SIM swapping is a prevalent type of account takeover fraud, in which an attacker takes over control of your mobile phone number. The attacker can then send and receive calls and texts, including two-factor authentication PINs and one-time passwords.
For an attack that yields such a valuable payload (your mobile phone number), SIM swapping requires very little technical skill. That's not to say it's easy to accomplish. It simply means the attacker isn't going to be typing complex commands into a Linux terminal to pull it off; the work is done over the phone, against a customer service representative.
In this post, we’re going to look at what SIM swapping fraud is, how it works, and how you can protect yourself against it.
The more (information), the merrier
To pull off a successful SIM swapping attack, the attacker needs at least some of the victim's personal information, which they use to get into the victim's accounts. Swapping the SIM only pays off if the attacker already has everything else they need to access those accounts; control of the phone number is the missing piece that defeats SMS- and call-based verification.
The ways in which that information is obtained can range from data breaches, to social engineering, to phishing scams. It’s all fair game.
And the more information the attacker has on their victim, the higher the chances of a successful attack. For this reason, an attacker is also likely to trawl their victim's social media accounts for any useful detail they can glean (birthdays, pet names, schools, the kind of thing security questions ask for), so you may want to think twice before posting something too revealing.
But the point here is that if an attacker can't get hold of your personal information, credentials, email address, etc., the odds are low that they will try to SIM swap you. That also highlights the fact that your best defense is common sense. We'll provide some tips on avoiding SIM swapping attacks further down.
How SIM swapping fraud works
A SIM swapping attack comprises two main steps.
First, the attacker will have obtained some of the prospective victim’s personal information. This could be usernames and passwords, date of birth, answers to common security questions, last four digits of credit card numbers, etc. Anything that can help the attacker gain access to the victim’s accounts.
The attacker may use social engineering techniques (usually a bogus email, Facebook post, or SMS containing links to a malicious site controlled by the attacker) to obtain the information, or they may obtain it from a data breach that has already occurred. Whatever the case, the attacker will use these credentials to access the victim's accounts once they have taken control of the phone number.
If this is successful, the attacker now has the victim's credentials and as much auxiliary information as they could find. But that's just the first step.
In order for a SIM swapping attack to be successful, the attacker must also fool the victim’s wireless provider’s customer service rep.
Now that the attacker has the victim's credentials for an account, they contact the victim's wireless provider and try some social engineering on them. Typically, the attacker impersonates the victim and claims they've lost their phone (or it was stolen or damaged) and need their number transferred to a new SIM card. This will, of course, be a SIM card the attacker holds. Strictly speaking this is a SIM swap within the same carrier rather than a port; the same ruse also works at the port-out step, when a number is moved to another carrier.
The customer service representative will usually ask the attacker a few security questions to make sure they're speaking to the account holder. If the attacker has done their homework, they'll be ready to answer questions about mother's maiden names, the last four digits of credit cards, and other personal details, and the representative will transfer the victim's mobile number to the attacker's SIM card. The victim's own SIM card stops working at that moment.
SIM swapping attacks
From this point on, the attacker receives all of the victim's phone calls and text messages. That means they can intercept any phone- or SMS-based two-step verification codes and one-time passwords for accounts where that kind of two-step verification is enabled, as well as password-reset links and codes sent to that phone by call or text.
SIM swapping fraud can be very serious indeed.
Suppose the attacker has obtained the victim's online banking credentials. After a successful SIM swap, the attacker can pass the bank's SMS verification, change the victim's personal details, password, and registered email address on the banking site, and even open another account at the same bank in the victim's name and move funds between the accounts.
Basically, SIM swapping attacks open the door to every kind of identity theft you can imagine.
SIM swapping attack examples
In 2018, numerous Instagram users fell victim to a SIM swapping attack. These users noticed that they were being unexpectedly logged out of their accounts. When they attempted to log back in, they noticed that the handle, email, and phone number associated with their Instagram account had changed.
Twitter’s Jack Dorsey
In August of 2019, hackers were able to successfully take over Twitter CEO Jack Dorsey’s account, using a SIM swapping attack. They used the compromised account to post racist messages and a bomb threat that appeared to come from Mr. Dorsey.
How to know if you’ve been SIM-swapped?
You should be able to quickly figure out that you’ve been hit with a SIM swapping attack because the symptoms appear quickly. Here are some telltale warning signs that you’ve fallen victim to a SIM-swapping attack.
- You notice social media posts in your name that you never made. That’s what happened to Jack Dorsey. And it can happen to anyone.
- You're unable to make calls or send text messages from your mobile phone, and the handset reports no service even where coverage is normally good. That's another classic sign that you've been SIM-swapped: the carrier now routes your number to someone else's SIM card, and you no longer have agency over it.
- You’re notified that your new SIM card has been activated, although you never made that request. Some wireless carriers send notifications to their clients to confirm changes to their accounts, such as a new SIM card being activated. If your email account hasn’t been compromised (yet), you may see such an email in your inbox.
- You’re no longer able to log into your accounts. That’s another classic sign of a SIM-swapping attack. Your account credentials have been changed by someone other than you.
How can you protect yourself against SIM swapping attacks?
There are a few things you can do to protect yourself against SIM swapping fraud. Implement these along with the tips on protecting your personal information online, below. None of them is a silver bullet, but taken together they shift the odds in your favor.
Here’s how to protect yourself from SIM swapping fraud:
- Set up a PIN or passcode on your mobile phone account. Most carriers let you add a separate account PIN (sometimes called a port-out or number-transfer PIN) that customer service must be given before a SIM change or number transfer is processed. If the attacker didn't manage to extract that PIN along with everything else, it can stop the attack outright. Note that this is different from the SIM PIN you enter when the phone boots: that only locks the physical card in your hand and does nothing to stop the carrier moving your number to another card.
- Use authentication apps. Two-factor authentication can significantly bolster your accounts' security, but it needs to run over a channel the attacker can't take over, and the phone number is not such a channel. If you enable 2FA and configure it to use an authenticator app rather than receiving codes via SMS or voice call, the attacker can't intercept them: the code is computed on your device from a secret the service gave it once, and nothing is sent over the phone network. Some popular authentication apps are Google Authenticator, Microsoft Authenticator, and Authy. There are others, such as the open-source FreeOTP. Pick one that suits your needs and use it, and where a service still offers SMS as a fallback, turn the fallback off if you can.
- Ask for a call-back. Some service providers call their customers back to make sure they really are who they claim to be. Ask your mobile carrier if it offers this and set it up if it does. With a systematic call-back on your account, when an attacker impersonates you to get your number moved to their SIM card, the carrier first calls you back on your current phone (which holds your current SIM card), and you learn that someone is tampering with your account before they can do any damage.
How can you protect your personal information online?
Whether you want to avoid SIM swapping fraud specifically or any other online attack, these are all common sense tips that can assist you in protecting your personal information in such a connected world. Almost every type of attack has a social engineering/phishing component. Putting these common-sense tips into practice will help.
- Use a firewall. All major operating systems have a built-in inbound firewall, and consumer routers block unsolicited inbound connections by default thanks to NAT. Keep both enabled; they won't stop you clicking a malicious link, but they limit what can reach your machine from the outside afterwards.
- Use genuine, well-reviewed antivirus software from a legitimate vendor, keep it updated, and configure it to scan at regular intervals.
- Never click on pop-ups. You never know where they’ll take you next.
- If your browser displays a warning about a website you are trying to access, you should pay attention and get the information you need elsewhere.
- Don’t open attachments in emails unless you know exactly who sent the attachment and what it is.
- Don't click links (URLs) in emails unless you know exactly who sent the message and where the link goes. And even then, inspect the link carefully. Is it HTTP or HTTPS? Most legitimate sites use HTTPS today, but so do most phishing sites, so the padlock proves only that the connection is encrypted, not that the site is genuine. Does the hostname contain spelling tricks (faceboook instead of facebook), a real brand name stuffed into a subdomain of an unrelated domain, or a bare IP address? If you can get to the destination without using the link (type the address yourself or use a bookmark), do that instead.
- Don't reply to emails, text messages, or phone calls that ask you for personal information. That is the telltale sign of a phishing scam. Legitimate organizations rarely ask for personal information when they contact you out of the blue; if you think the request might be real, hang up and call back on the number printed on your card or statement.
- Limit the amount of personal information you post on the internet. Your risk of falling victim to a SIM swapping attack correlates with the amount of personal information that's publicly accessible about you, because attackers use it to guess the answers to your security questions. The internet is a hostile place. Before posting something revealing, ask yourself whether it's really necessary.
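The link checks above can be mechanised. The Python below is an added example, not code from the original post; the list of brand domains is a constructed allowlist, and the registrable-domain helper is a deliberate simplification (it takes the last two labels rather than consulting the Public Suffix List, so it is wrong for hosts under suffixes like co.uk). It flags plain HTTP, a bare IP address or userinfo before an '@' standing in for the host, punycode labels, a brand name used as a subdomain of some other domain, and one- or two-character lookalikes such as faceboook.com.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist of brands the reader actually uses, as registrable
# domains in lowercase. A real tool would load this from configuration.
KNOWN_BRANDS = ("facebook.com", "instagram.com", "twitter.com", "paypal.com")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' approximation of the registrable domain.
    Assumption: a production version would consult the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def inspect_link(url: str, brands=KNOWN_BRANDS) -> list:
    """Return (code, detail) findings. An empty list means nothing suspicious
    was spotted by these heuristics, which is not the same as 'safe'."""
    findings = []
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError as exc:
        return [("MALFORMED", f"could not parse URL: {exc}")]

    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        findings.append(("ODD_SCHEME", f"scheme {scheme!r} is not http/https"))
    elif scheme == "http":
        findings.append(("PLAIN_HTTP", "link is not HTTPS"))

    if not host:
        findings.append(("NO_HOST", "no hostname in URL"))
        return findings
    if parts.username is not None:
        # https://paypal.com@evil.example/ : the part before '@' is a username
        findings.append(("USERINFO", f"text before '@' ({parts.username!r}) is not the host"))
    try:
        ipaddress.ip_address(host)
        findings.append(("IP_HOST", f"host is a bare IP address: {host}"))
        return findings
    except ValueError:
        pass

    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        findings.append(("PUNYCODE", "internationalised label; check for homoglyphs"))

    reg = registrable_domain(host)
    if reg in brands:
        return findings  # host really belongs to an allowlisted brand
    reg_name = reg.split(".")[0]
    for brand in brands:
        brand_labels = brand.split(".")
        brand_name = brand_labels[0]
        # facebook.com.evil.example: the brand's labels appear, but not at the end
        if any(labels[i:i + len(brand_labels)] == brand_labels
               for i in range(len(labels) - len(brand_labels))):
            findings.append(("BRAND_SUBDOMAIN", f"{brand} appears as a subdomain of {reg}"))
        elif brand_name in reg_name:
            findings.append(("BRAND_EMBEDDED", f"{brand_name!r} embedded in unrelated domain {reg}"))
        elif 0 < levenshtein(reg_name, brand_name) <= 2:
            findings.append(("LOOKALIKE", f"{reg} is within two edits of {brand}"))
    return findings


if __name__ == "__main__":
    # Constructed sample links, not taken from any real phishing campaign.
    for link in ("https://www.facebook.com/login",
                 "http://www.faceboook.com/login",
                 "https://facebook.com.evil.example/reset",
                 "https://paypal.com@198.51.100.7/",
                 "https://xn--80ak6aa92e.com/"):
        print(link, "->", inspect_link(link) or "no findings")
```

Treat the output as a prompt to look harder, not as a verdict: an unknown domain with no findings can still be a phishing site, which is why the advice to reach the destination without the link stands.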
What should you do if you’ve been SIM-swapped?
If you’ve fallen victim to a SIM swapping scam, follow the advice below:
- Contact your mobile service provider immediately to have the attacker's SIM card deactivated and service restored to your own SIM card and phone, and add an account PIN while you're at it. Then change all your account passwords, starting with your email account, since password resets for everything else flow through it.
- Check your credit card, bank, and other financial accounts for unauthorized transactions or charges. Report any anomalies to the relevant financial institution.
- If you have reason to believe your Social Security Number may be compromised, contact the relevant government agency.
So that’s SIM swapping fraud, in a nutshell. It’s quite a nasty attack. And it’s difficult to defend against in part because of its important social engineering component. It exploits human emotions and our desire to be helpful most of the time. So, while you should implement the technical measures mentioned in this article, your best defense will be common sense.