SIM swapping: A hot fraud, but you can stop it cold

By /

SIM-swapping frauds are on the rise. SIM swapping is a type of account takeover scam where hackers take control of your phone number to access all kinds of personal information. They can even use it as an attack vector for two-factor authentication and one-time passwords (OTP). It requires only minor tech skills for an attacker to target your cellphone number, which is why it has become popular with younger, less sophisticated hackers. It does take some leg work, however. In simple terms, a hacker will not have to type any complex technical commands to rip it off. So today, we’re going to talk about SIM-swapping scams — what they are, how they work, and how you can defend yourself from becoming one of its victims.

sim swapping fraud
Designed by Macrovector / Freepik

The more, the merrier

A hacker needs some of the would-be victim’s personal data to perform a SIM-swapping fraud. Then, the attacker uses this personal information to breach the victim’s account. If the attacker gets lucky enough with personal data, they don’t need to have physical control of the device.

How did they get the personal information? They could have obtained it from data exposed in data breaches or the social networks where you publicly share your information. They may also get it the old-fashioned way — spying on you as you use your phone.

The chances of a successful SIM-swapping fraud increase with the amount of information about the victim. The hacker always keeps an eye on the victim’s social media accounts to gain some helpful information. Think twice before posting something on any social media account.

But what if someone is unable to get your data, email address, or credentials? It’s unlikely that they will be able to SIM swap you. That also highlights the importance of using common sense as a defense against these types of attacks. We’ll provide some tips on averting SIM-swapping fraud further down.

How attackers perform a SIM-swapping fraud

There are two most common steps to perform a SIM-swapping scam.

The hacker will have to know many details about the victim before they can do any damage. A person’s private information falls into one of these categories: Passwords and usernames, date of birth, last four digits in credit card numbers.

The hacker may practice a social engineering approach to trick the victim into giving away their information, or they can steal it from a data breach that has already taken place. Once an attacker attains access, your accounts are at risk of being hacked and accessed without notice.

Conning the carrier

sim swapping fraud

As soon as the hacker has the victim’s credentials and additional information, it’s on to the next step. Now, the hacker has to fool the victim’s phone service provider’s customer representative to accomplish the SIM-swapping fraud.

The infiltration of the wireless provider to change phone numbers is a time-consuming process that takes some convincing and sincerity. The hacker will typically impersonate their victim by saying they lost their phone or switched carriers and need to port over an existing number from one SIM card onto another. They can do this with both cell service providers and cable Internet connections at home. This is all accomplished through social engineering mojo.

The wireless carrier representative tries to ensure that the calling person is the account holder. The rep will ask some security questions of the attacker. If the attacker has knowledge of your personal details, it is easy for them to come prepared with the right answers. The question might be about a credit card’s last four digits, mother’s maiden name, or other personal information. If the hacker has done the job well, it will succeed. The customer service representative will shift the victim’s number to the hacker’s SIM card.

The nightmare begins

Moving forward, now the attacker can intercept all of your text messages and phone calls. It means that they can interfere with any password resets sent to you via call or text. They can also receive two-step verification tokens for accounts where it is enabled. SIM-swapping fraud can be severe indeed.

If the attacker successfully obtains the victim’s banking credentials, they can change all the personal information on the victim’s banking site. For example, they can change their password or registered email. The attacker can even open up another account in the victim’s name in the same bank. Also, they can transfer the money among the accounts.

A sim-swapping attack can open the gateway to several different identity thefts. They range from basic credit card fraud, where your information is used for online purchases or other illegal activities, all the way up to high-level things like hacking into government databases that are protected by strict security measures.

Examples of SIM-swapping frauds

Instagram

In 2018, a group of cybercriminals stole the identities of numerous Instagram users. These unsuspecting victims logged into their accounts to find themselves unexpectedly locked out. When these unlucky individuals attempted to log back in, they discovered that they were no longer owners of their profiles. Hackers set up a new email address and phone number.

Twitter

Jack Dorsey, the CEO of Twitter and Square, was hacked by a SIM-swapping attack. Hackers were able to invade his account in August 2019. They posted racist messages and bomb threats from his compromised account. Obviously, this was a major embarrassment for both Dorsey and Twitter.

