There is a consumer warning about a growing scam that is costing unsuspecting victims millions of dollars — and it's done entirely and unknowingly through their cell phone number.
On Long Island, Jacqueline Berman didn’t know anything was wrong until she tried to make a call, saying she saw she was connected to WiFi but didn't have service. In New Jersey, Luis Martinez never even had that chance, as his phone just suddenly went dead.
Within minutes, both of their bank accounts were cleaned out. Berman said she lost $26,000, while Martinez said he was out $30,000.
Both were victims of a growing mobile phone hacking scam called SIM card swapping.
"Cases are definitely increasing," said Paul Roberts, assistant special agent in charge in the complex financial crimes unit for the FBI in New York. "These are a lot of organized crime groups, they’re not a single actor. It’s a group of people working together to exploit this."
The scam – involving control of the SIM card we all have in our phones – is shockingly simple.
A scammer will imitate their target, asking the victim's current phone carrier to switch their number to another company through the Subscriber Identity Module – or SIM. That SIM is then virtually connected to the thieves' device, and now they have access to everything on their victim's phone.
"One of the first things they do is take over your email. Once they take over your email, get the password reset, now they have your email and your phone," Roberts said.
That puts everything on a victim's phone in danger, according to Nicole Sette, a cyber security expert at Kroll.
"They go to 'forgot password' and request the one time passcode that will go to their device, and they can start resetting accounts real quickly and transferring money out of your bank accounts," Sette said.
Berman said she has no idea how or why she was targeted.
"With all the passwords and pins and facial recognition and everything that I have, I really still have no idea how this happened," she said.
Experts say the hackers first get personal information, like a Social Security number, for a potential target through a data breach or other means. And since carriers are flooded with real requests to switch SIMs for new phones, the bad guys can slip through as their victims, undetected.
"Because there is a legitimate requirement for SIM swapping, it makes it a little more difficult for carriers to completely block the practice," Sette said.
"With the amount of data out there and the breaches that have happened in many places, people shouldn’t be in the mindset of 'how can I prevent this,' but 'how can I be prepared if this happens to me,'" said Roberts.
The FCC is trying to help by proposing new rules “requiring providers to immediately notify customers whenever a SIM change or port request is made on customers’ accounts.” Two of the biggest carriers – Verizon and AT&T – tell NBC New York they’re already taking action.
Verizon said it is "proactively notifying customers via text messages and email before the transaction completes to ensure they are aware of the activity." AT&T said it is "training employees to better recognize impersonation attempts and working closely with law enforcement."
The FBI and cyber security experts say there are other ways people can protect themselves from becoming victims. An easy additional level of protection: installing a two-factor authenticator app on a phone that will send a separate notification, alerting the user to a potential hack.
Experts also say that anyone who mysteriously and suddenly loses service should contact their carrier or go to a store immediately.
Both Berman and Martinez said that if they’d known about SIM swapping and taken action instantly, they might have had a chance.
"I was aware of it after it happened to me which is a day late and a dollar short," he said.
"It’s hard-earned money, most of these people that are having this happen, it’s thousands of dollars, not just change," said Berman.
NBC New York reached out to the banks and carriers for Berman and Martinez. At least one bank acknowledged fraud occurred, but no money has been returned.