What Is SIM Swapping and How to Protect Yourself

LastPass, July 15, 2024

It starts small at first: you receive an e-mail that someone has logged into your account or changed your password. That’s not right, you think. You try to log into your account, but you’re locked out. By the time you contact your bank or security provider, you’ve found yourself missing a sizable amount of money or discovered that a hacker penetrated your network. You must now endure the stressful, tedious procedures of re-accessing your accounts and information.  

You could be the victim of a SIM swap. One of the alarming qualities of this type of cybercrime is that it invades your personal and organizational networks through the device you use the most: your cell phone. Keep reading to learn: 

  • What SIM swapping is 
  • Why it’s a rising concern to individuals and organizations 
  • How to spot signs of a SIM swap 
  • How to mitigate SIM hijacking crimes  

What Is SIM Swapping?

SIM swapping (also known as SIM hijacking) occurs when an attacker tricks your mobile phone company into transferring your phone number to their SIM card.

If the deception is successful, the attacker will be able to intercept your MFA codes and gain unauthorized access to all your accounts.

SIM swapping has become so prevalent that the FCC adopted new SIM Swap and Port-Out rules in 2023 to protect mobile phone users from it.

These rules were slated to go into effect on July 8, 2024, but have since been waived until the OMB (Office of Management and Budget) completes a thorough review. That likely won’t happen until late November 2024. Meanwhile, read on to discover how you can protect yourself from this insidious threat.

Why SIM swapping is a growing concern

SIM swapping is becoming a larger concern because it relies on identity theft and social engineering. The attacker usually begins by gathering a critical mass of information on you, the phone account owner, online. How? They buy information about you online through the black market or collect it from your social media profiles.  

Another common way is through a phishing scam. The attacker will impersonate a phone service provider and send you an email. The email will usually have a link to a web page where you’re asked to enter information like your birthday, passwords, or even your Social Security number. The attacker is posing as a legitimate company, so this approach is an easy way to trick people.  

After the attacker gathers your information, they can pose as you to your phone carrier to convince them that they’re the account holder. Once they pass through the verification tests, the attacker can ask the carrier to “port” your number to a new SIM card because “you” lost “your” original one. The attacker can now control your phone and interfere with phone calls and text messages. They might even access authentication codes for accounts like your banking or social media profiles.  

How SIM swapping affects individuals and businesses

For individuals, a SIM swap is theft and sabotage on multiple levels. The fraudster steals your identity and corrupts your relationship with your mobile carrier to access your information. By impersonating you, they can transmit false information, extract data or confidential information, and block access to your accounts.

For example, NBC Los Angeles recently reported on a man who lost $21,000 in a SIM swap scam. Jeff Drobman started receiving notifications from his bank that someone had logged into his account and changed his password. A fraudster got Drobman’s personal information and convinced Spectrum, his cellphone company, to transfer his number to a new phone. With access to the authentication codes typically sent to his phone, they could bypass two-factor authentication. Then, they were able to log in and steal $21,000.

There are larger-scale consequences for organizations. As Twilio points out, a SIM swap attack can destabilize your organization’s security. The hacker may pass your company’s multi-factor authentication, and an “employee” can steal and corrupt your files, financial information, and customer records. If the hacker infiltrates your network, they can steal your customers’ data and conduct identity theft attacks. They may also make a false purchase, acting as your customer. 

The monetary and reputational damages from a SIM swap attack could be debilitating. First, your organization would have to contend with a loss of trust from employees and customers for not being secure enough to prevent data theft. Your customers and investors would abandon you, subject you to lawsuits, and potentially dissuade others from doing business with you, resulting in significant revenue declines. In 2023, the FBI reported a loss of over $50 million due to SIM swapping.

How to Protect Against SIM Swapping

Enable two-factor authentication

If you think a scam has happened, the hacker has likely circumvented your existing two-factor authentication. To enhance security, use authenticator apps rather than receiving codes through e-mail or text. An authenticator app adds another layer of protection, and you can lock it with a PIN code, facial recognition, or a fingerprint.

Use a strong and unique PIN for your SIM card

McAfee advises against creating passcodes that are easy to guess, such as anniversaries, birthdays, or addresses. You can compile several random numbers and memorize them, or you can use a password generator to create one for you.  

