Technology is continuously evolving to protect consumer data. A cornerstone improvement was the implementation of 2FA (Two-factor authentication). The usage of 2FA is to block unauthorized access to online accounts/ services (including financial services like banks).
This 2FA technique is based on a consumer’s phone number, and the consumer must enter the code or OTP sent to his phone number to log into the required account/service. As technology is evolving, so do the scammers.
One of the techniques they developed is a SIM swap attack called SIM swap scam, port-out scam, SIM jacking, SIM hijacking, SIM Intercept attack, etc.
Introduction of a SIM Swap Frauds/Attack
The telecom and I.T industries use your SIM to authenticate different actions like password reset on a website (although mobile numbers were not intended for this use). Due to this factor, your SIM is the magic key to many (if not all) essential services. Your bank accounts, email accounts, social media, and even online wallets (including crypto wallets) are tied to your phone number.
Even the 2FA technique was developed to use your SIM to authorize a login to an account or service by entering a code sent to you either via call or text message to safeguard you even if your credentials were stolen.
But the strength of this technique is also part of its weakness, as whoever possesses the phone or phone number will get the code. Hence, scammers developed the SIM swapping attack. A scammer may not be a hacker or tech-savvy with million-dollar equipment, he just needs a phone and a SIM card to perform his ill action.
In this attack, scammers get a consumer’s phone number on their SIM (physical or E-SIM) by convincing the consumer’s carrier that they are the actual consumer and thus bypass the 2FA, opening hells of opportunities for them. This can be the worst of nightmares an individual may face as his SIM is virtually stolen but physically present with the consumer. In other words, a SIM swap attack occurs when a fraudster takes control of the victim’s phone number.
The popularity of cryptocurrencies also increased the frequency of SIM swap attacks as the funds transferred from the victim’s crypto wallet are difficult to trace. Also, there are reports of data breaches on cryptocurrency exchanges, putting the data (especially the phone numbers of crypto owners) on sale on the black market. In 2020, Interpol arrested 10 fraudsters who were able to steal more than 100 million USD in cryptocurrencies by using SIM swap attacks.
SIM swap attack is part social engineering as the fraudsters must know the personal details of the victim and part telecommunication fraud as the fraudsters must convince (or bribe) the telecom rep to issue the new SIM with the victim’s phone number. The most basic purpose of a SIM swap attack is to circumvent accounts’ security features based on messages or calls.
SIM swapping attacks made the news headlines in 2017, although they were happening even before that. In the UK only, there is a reported surge in SIM swap attacks of 400% from 2015 to 2020. SIM swapping is a legitimate process if done by the original person but will be illegal if done by an imposter.
SIM swapping is also used to enable embedded SIM (E-SIM) on the phone. This attack is (virtually) more lethal to a person as the phone, or the SIM will not leave his hands or premises.
Details Required by Scammers to Do a SIM Swap Attack
Details required by re-issuance of a SIM depend on your country and the operator, but usually, they target the following information:
- Date of birth
- Social Security Number (SSN)
- Social Media Accounts
- Mother Maiden Name
- Sometimes, copies of govt IDs (to generate a fake one)
The more information an attacker may have, the more chances he may succeed in his ill intent. With the mentioned information in the scammers’ hands, the attack could be so devastating (account takeover, identity theft, credit card fraud, etc.) that a victim may fail to restore his online identity fully.
Methods Used by Fraudsters to Choose Victims
An attacker may select victims by using the following method:
- Using Brute Force: Many fraudsters may simply use random phone numbers or phone numbers in a series to choose their victim. Also, phone numbers exposed in a data breach may also be targeted.
- Targeting a Particular Individual: This is the primary mode where an attacker chooses a vulnerable victim and has the victim’s phone number and other valuable information/data like social media handles. It is reported that stolen Instagram or gaming accounts (with heavy followings) can be sold at around 40000 USD.
Steps in Performing the SIM Swap Attack
The general steps in a SIM swap attack can be listed as:
- Once an attacker locks a phone number to perform his SIM swap attack, he will search the information of the probable victim, required to impersonate a victim to a telecom rep. He may get these details by using social engineering techniques, phishing emails/messages, spying on you when you were using your phone, or buying the details from an organized criminal racket (if your data was a part of a data breach). After having details of the victim, some scammers may start constant calls and messages to a probable victim to annoy him to a level where the target is forced to switch off his phone so that the carrier cannot contact him when re-issuing or porting out the SIM.
- Then he will contact the telecom operator and impersonate the victim.
