinstated mine. But the employee I talked to warned me that this was probably just the beginning of the scam.

It turned out he was right.


Once the hacker had control of my phone number, they didn’t waste much time. They left the Verizon store and went to a nearby Apple store, where they used my Chase credit card to spend $6,370. Then they drove to a mall across town to shop at Gucci, where they made two separate transactions totaling $2,956. They finished at a clothing store called Psycho Bunny, where they spent about $452. All told, they racked up nearly $10,000 in purchases on my card in just a few hours.

The next morning, perhaps testing their luck, they tried to make another purchase at Best Buy. But this was after I’d spoken with Verizon and locked my card. So they just opened a Best Buy credit card in my name instead.

(Map: Chay Thawaranont/Insider)

Still, something about all the transactions kept bugging me. I noticed that the hacker never logged in to my Chase account or my social-media accounts — they just racked up charges on my card. I couldn’t figure out why they needed my phone number in the first place.

But when I scoured my text logs, I realized what they were up to. Chase, aware that I don’t typically spend $10,000 in a single afternoon, sent out fraud alerts via text each time the hacker tried to make a big purchase. I could see in my text logs that each time a fraud alert came in, the hacker used my phone to respond, allowing the charges to go through.

That mystery was fairly easily solved. But there was something else I couldn’t figure out: How did the hacker make so many purchases on my card in the first place? I could see in my account that the charges had occurred at physical stores, not online. The hacker never logged into my iCloud account to set up Apple Pay, and my credit card had been safely tucked into my wallet the entire time.

I decided to call each of the stores where the hacker went shopping, to try to figure out what happened. I tried Gucci first. A representative at a centralized Gucci switchboard informed me that Gucci doesn’t even have telephone numbers for its individual retail locations, and that the only way to learn more about how the purchase was made would be to visit the store. Given that I was back home in New York City, more than 14 hours away, I decided to try my luck at Apple.

Apple was equally unhelpful. A store employee politely informed me that unless I knew exactly which items had been purchased, there was no way he could look up information about the transaction, even though I knew the total amount spent, the card number, and the date and time of the purchases. The employee said there was another option. He’d be able to hand over the full receipt, no problem — as long as the police requested it from Apple’s legal department.

I decided to give it one last shot with Psycho Bunny, a menswear retailer whose logo is a rabbit skull and crossbones. A helpful store manager looked in the store’s system and confirmed that yes, someone who said their name was Avery H. had made a purchase of $452 using my card number. The shopper had even supplied a phone number that was one digit off from mine, the manager said. Unfortunately, that was the extent of the information she had.

Disheartened, I hung up. I wasn’t any closer to finding out how the thief had gotten hold of my card.

Then, about 15 minutes later, my phone rang. It was the store manager, calling back. She and her team had decided to go through the security footage from the day the purchase was made, and they’d found footage of the thief standing at the store counter. She asked me to describe what I look like.

“Yeah,” the manager said. “The person I’m looking at here is basically the exact opposite of you.” The thief was a woman, but she was wearing a hat and a face mask when she made the purchase.

I asked the store manager whether she was able to see how the thief paid for the items.

“They used a physical credit card,” she told me.

The manager seemed game to hand over the footage of the thief in action, so I called the Columbus police department, excited to present this new evidence. I had already filed a police report — one of the 23 steps I had taken, including submitting a claim to the FBI’s internet-crimes center and freezing my credit, to lock down my life and tie up the frayed ends of my identity. But when I spoke with an officer on the Columbus fraud squad, he asked me whether any money had been stolen from my bank account, or whether my credit-card company was holding me liable for the $10,000. No, I told him. Chase had agreed to reverse all the charges.

The officer was quiet for a beat. “Yeah,” he said, “we’re not going to investigate that.”

The squad, which has only five officers, gets 7,000 reports of fraud a year. If I hadn’t lost any money, the officer told me, it wasn’t worth their time.


As it turned out, I had spoken too soon. A few weeks later, I got a letter from the Chase fraud department. We changed our minds, it said. We don’t believe you that these charges were fraudulent. We’re holding you responsible for paying them. 

Suddenly, I was saddled with $9,778.24 on my credit card. Three weeks shy of my wedding, my card was nearly maxed out and beginning to collect interest. 