Regularly monitor your mobile account for suspicious activity

Keep watch for social engineering schemes like phishing. Phishing is when cybercriminals “fish” for your personal information and try to impersonate you to gain access to your information. They can trick you into submitting personal information like your credit card or Social Security number. One well-known scam is receiving false texts from UPS telling the recipient their package couldn’t be delivered and fooling them into inputting personal details.

Use a password manager 

A password manager helps you create, use, and store an intricate password that’s extremely difficult to guess. It’s more advantageous if your password manager has zero-knowledge encryption qualities; only you will know your password, not the manager tool.   

Signs That You May Be a Victim of SIM Swapping  

Sudden loss of cellular service

If your phone suddenly can’t make or receive texts or calls and you lose service where you should have it, an attacker may have deactivated your SIM card. 

Unusual text messages or emails from your mobile carrier

Alarm bells should go off when you start receiving strange texts or emails from your mobile service provider. The messages may report an unexpected change to the service. If you’re suspicious, contact your mobile carrier immediately. 

Unauthorized access to your online accounts

It may be a sign of a SIM swap scam if you suddenly can’t access your bank accounts, social media profiles, or emails. You may see suspicious transactions on your bank account or credit card. Another red flag is if you see unusual posts on your social media profiles that you did not create.

How to Report a SIM Swap Scam

Contact your mobile carrier immediately

This seems obvious, but if a SIM hijacking happens, your attacker has already managed to deceive your mobile carrier. Contact them immediately; hopefully, they’ll have security protocols that only you can pass. 

If an attack occurs, your provider may have to deactivate your SIM card and phone account. Consider buying a backup mobile device or a burner phone.  

File a report with your local law enforcement 

After contacting your mobile carrier, contact your financial institution. You can also file an identity theft report with the Federal Trade Commission (FTC).   

Inform your bank and other financial institutions

Even if the hijacking didn’t occur in your bank account, contact your bank anyway. They can alert you to unauthorized access or stop it. Also, place an alert through one of the credit bureaus you use, like Experian, TransUnion, or Equifax; the bureau with the alert will notify the other bureaus.

How Social Media Plays a Role in SIM Swap Fraud

How personal information shared on social media can be exploited

Think your X (Twitter) account may not be the cause of your security hack? Think again. One of the first and most significant steps for a SIM hijacker is gathering as much of your personal information as possible. Your social media accounts are fertile ground. They could see an address, your college, or a pet’s name and test if they are your passwords. From there, they can drive the attack.

Tips for protecting your privacy online

Always be vigilant and cautious about strange emails, suspicious links, or organizations that ask you to give personal information. If you suspect a scam, a quick Google search can prevent a costly mistake. Being judicious and deliberate about your password creation and storage and enabling multi-factor verification will go a long way.

Educating others about the risks of SIM swapping

Most people don’t give much thought to the tiny chip card in their cell phones. However, SIM swapping is becoming a more prevalent cybercrime. Embedding SIM swapping prevention into your organization’s training and cybersecurity practices will—at a minimum—raise awareness of this growing issue. 

LastPass’s Role in Protecting Against SIM Swapping

Utilize LastPass's strong password generator

Use the built-in generator to create a guess-proof password that auto-fills in one click on any device. 

Enable multi-factor authentication (MFA) for your LastPass account

LastPass’s MFA uses biometric and contextual factors to enhance your account's security. Though a SIM swapping criminal may be able to guess your password, the MFA ensures that there are security barriers that only you can get through.  

LastPass’s security features to safeguard your online account

A password manager will drastically reduce the chance of a SIM hijacking attack. First, LastPass uses zero-knowledge encryption, meaning only you know your password. LastPass has a security dashboard and automatic data breach monitoring to spot and stop threats immediately. It also offers impenetrable ways to safely share your password with your colleagues, family, or other trusted parties you authorize. 

A SIM swap hijack can transform from a strange notification to stolen funds and large data breaches in minutes. It could be a taxing situation involving your mobile carrier, law enforcement, or customers. Since cyberattacks are becoming cleverer, you’re more susceptible than ever to attacks through your phone. Smart online behavior and optimal cybersecurity will stop potentially devastating attacks before they take shape. Start your LastPass trial today.