An account takeover fraud called a SIM swap scam (also called a port-out scam, SIM splitting, Smishing and simjacking, SIM swapping) typically preys on a flaw in two-factor authentication and two-step verification, where the second factor or step is a text message (SMS) or phone call to a mobile device.
The scam takes use of the capacity of a mobile phone service provider to effortlessly migrate a phone number to a device using a different subscriber identity module (SIM). When a client is moving service to a new phone or when a phone is lost or stolen, this mobile number portability option is typically employed.
A fraudster gathers personal information on the victim at the outset of the con by using phishing emails, purchasing it from organised criminals, or by social engineering the victim.
The fraudster contacts the victim’s mobile phone provider armed with this information. The fraudster utilises social engineering strategies to persuade the victim’s phone number to be ported to the SIM of the fraudster. For instance, the victim may be impersonated using personal information to seem genuine and the allegation that they have misplaced their phone. In other nations, most notably India and Nigeria, the fraudster must persuade the victim to push 1 to authorise the SIM change.
Numerous times, SIM numbers are immediately changed by telecom company staffers who have been bought off by crooks.
Once this occurs, the victim’s phone will no longer be connected to the network, and all SMS and voice calls that were meant for the victim will instead be received by the fraudster. This enables the fraudster to intercept any one-time passwords sent to the victim via text messages or phone calls, enabling them to get around many two-factor authentication procedures for accounts that depend on text messages or phone calls (such as their bank accounts, social media accounts, etc.). The fraud enables crooks to access virtually any account linked to the stolen number because so many providers offer password changes with simply a recovery phone number. As a result, they could be able to blackmail the account’s legitimate owner, transfer money straight from the account, or sell the accounts on the black market to commit identity theft.
Social media’s role in SIM swap fraud
When trying to conclude a SIM swap fraud, scammers may utilise the information they learn about you from your social media sites to pass off as you.
As an example of a response to your security questions, mention your mother’s maiden name or your high school mascot. Your Facebook profile may contain that information, which a fraudster may access.
The good news is that social media can also warn you when you’re being victimised.
Take the well-known SIM switch fraud against Twitter CEO Jack Dorsey as an example. Dorsey’s Twitter account was compromised when con artists got hold of his phone number. During the fifteen minutes it took for Dorsey to recover control of his account, the fraudsters who were behind it continued to post nasty remarks using his Twitter name.
How was Dorsey’s phone number obtained by the hackers? They managed to persuade Dorsey’s phone provider to effectively exchange SIM cards, giving their SIM card and phone Dorsey’s phone number. They then sent their messages over Twitter using the text-to-tweet feature of Cloudhopper.
What are the signs of a SIM swap attack?
The telltale indicators of a SIM switch are sometimes relatively simple to spot and generally become clear very quickly after the attack. Just a few things to watch out for are as follows:
- Unusual notifications The phone in issue may get messages or calls informing it of an unexpected change to the service in the early phases of a SIM switch scam. If this occurs, it is advisable to get in touch with the service provider right once to see what steps have been done.
- without having a phone: It’s conceivable that the SIM card has been disabled if the phone in issue suddenly loses service—it can’t place or receive calls or messages, for example, or can’t access data when it should. Whether a switch has taken place or there is just a short-term issue can be verified by the service provider.
- Social media postings that are out of the ordinary: If the owner of a social media account detects posts on their profile that they did not make, it’s probable that a SIM jacking scammer has taken over their accounts.
- Account lockouts: Sudden inability to get into email, social media, or bank accounts may be a sign that these accounts have been compromised by a SIM swap scam.
- Unexpected transactions: SIM swap con artists could covertly conduct transactions through the bank accounts connected to a phone number. Another indication of SIM switching is suspicious activities on bank or credit card account statements.
How can you protect against SIM swap scams?
Fortunately, there are steps you can do to guard against falling prey to SIM switch fraud, as can your service providers.
- Online conduct: Watch out for phishing emails and other attempts by criminals to gain access to your personal information so they may pose as you to your bank or mobile provider. Don’t click on links in emails you get from unknown senders. Also keep in mind that your bank, cable company, credit card company, and other service providers won’t contact you asking for your personal or financial information.
- Account security: Increase the safety of your mobile account by using a strong, one-of-a-kind password together with strong security questions and answers that only you are aware of.
- PIN codes: Think about using a different password or PIN for your conversations if your phone provider permits it. It could offer an extra layer of defence.
- IDs: Don’t base all of your identity verification and security only on your phone number. This applies to SMS text messages as well, which are not encrypted.
- Apps for authentication You may use a two-factor authentication tool like Google Authenticator that connects to your actual device rather than your phone number.
- Alerts from banks and mobile carriers: Ask your banks and cell provider whether they can work together to incorporate user warnings and extra checks when SIM cards are supplied, for example, and to share their information of SIM swap activity.
- Technology that analyses consumer behaviour: Banks can use this technology to identify hacked devices and alert customers not to transmit SMS passwords.
- Call-backs: Some businesses call back clients to confirm that they are who they claim to be and to apprehend identity thieves.
- One factor that makes a phone number a poor identity checker is SIM switching. It can be fooled as an authenticator. Your accounts and identity may be safer if you add more levels of security.
Sim swapping is only one method of identity theft, of course. Consider using a reputable identity verification service like IDcentral if you’re worried about identity theft as a result of a lost driver’s licence or other form of identification.
How do SIM swaps function?
SIM swaps operate by getting a cell phone provider to transfer a mobile number to a SIM that belongs to the hacker. The hacker can alter the passwords for all the accounts that utilise that phone number for two-factor or multifactor verification once they have control of the phone number.
Is switching SIMs illegal?
Yes, SIM switching is a type of cybercrime that involves theft, conspiracy, wire fraud, identity theft, and computer fraud. SIM switching is a serious felony that may result in years in prison and other harsh punishments.
An SIM card switch hack is what?
A SIM swap is also known as a SIM card exchange hack. A SIM card switch hack involves the illicit transfer of a victim’s cell phone service to another SIM card. With a card reader, a SIM card may also be physically duplicated.
Can a SIM switch be stopped?
Yes, using complicated and distinctive passwords and avoiding posting any personal information on social media will assist you prevent a SIM switch. In order to deceive mobile service providers into believing they are a paying client, SIM swaps rely on simple passwords and personal information. SIM swap avoidance is also significantly improved by physical security keys like Yubikey and authenticator applications like Google Authenticator.
How much time does a SIM switch take?
A SIM swap continues for as long as the SIM swapper avoids detection or until they decide to stop using the phone in order to avoid being discovered. A SIM swap typically comes to an end once the SIM swapper makes a significant purchase or transfers a sizable sum of money to a secure place.