- Now he will deceive and convince the telecom rep to transfer the victim’s phone number to a new SIM as the old SIM is lost or stolen and may make the rep issue a new SIM to the attacker or issue the victim’s phone number on a SIM in possession of the attacker, impersonating the victim.
In some countries, the attacker must convince the victim to do a particular action to authorize the SIM swap, e.g., in Nigeria and India, an attacker must convince the victim to press 1 on his registered number to authorize the SIM swap. Some fraudsters may use an insider on the telecom operator side to complete their task (less common but reported incidents where an employee was gaining USD 100 for each illegal SIM swap).
- Once the attacker is the control of the victim’s SIM (the victim’s phone will lose connection and he will not be able to make calls, use mobile data, or send messages), the attacker can start the next phases of the attack by using OTP/2FA messages to log into the victim’s accounts, steal his information and personal data.
Usage of SIM Swap Attack by Fraudsters
The SIM swap attack is the basic step of fraud. Once a fraudster is in control of a victim’s phone number, he may use it for the following (but not limited to):
- Accounts Takeover: This is the most common form of SIM swap attack and is the basic reason a fraudster may target a victim. As the fraudster controls the phone number, he can receive 2FA or OTP messages and log into a victim’s accounts/services. These include social media, gaming, mobile banking, online crypto wallet, or online store accounts. He can even change the account credentials (making it nearly impossible to recover) or delete an account and its data.
- Identity Fraud: Once a fraudster controls a victim’s phone number, he can pose as the victim on SMS and social media apps which can be used for personal gains like asking the victim’s friends/families for an urgent loan. Also, if you have your documents (like government-issue IDs) on a cloud service and fraudsters can log into that account, they can use your documents to perform different frauds using your IDs.
- Phishing: Once your phone number is compromised, fraudsters can vast their network of SIM swap attacks by sending malware to your friends/families, and they may become the next victim of the SIM swap attack as they open those links/messages from the fraudster, thinking that you have sent them something.
- Transaction Fraud: The attacker may use that e-wallet to perform different types of purchases like gift cards, gifts, etc. If your credit card number is linked to any of those compromised accounts, then that could be a jackpot for the attacker, who may use it to perform different actions like shopping. If your bank or financial institute sends a verification message or calls for verification, the attacker impersonates you will verify the transaction, and you will suffer a financial loss.
- CEO Fraud: Fraudsters love to impersonate managers or executives of reputable companies to lure the lower-level staff into fraud, and if they can get hold of the phone number of any such individual, then they can use that number to impersonate a company’s CEO easily and may do a fraud with the other employees of that company.
- Blackmailing: No individual in this world is perfect and may have some things/events an individual may want to keep hidden from family/friends. To keep a victim’s information/data private, a scammer may blackmail a victim. Also, some scammers may contact you to give back your data in return for some monetary or other benefits.
The severity of the Attack
To know the severity of the attack, let us quote an experience shared by a victim:
“My entire digital life was destroyed in one hour after the SIM swap attack. Firstly, the scammer took over my Google account and then deleted it. Then, they logged into my Twitter account and started to broadcast racist/homophobic content.
The worst was that they broke into my Apple ID account, and the scammers remotely erased the data of my MacBook, iPhone, and iPad. I do not have any backup of the data, so I have lost photos/videos of my daughter’s entire lifespan, and essential documents/emails were also lost.”
Warning Signs That You are Under a SIM Swap Attack
As you may have grasped the idea of how deadly a SIM swap attack can be, now here are some warning signs that you may notice when under attack:
- No Network Service on the Victim’s Phone: If your phone stops receiving signals from the mobile carrier, that could be the first sign of a SIM swap attack, given that there is no network outage for others in the vicinity.
- Unfamiliar Social Media Accounts Activity: If you are noting unusual activity on your social media accounts (like signing out of social media apps on your smartphone) that are not initiated by you, then that could be another sign that you may be a victim of a SIM swap attack.
- No Access to Financial or Bank Services: Another sign of the SIM swap scam is that you may fail to gain access to your financial (like a credit card) or bank services if your SIM linked to these services has been swapped by a fraudster.
- Notifications: You may start to see notifications on different apps not initiated by you, like a notification of a transaction in the Cash App, not authorized by you.
- Carries Intimation: If you have a carrier app installed on any of your smartphones and that app intimates you (or an email message from the carrier tell you) that a new SIM is issued for your phone number (not initiated by you), then that is a clear signal that you are under a SIM swap attack.
Steps If You Are Attacked
If you are one of those unlucky ones who are suffering from the SIM swap attack, then you must take the actions listed below as the time is the key here:
- Firstly, contact your operator and get a new SIM of your phone number or activate your phone number on your present SIM so that your phone number is deactivated on the SIM possessed by the hacker.
