Authentication
SIM swapping
Like many other types of cyber crime, SIM swap attacks have been on the rise in recent years.
You may have heard of SIM swapping when Twitter CEO Jack Dorsey was targeted in 2019, which made major headlines. After all, if the CEO of a major social media company could fall prey to such an attack, then how can the average person prevent it from happening to them?
Despite the dangers, using the Internet safely and confidently is possible. It’s all about educating yourself and taking proactive measures to protect your data.
Here’s everything you should know about SIM swapping fraud and how to prevent it from happening to you:
What is SIM swapping?
SIM swapping fraud involves a few steps.
First, a cyber criminal acquires private information about a victim, typically by impersonating their phone service provider via phishing emails or fraudulent phone calls. They may also buy this information on the dark web if the targeted individual has been involved in a data breach — and many people have, whether they know it or not.
Next, the scammer calls the victim’s mobile carrier, using the stolen personal data to impersonate the victim and report their phone’s SIM card as stolen or missing. While many phone service providers require customers to use PIN numbers on their accounts in order to prevent fraudulent account access, SIM swap perpetrators often insist they’ve forgotten their PIN if they weren’t able to retrieve this code when stealing the victim’s personal information.
If successful, the attacker convinces the mobile carrier to transfer the victim’s phone number to a new SIM card in their possession. There have even been cases in which employees of phone providers have collaborated with criminals to perpetrate SIM swap fraud.
Dangers of SIM swapping
Here’s why SIM swapping is dangerous for victims: It enables the attacker to access any of your accounts that use SMS or phone call verification by allowing them to request password resets or bypass two-factor authentication (2FA) and multi-factor authentication (MFA).
2FA and MFA are security measures commonly implemented on online accounts, especially those containing sensitive or financial information. They offer an extra line of defense against cyber attacks so that if your password is compromised, there’s another layer of authentication to prevent hackers from accessing your accounts.
However, SIM swap attacks exploit a critical weakness in 2FA and MFA. Because these cyber security protocols often rely on SMS or phone call authentication, a scammer performing a SIM swap can bypass this added protection and do things like access individuals’ bank accounts to steal money or sell access to those accounts to other bad actors on the dark web.
If you’re the target of SIM swap fraud, you could not only lose access to your accounts, but you could also have your personal data leaked, your social media accounts hacked, your cryptocurrency transferred out of your digital wallet, or money stolen from your bank account.
How to tell if you’ve been SIM swapped
If your SIM card suddenly becomes inactive, then you could be the victim of a swap. The most immediate effect you’ll notice if your SIM is deactivated is that you unexpectedly and completely lose service on your mobile phone and are unable to send or receive texts and calls. You might also get a text message alerting you that the SIM card for your phone number has been changed.
If either of these things happens but you did not request a new SIM, then you should call your phone service provider immediately and take steps to protect your online accounts — more details on this below.
How common is SIM swapping?
Unfortunately, like many digital crimes, SIM swap attacks are increasing in frequency. According to the FBI, these types of cyber attacks resulted in more than $68 million in losses in the US in 2021 alone — which marks significant escalation compared to prior years.
A huge cyber attack on T-Mobile in 2021 compromised the PIN numbers, SSNs, and other sensitive personal information of current and former T-Mobile customers. This particular attack leaked the data of millions of people, opening the way for SIM swap fraud and showing that anyone with cell phone service could be susceptible to an attack of this kind.
There have even been high-profile victims of this type of fraud, most notably Twitter CEO Jack Dorsey. It was this particular event in 2019 that brought public awareness to SIM swapping, because a group of attackers actually took control of Dorsey’s own Twitter via SIM swap fraud, tweeting out offensive messages to his more than 4.2 million followers.
In short, anyone — even CEOs or celebrities — can be the victim of this type of cyber attack, and the associated costs are often high. That’s why it’s worth taking proactive measures to protect yourself.
