Anyone can fall prey to the SIM-swapping scam

By Greg Collier

You may have heard of the term SIM-swapping before. You may even know SIM-swapping is part of a larger identity theft scheme. What you may not know is that the term SIM-swapping is something of a misnomer. SIM-swapping makes it sound like someone needs physical access to your phone so they can steal your SIM card. A more appropriate term would be SIM-hijacking, since the scam itself is committed remotely.

A SIM-swapping attack is a type of cyberattack where a malicious actor fraudulently convinces a mobile carrier to transfer a victim’s phone number to a SIM card under the attacker’s control. This is typically done by impersonating the victim or exploiting vulnerabilities in the carrier’s verification processes.

The attacker contacts the victim’s mobile carrier, posing as the legitimate account holder. They may use gathered information to convince the carrier’s customer support representatives that they are the actual owner of the phone number.

Once the attacker successfully convinces the carrier to transfer the phone number to a new SIM card, the victim’s phone loses network connectivity. The victim may not be aware of this until they try to make a call or use data services.

With control of the victim’s phone number, the attacker can receive the victim’s text messages and phone calls, which may be used to bypass two-factor authentication (2FA) on various accounts linked to the phone number. This can lead to unauthorized access to email, social media, financial, or other online accounts.

In the past, when we’ve discussed SIM-swapping attacks, we’ve heard from readers who said their phones are immune from these attacks since their phones don’t have a SIM card. Unless you’re still carrying a flip phone you bought from Sprint in the mid-2000s, chances are your mobile phone has a SIM card in it. You may not have placed the card in the phone yourself, but without a SIM card, your phone wouldn’t be able to communicate with your phone carrier and provide you service. There’s also what’s known as an eSIM. This is a SIM card that can be embedded in your phone, meaning it can’t be removed. In essence, if you have a reasonably modern mobile phone, it has a SIM card. And if it has a SIM card, it’s vulnerable to these attacks.

A woman from California recently fell victim to one of these attacks. After scammers successfully had her phone company transfer her service to the scammers’ SIM card, they were able to get access to at least one of her bank accounts. They drained her account of $49,000 before it was all said and done. The victim tried to work with both her bank and phone provider, but they denied her requests. As with many bank-related scams, it wasn’t until the victim contacted her local news station that she received a refund from her bank.

There are several effective strategies to safeguard yourself from SIM-swapping. One approach is to opt for an authenticator app instead of relying on text messages for two-factor authentication. Authenticator apps are tied to a specific device rather than a phone number, enhancing their security. Additionally, it’s crucial to refrain from using easily discoverable information, such as high school mascots or pet names, for security questions on online accounts, as such details are often accessible on social media. Finally, you can enhance security by reaching out to your carrier and requesting the restriction of any device switches on your account. It’s important to note that to lift this restriction, you might need to visit a carrier store and provide identification.