- Contact financial institutes (banks, credit card issuers, etc.) and block or reverse any transactions. Many financial institutions add a time delay for an unusual or suspicious transaction, and if you contact the institution in time, you may be able to get the transactions reversed by the fraudsters. If there are transactions not initiated by you, bring those to the notice of your financial institute. Keep in mind that chances of recovery of financial losses are minimum as scammers transfer funds to accounts in another country.
- Reset passwords/PINS for any online accounts and services. If possible, switch the preferred phone number of the account or services to another phone number. Also, if possible, switch the primary email of your social media accounts to another email address.
- If your SSN (or any other govt issued ID) is also stolen and used by scammers, immediately contact the Social Security Administration (or the authorities that issued the IDs).
- Some hackers may try to contact you, and that contact will be quite tempting as they have your sensitive information but do not fall for it as you will either be extorted or unknowingly become part of a larger hacking activity. Do not engage with the hackers but bring that to the notice of law enforcement agencies.
- Report the SIM swap attack and losses suffered through your country’s law enforcement agencies.
Steps to Prevent the SIM Swap Attacks
There is a saying that prevention is better than cure, and there are some steps you may take to minimize the chances of SIM swap attacks. But the prevention is not the responsibility of a single entity, i.e., governments, telecom operators, financial institutes, and mobile phone subscribers.
All must act in their respective domains to curb this scamming technique, as ignorance of any of these can lead to a successful SIM swap attack. A point to remember is that if a person is attacked once, then there are chances of more subsequent (probably automated) attacks if he does not take action to prevent attacks.
Countries must bind the telecom operators to re-issue a SIM with proper verifications, and if there is a SIM swap attack, the country’s police must act to its maximum to capture the criminals involved. Otherwise, a successful SIM swap attack will be a moral booster for other criminals.
Many countries are making laws and actions to counter this scam technique (FCC is already making rules in this regard). Telecom operators must make procedures to protect their customers from SIM swipe attacks. Operators must ensure that their employees do not fall for bribes offered by fraudsters.
In this regard, T-Mobile already made some protocols to be followed by its employees before a SIM can be changed, like approval from two T-Mobile employees, which previously was tied to the approval of one manager; although it is not foolproof, it is a step in the right direction.
Banks may use an API by the country’s regulator to check if there is a recent SIM swap, and if so, it should limit the client’s online access for a certain period or the client physically authorizes the swap. Also, using hardware authentication by a Bank should be a must to avoid any hacking of a client account.
As a customer, you may adopt the following techniques to safeguard yourself from a SIM swap attack or repeated attacks (if already a victim). The basic purpose of these techniques is to break the vicious cycle that a victim may face if he becomes under attack by using the SIM swap method.
Check Your Country’s Regulations
The first step to counter SIM swap attacks should be to check your country’s regulations and see how your telecom operator is following the country’s regulations.
Check Your Operator’s Procedures to Issue a SIM
Try to properly understand your mobile carrier procedures for issuing a SIM, and if it offers any type of account management portal to manage your SIM or lock your phone number to a particular SIM, if so, then you may use it to safeguard yourself.
If your operator is a little lousy in its procedures, you may get your number ported to a more secure operator (if possible). Even some operators provide a special code that you can dial from your phone to report any SIM swapping incident.
Some operators may facilitate with a call-back feature. With the callback feature, whenever the mobile network operator is contacted for re-issuance of the SIM card of a probable victim, the operator may contact the probable victim on the phone number provided by the individual when settings up a call back feature and ensure that if he is legitimately requesting a SIM re-issue.
If not, the operator will not issue a new SIM, and the attack will fail. So, if your mobile carrier has a call-back feature, use it to safeguard yourself from the SIM swap attack.
Some operators have a time delay (around 72 hours) before a client’s SIM is swapped. Check if your carrier has any such facility. If so, activate it on your phone number so that you may have a time window before a scammer succeeds in his ill intentions.
Check Your Financial or Banking Procedures
Some banks (or financial institutes) are applying techniques to safeguard their customers against financial fraud by using SIM swap attacks. One such technique is to use the country’s regulator APIs to check if a client has recently swapped his SIM before performing transactions.
If so, then the bank will limit the client’s transactions for a particular time or if the client physically verifies the SIM swap on a bank’s branch. The UK, Australia, and many African countries (like South Africa, Kenya, Mozambique, and Nigeria) have implemented the mentioned technique. So, check what is the safeguard by your bank against a SIM swap attack and follow any guidelines from the bank to avoid any SIM swap attacks.