How to protect against SIM swap
Although SIM swapping and other types of cyber attacks are on the rise, you aren’t helpless. There are certain actions you can take to strengthen your digital privacy and security, and they’re all simple enough for anyone with any level of digital proficiency to take on.
Beware of phishing attempts
This one is simple: be careful what you click on.
Phishing is a very common entry point for perpetrators of SIM swap attacks. Hackers have gotten very good at sending fraudulent messages that seem legitimate, including text messages or emails that appear to be from your mobile carrier, bank, or another account.
These messages may include links that may appear to be a legitimate login screen for one of your accounts but that actually catalog and steal your login credentials. They may also include links that install malware onto your device that can steal your passwords and other sensitive data, or personal questions that help a scammer to answer the security questions on your accounts.
Whatever form they take, these types of phishing messages can give attackers everything they need to commit SIM swap fraud. Always verify that the email address or phone number you’ve gotten a message from matches the one in your contacts or on the business’s site. As an added security measure, simply avoid clicking on links received in messages. Instead, go directly to the desired website on your browser, log in, then locate the page you need.
Don’t post personal information online
Avoid posting personal details online that could help bad actors guess answers to security questions on your accounts. This recommendation holds true even if you have private social media accounts or if you’re sending information via direct messages, because large social media companies can and have experienced data breaches and because your accounts could be hacked.
This includes practicing caution when sharing photos online or via direct message. For example, a picture of your driver's license and vaccination card may show your address or date of birth, which can give an attacker the information they need to hack your accounts or commit SIM swap fraud.
Additionally, don’t make any details of your financial assets public online, including any investments, cryptocurrency, and similar. Advertising these assets can draw unwanted attention and make you a target for cyber attacks.
Protect your cellular account
Because your cell phone number can be a single point of failure when it comes to your cyber security, it’s important to add multiple layers of protection to this account. Most mobile carriers offer various options for account protection, but there are also additional steps you can take.
Here are some of the best practices for protecting your cellular account:
- Use a strong, unique password. Password security is essential for all your accounts, but especially on sensitive accounts like your cell provider and bank.
- Add a PIN number or passcode. Most cell carriers provide a built-in option for a second layer of protection on your account — usually a PIN number or passcode. Always opt to add this layer of security, but be sure not to make this code too easy to guess (like numbers from your home address, phone number, or SSN), and make sure not to share the number through social media, text, or email.
- Be careful with your information. If you receive a phone call from someone claiming to be with your phone provider, you shouldn’t volunteer personal details like your PIN number or login credentials. Instead, hang up and call your mobile carrier’s customer service line to verify that you aren’t sharing access to your account with a scammer.
Strengthen your authentication
SIM swapping exploits a significant vulnerability of 2FA and MFA protections — but this doesn’t mean you should forsake authentication altogether. Instead, opt for layered protections that don’t involve SMS or phone call verification.
Biometrics are the future of authentication, and biometric-based authentication offers an easy way to secure your accounts from attackers. Because this type of protection relies on something that can’t be taken from you in phishing or SIM swap attacks — i.e., your face, fingerprints, or other biomarkers — you can navigate the Internet with more confidence when you have biometrics in place to protect your personal data.
What to do if SIM swapped
If you’re the target of SIM swap fraud, take action immediately. Here are the next steps to take as soon as you become aware of an attack:
- Immediately contact your cell phone service provider to recover control of your number.
- Change passwords on all your accounts, making sure to use strong, unique passwords for each account. Implement authentication that doesn’t rely on SMS or phone call verification, such as biometrics, physical security tokens, or separate authentication apps.
- Contact your bank(s) and other financial institutions to place alerts on all accounts monitoring for suspicious activity, unknown login attempts, or fraudulent transactions.
- Reach out to local law enforcement or your local FBI field office to report all suspicious activity. Additionally, report the information to the FBI's Internet Crime Complaint Center.
Being the victim of any type of fraud or cyber attack is scary, and it can be challenging to regain your confidence. But if you’re the victim of SIM swapping, there are actions you can take to recover your accounts and measures you can enact to make sure it never happens again.