I pleaded with Chase to reverse its reversal, but they told me they thought I was lying for two reasons. One, because they had sent me fraud alerts when the purchases were made, and I had approved them. (But it was the thief, not me! I protested.) And two, because a physical credit card had been used to make the purchases, even though I was still in possession of my card. When I pointed out that the thief could be seen in the Psycho Bunny security footage tapping a physical card on the payment kiosk, the Chase representative said it would have been impossible for anyone to duplicate the microchip embedded in my card. The only way Chase would agree to remove the charges, she said, was if I could provide them with documentation that I’d been SIM swapped — either an official police report or a letter from Verizon confirming that my phone number had been hijacked.

The police had already told me it would take weeks for my report to work its way through the system. So, in what was my third call to Verizon, I begged the company to provide me with documentation of the fraud, which it had already acknowledged took place. But after I spent an hour and a half on the phone, being bounced around to five different departments, a Verizon representative told me they couldn’t provide me with anything in writing that confirmed I’d been SIM swapped. At that point, she said, it was a legal issue.

Then, out of the blue, I got another lucky break. After Chase told me I’d be held responsible for the charges, I had begged them to reopen my fraud case and check again. I sent them a folder with every shred of evidence I had. There was a screenshot of the receipt when the hacker activated my phone in Columbus, hundreds of miles from where I was at the time. There was documentation that I had submitted reports to the police, the FBI, the Federal Trade Commission, and the Federal Communications Commission. And there was a paper trail proving that I’d been forced to lock my credit file with the major credit-reporting agencies.

My begging must have worked, because Chase assigned a new investigator to look into my case. A few days after I was turned away by Verizon, he gave me a call. He’d found a few things the first investigator had missed. For starters, after the hacker tried to make their first purchase on my card and Chase issued a fraud alert, the hacker had called Chase from my phone number. They said they were me and asked Chase to allow the purchase.

You know how when you call customer service it often says, “This call may be monitored and recorded”? Well, they’re not lying — Chase had a recording of the call. The fraud investigator had listened to the recording and had called me to check whether it was the same voice. While he wouldn’t give much detail, he said it clearly wasn’t me who had approved the purchase.

But there was another thing that struck him as strange. Typically, when your credit card is about to expire, as mine was, the bank sends you a new card a few weeks ahead of time. The Chase investigator told me that when people get the new card, they follow a pretty standard pattern of behavior: They immediately stop using their old card and switch to the new one. But I hadn’t done that — I was still using my old card.

At this point in our conversation, I could almost hear my heart start beating louder.

“Here’s the thing,” I told him. “I never received a card with a new expiration date.”

The investigator explained that the purchases in Columbus were made using the card with the new expiration date. Meanwhile, on the same day, I had used my old card to buy dinner in western New York. The mystery of the credit card was solved. The hacker had gotten their hands on my new card, which is why all the purchases looked legit. Between the evidence of the card theft and the voice recording of the hacker, it was enough to convince Chase to change its mind and permanently reverse the charges.

But now a new mystery emerged: How did the hacker get my new card in the first place? The Chase investigator scratched his head at that. I live in New York City. So how could the hacker have gotten into my mailbox before hightailing it all the way to Ohio to buy men’s T-shirts at Psycho Bunny?

Unless, that is, they hadn’t stolen the card from my mailbox at all.


Chase, it turns out, is the largest credit-card issuer in the United States. It also happens to have a huge operations center smack in the middle of Ohio. In 2016, Bloomberg reported that Chase manufactured 60% of its cards in the area. New credit cards issued by the bank arrive bearing a PO Box in the town of Westerville — a 22-minute drive from downtown Columbus.

I figured this couldn’t be mere coincidence. Perhaps the person who hacked my phone had some sort of access to Chase’s operations center and had gotten their hands on my credit card at its birthplace. But when I asked Chase about it, they assured me that the company has strict security protocols in place that make it virtually impossible for cards to be stolen between the time they’re produced and when they enter the Postal Service. In fact, Chase was able to tell me exactly when my card left its operations center (July 13) and when it was last scanned at a postal facility (July 16). It’s highly likely, Chase said, that my card was stolen out of the mail.