Set a PIN or Password on Your SIM or Carrier’s Account Management Portal
As per the FTC recommendations, it is better for a mobile network subscriber to set up a PIN or password on his SIM. Also, to prevent changes to the subscriber’s phone number without the subscriber’s consent, a subscriber must lock his phone number in the carrier’s management portal (if available). If your carrier supports any of these, make sure to avail the feature to avoid any mishap in the future.
Avoid Sharing Personal Information
The cornerstone of a SIM swipe attack is the victim’s personal information required by mobile operators for re-issuance or porting a phone number to a new SIM. If a victim’s personal information is not available to an attacker, then the chances of attack by using the SIM swapping method are minimized but the attacker can still purchase a victim’s details from the black online market, given that the victim’s data was part of a data breach.
So, to take advantage, ensure never to share your personal information with people on the phone or online (even if someone claims it is essential). Another technique used by fraudsters is to call a victim from a number looking like the mobile operator’s helpline number (or any government department like the health department) and try to gather the victim’s personal information.
So, do not share your personal information over the phone, even with the persons claiming to be from the operator’s helpline or govt agencies.
Avoid Using Same Phone Number for Sensitive Accounts
A best practice that can be used is to use different phone numbers for different services (that will be a burden for some people) or another approach you can use is to use a single number for social media accounts and then another phone number for other services (like email, banks, etc.).
Stay Away from the Mentality that “I Am Safe”
When the fraudsters attack a number by using brute force method, they are shooting in the wild without knowing who the target is, and thinking that I am safe as I am not a high-profile individual may cost you your entire digital life (you may again read the Severity of the Attack section) and may cause other issues as well.
There may be some people who may think that we have nothing to hide, but that is just a lame excuse because such people do not forget to close their house doors when leaving the house.
Use Landline Phone Numbers, eSIMs, or Virtual Phone Numbers
Whenever you are required to use a phone number, it is always better to use a landline number as it will protect you from a SIM swap attack. Also, if you are required to share your phone number online, go for a landline number.
Moreover, in some countries, eSIMs may safeguard you against a SIM swap attack if the eSIM is only issued after the physical verification of the client on a company’s franchise. If you must use a mobile phone number and share it online, go for a virtual number like a Google Voice or Google Fi number.
Use a Different Type of Verification Method
Many services offer verification methods besides SMS like Google offers Google Authenticator to get codes when logging into Google or a hardware key offered by YubiKey. It will be better to use these alternatives to generate a login code (in place of SMS or call-based authorization), so that if you lose access to your account, you may still be able to log in using the authenticator app.
Use a Password Manager
Using common or similar passwords across websites is a great security hazard. It will be better to use a strong and unique password. If you are habitual of using common or similar passwords, you may switch to a password manager to avoid a catastrophe.
Stay Away from Suspicious Emails or Messages
If you are receiving emails or messages (even from close ones) that look suspicious, then you must not open those emails/messages or click any link in any emails/messages till you are 100% sure that the link is safe as scammers use suspicious emails or messages, or links in them to collect information about a probable victim and then carry on the SIM swap attack.
Also, never download an attachment on your system/device until you are fully confident that the attachment is legitimate. Scammers mostly use these while keeping your interests (from your social media account) in their view, so do not fall for it.
Use Single Use Credit/Debit Cards
You may use online services (e.g., Privacy or Blur) to get single-use credit/debit cards or rechargeable credit/debit cards to avoid using your original single credit/debit cards online to avoid any damages that may occur if your original credit card info is stolen by scammers by using the SIM swap attack.
Use Bio-metric or Hardware Key Authorization
More and more services are shifting to bio-metric authorization. If your accounts or services support bio-metric authorization, it will be better to switch to those services to avoid SIM swaps or hacking attempts. If you are not comfortable using biometrics, you may adopt the hardware key authorization (like YubiKey).
Use Up-to-Date Security Tools on Your Devices
The web is not safe, and a person must use security tools (like antivirus, firewall, ad or pop-up blockers, etc.) to keep his data and information safe, especially from a phishing attack to gather the required information to carry on a SIM swap attack. Beware of those browser pop-ups or use an ad/pop-up blocker.
Never Share OTPs, 2FA Codes, or Take an Action That You Do Not Understand.
Scammers will try to use different techniques to lure the probable victims. They try to get OTP and 2FA codes from you to get your personal information. Also, if a person asks you to press a specific number key or perform an action on your phone, do not do that as you may be authorizing a SIM swap request as many operators require you to press a specific key (like 1 in India) to authorize a SIM swap operation.