30.11.20

SIM swap scam: What it is and how to protect yourself

Here’s what to know about attacks where a fraudster has your number, literally and otherwise

By Amer Owaida

SIM swap scams have been a growing problem, with fraudsters targeting people from various walks of life, including tech leaders, and causing untold damage to many victims. Here’s why you should be on the lookout for attacks where someone can upend your life by first hijacking your mobile phone number.

How SIM swap fraud works

Also known as SIM hijacking and SIM splitting, SIM swapping can be described as a form of account takeover fraud. To make the attack work, the cybercriminal will first gather information on their mark, often through trawling the web and searching for every tidbit of data the potential victim may have (over)shared. The victim’s personal information can also be gleaned from known data breaches or leaks, or via social engineering techniques, such as phishing and vishing, where the fraudster wheedles the information directly out of the target.

With enough information in their hands, the fraudster will contact the target’s mobile phone provider and trick its customer service representative into porting their telephone number to a SIM card owned by the criminal. More often than not, the scammer’s story will be something along the lines that the switch is needed due to the phone being stolen or lost.

Once the process is done, the victim will lose access to the cellular network and phone number, while the hacker will now receive the victim’s calls and text messages.

What makes the scams so dangerous?

Commonly, the point of this type of attack is to gain access to one, or more, of the target’s online accounts. The cybercriminal behind the attack is also banking on the assumption that the victim uses phone calls and text messages as a form of two-factor authentication (2FA).

If that’s the case, the fraudsters can wreak unseen havoc on their victim’s digital and personal lives, including cleaning out their bank accounts and maxing out their credit cards, damaging the victim’s standing and credit with banks in the process.

The hackers could also access their victim’s social media accounts and download sensitive messages or private conversations that could be damaging in the long run. Or even post insulting messages and statuses that could cause major reputational damage to their victims.

How to protect yourself

Start by limiting the personal information you share online, avoid posting your full name, address, phone number. Another thing you should avoid is oversharing details from your personal life: chances are that you included some aspects of it in your security questions that are used to verify your identity.

When it comes to using 2FA, you might want to reconsider SMS text messages and phone calls being your sole form of additional authentication. Instead, opt for using other forms of two-factor authentication such as an authentication app or a hardware authentication device.

Phishing emails are also a popular way for cybercriminals to obtain sensitive information. They do so by impersonating a trusted institution, relying on the assumption that you won’t hesitate to answer their questions or scrutinize the emails too closely. While many of the phishing emails will be caught by your spam filters, you should also educate yourself on how to spot a phish.

Telecom companies are also working towards protecting their clients. Verizon, for example, launched a feature called ‘Number Lock’ that should protect its customers against potential SIM-swapping attacks, while AT&T, T‑Mobile, and Sprint offer the option of additional authentication in the form of PIN codes, passcodes, and additional security questions. You should check with your provider to learn how to enable such features, should they offer them.

In summary

While SIM swap scams are ever-present and a threat to everybody, there are ways to protect yourself. Taking one or more of the several steps outlined in the article can help you lower your chances of falling victim to such an attack. Additionally, you can contact your bank and telecommunications providers to inquire about any supplementary security services you can enable to lock down your accounts.