Warning signs you have been SIM swapped

SIM swapping fraud

Symptoms occur quickly when a SIM-swapping attack hits you. So you need to take immediate action. Here are a few warning signs you have been SIM swapped:

  • Your social media account starts behaving strangely, and you see the posts you never made. This is what happened with Jack Dorsey, and the same thing can happen to anyone.
  • Another typical sign that you are a victim of SIM-swapping fraud is your phone network will show no signals. You cannot make phone calls or send text messages using your mobile phone. In addition, your SIM card will not show your service provider company.
  • Some wireless carrier services use client email to send notifications. For example, if your email account is not compromised yet, you will receive a notification via email. Now you know that your new SIM card got activated even though you never requested a new SIM card.
  • Another sign of SIM-swapping fraud is you are no longer the owner of your accounts. It is because your account detail got changed by the attacker.

How to prevent a SIM-swapping attack

There are some decisive steps you can take to protect yourself from SIM-swapping fraud. Implement these, counting on the tips to guard your personal information online. It will make life a little bit easier for you.

On your cellphone, you can have a PIN that will prevent unauthorized use. If an attacker doesn’t extricate this PIN before attempting to hijack the account, it could thwart any attack altogether. Some carriers even allow their clients to set up isolated pins for SIM cards inserted in phones.

To protect your accounts, use authentication apps. Two-factor authentication is a great way to bolster security. It’s better if you use an authenticator app and not SMS. For example, if you configure 2FA with an app alternately receiving tokens via phone text message. Then the attacker wouldn’t have any information they could intercept if successful. There would be nothing for them to find. Some recommended authentication apps are MS Authenticator, Google Authenticator, and Authy. Use the one that suits your needs best.

You should set up a call-back in your account with your mobile carrier. When you are being attacked, and the hacker is trying to impersonate you, this will help verify that they aren’t who they claim to be, so their attack can’t succeed. If your carrier ever suspects someone is trying to tamper with your account, they’ll call you back on the phone that’s currently storing all of your essential information.

How to protect personal information online

Staying safe in today’s world is no easy task. From the minute you turn on your phone and log into all of your social media accounts, you are vulnerable. It can be overwhelming how many ways hackers try to get our personal information or money. So, to stay protected as best you can from this type of fraud, follow these simple tips:

  • A firewall is a defensive measure that protects your computer and other devices from unwanted intrusion. It does this by blocking any incoming information to the machine until analyzed. You should always have an active antivirus program installed on both software-based and hardware-based firewalls to be more effective.
  • Antivirus software is a must to ensure that your business data and assets are secure. However, it’s difficult to tell which ones can provide the best protection from hackers and malware threats. Better to read reviews or ask friends for their opinions. It never hurts to be too careful.
  • Avoid pop-ups click. Dangerous pop-ups can be deceiving. Clicking on one may take you to a site that is not safe for browsing. It could also contain malware or spyware in the form of ads.
  • If you see a warning about visiting a website, it means the site is likely to be compromised somehow. If this happens to you, try looking for information elsewhere. Do not follow any links on that page that could potentially compromise your device further.
  • You can’t be too careful. It’s always better to err on the side of caution. Never download any attachment if you don’t know who sent it or what it is for.
  • The Internet often has links that can trick you into clicking on them. Be careful not to click any of these unless it is from someone in your contacts. Make sure the link goes straight where it should go without making a detour.
  • Don’t fall prey to phishing scams. Phishers will often pose as legitimate organizations such as banks and other financial institutions that you may have an account with. They will try to access sensitive data like passwords, allowing them easy access to bank accounts.
  • Be mindful of the personal information you share on social media. The more intimate details accessible about your life, the greater risk there is for a SIM-swapping fraud to be successful. Attackers use this data against unsuspecting victims by guessing passwords and answers to security questions like “What was my first car?” So be smart with what you post online.

What to do if your phone has been SIM swapped

It’s not too late to get your information back if you fell victim to a SIM-swapping attack. Follow these steps:

  • Contact your cellphone service provider immediately. Request the deactivation of the hacker’s SIM card and recover the service on your present cell phone. Then change the password of all your accounts.
  • If you notice any unusual charges on your bank account, credit card, or other financial accounts, report them to the relevant institution immediately.
  • If your Social Security number has been stolen, contact the Social Security Administration immediately (1-800-772-1213).

SIM swapping is a nasty attack. Once it is accomplished, it leaves you with a nightmare scenario of trying to put your online and personal life back together again. It is best to implement defense measures like those mentioned in this article to stop an attack before it is successful.

Featured image: Shutterstock

About The Author

Ali Qamar is a privacy and cybersecurity enthusiast. His work has been featured in major tech and security blogs, including InfosecInstitute, Hackread, ValueWalk, Intego, and SecurityAffairs. He is the founder and editor of PrivacySavvy.com now. Follow Ali on Twitter @AliQammar57.

Read Next

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top