Suzanne Lynch, the director of the financial-crime program at Utica University, told me that taking cards out of the mail has actually become more common since 2015, when most credit-card companies began embedding their plastic with microchips. In the face of the new technology, Lynch said, thieves simply altered their strategy and went “old school” — stealing cards rather than counterfeiting them.

But there was one last twist to the mystery. Sue Brennan, a spokesperson for the Postal Service, explained that my credit card was scanned at the processing center nearest to my local post office. Which means that the thieves stole it in New York City on July 16 and took it all the way back to Ohio in time for its big day of spending at the mall on July 22.

Two months after my hack, on September 29, federal prosecutors in New York announced that they had busted up a scheme that sounded familiar. Three postal workers were charged with stealing credit cards out of the mail and passing them on to five “shoppers,” who used them to buy luxury clothes and bags at stores like Chanel and Hermès that they could resell online. All told, the gang allegedly stole hundreds of identities and defrauded retailers and credit card companies of $1.3 million. The postal workers, who went by aliases like Lady Fab and Junzie-J, were arrested. The group’s ringleader, Ace, and the shoppers — including Payso, Dev, and Conny Cash — remained at large.

Whoever hacked my identity, it makes sense that they started with my credit card. That explained why they decided to SIM swap my phone in the first place — so they could intercept the fraud alerts and use my card with impunity. And because they stole my card out of the mail, they had my address, which made it easy to gin up a fake ID to show Verizon. Once they were in control of my phone number, it was just a race against time to swing by the Apple store and Gucci and Psycho Bunny before I discovered the hack and blocked their access to my accounts.

It’s also clear that my identity theft was made possible, in no small part, by the very companies and officials who were supposed to prevent it. Verizon accepted a fake ID, and then refused to assist me by confirming that the attack had taken place. Chase tried to charge me for $10,000 in purchases I never made. The police were too overwhelmed to investigate. Gucci couldn’t even be bothered to provide me with a phone number for one of its stores. The hacker might have committed the crime, but corporate America was an accessory after the fact.

But who was the hacker? That’s one of the hardest things about my identity theft, both as a journalist and as a victim — there’s simply no way to know who did it, let alone hold them accountable. If it weren’t for dedicated employees at Chase and Psycho Bunny who took the time and effort to investigate, I’d still be in the dark about what happened, and how the hacker pulled it off. She stole my identity, yet I’ll never know a thing about hers.

This kind of feeling is apparently pretty common among victims of identity theft — and pretty pointless. Eva Velasquez, the president and CEO of the Identity Theft Resource Center, a nonprofit organization that assists victims of identity crimes, told me that most people never learn where or how their data was compromised. In many cases, the fraud rings are based overseas.

“It’s much better for you to focus on your recovery than on that pound of flesh,” Velasquez told me. “It is a normal human feeling, but it’s not going to be productive in this circumstance.”

What’s most important, she said, is that I keep my guard up. A survey conducted by the resource center found that half of all victims of identity theft wound up being victimized again. That’s because most identity-verification procedures rely on what Velasquez calls “static data,” like Social Security numbers, that remain constant throughout our lives. Which means that no matter how much I lock my credit files or set up two-factor authentication or use strong passwords or steer clear of phishing attempts, the likelihood of someone stealing my identity again remains frighteningly high.

“I compare victimization to a physical illness,” Velasquez told me. “It can go into remission, but that doesn’t mean it’s gone away.”

Still, I find myself wondering sometimes about the woman who used my card at Psycho Bunny. She’s the closest thing I’ve got to an actual person to pin this on. Was she also the one who hacked my phone? And if so, why did she do it? For money? For fun? At the behest of someone else? Was this a solo operation, or part of the growing wave of organized crime, like the postal workers busted in New York, that is using SIM swaps and credit card thefts to rake in millions of dollars a year? I’ll never know. The only evidence of her role in stealing my identity is a blurry image, her features obscured by a hat and a face mask, on Psycho Bunny’s security footage, and a voice on Chase’s recording system that doesn’t sound like me.


Avery Hartmans is a senior reporter at Insider. 

Read the full article here

Share.
Exit mobile version