SIM swapping, also referred to as a swap scam, port-out scam, SIM splitting, and simjacking, is a type of account takeover scam. It targets weaknesses in two-step verification methods: two-factor authentication and one-time passwords.
Phones have a built-in SIM card slot where you plug in your SIM to make and receive calls, text messages and data. The phone number on that SIM is in turn used with your contacts, online accounts, social security number, social media account details, credit card details, account holder personal information and much more. SIMs are issued by carriers, who usually charge you in one of several ways: prepaid, postpaid, or other plans.
With a SIM card, you get a phone number that is tied to your SIM for as long as you use that phone number. If an attacker is somehow able to get a mobile carrier to switch your phone number over to their own SIM card and their own device, they will start receiving the text messages, phone calls and anything else related to your phone number. SIM hijackers have drained thousands of dollars out of people’s checking accounts this way.
Consequently, your device would stop receiving calls, text messages and anything else, and it would tell you that you no longer have service for that phone number.
What is a SIM Swap Hack?
So, how is an attacker able to do this? It all comes down to social engineering. The attacker calls a customer service representative at AT&T, Verizon, T-Mobile or any other phone company and pretends to be you. The attacker could say something like ‘my phone got stolen, and I bought a new phone with a SIM card and need to transfer the previous phone number over to my new phone.’
The customer service representative would eagerly assist the caller in setting up the phone, which is actually the attacker’s phone. The representative will try their best to authenticate the caller and get that phone number transferred over. If the attacker has access to any data that validates them as being you, in effect stealing your mobile phone identity, then they can steal your phone number.
Why would a hacker want to gain access to your phone number? It all comes down to two-factor authentication (2FA) and the one-time password (OTP) that you receive as a text message to safeguard your personal information. The 2FA code is an authentication code, much like the ones Google Authenticator provides, that you would normally receive, but in this case the hacker receives it on their phone instead.
The hacker could now get into your online account if they also have your password, or they might be able to reset your password with just the 2FA code. If you don’t have 2FA turned on, which you should, then a hacker could still use your phone number to authenticate as you on social media platforms.
On your social media platform, the hacker could claim to have forgotten your password. The site would respond by verifying that you are who you say you are via 2FA or OTP. In this event, the attacker would receive the OTP, log in, and reset your password.
How Does a SIM Swap Work?
At the ground level, SIM swap fraud happens when an attacker dupes your mobile carrier into switching your phone number over to the attacker’s SIM card. Make no mistake: the attacker isn’t doing this to prank you or to prove that they can.
The motive is straightforward: by redirecting your phone number, the hacker gains access to all your incoming messages and two-factor authentication codes, which were in place to secure your online accounts. Now the hacker can pretend to be you without raising any suspicion and get hold of your personal data.
What’s worse is that if you haven’t set up two-factor authentication, the hacker can use your phone number to deceive your online accounts into giving up your passwords and personal data. SIM hijacking isn’t uncommon. In fact, it’s pretty common around the globe and costs millions of dollars in damage each year, with attackers logging in to bank accounts, taking over social media or email accounts, and so on.
Justin Bieber was a victim of a SIM swap attack when his private photos from Selena Gomez’s account were exposed. Apart from the fear of having your private photos exposed, a SIM card hacker can affect other areas of your life.
The effects of SIM hijacking have had severe impacts on cryptocurrency investors as well. A SIM swap resulted in the theft of $23.8 million worth of tokens.
Is SIM Swapping Illegal?
Yes. It is an illegal activity, as it involves cloning someone’s real identity. Identity theft fraud is a serious crime, and SIM hijacking is no different.
SIM swap scams can give away your social media handles, giving the attacker an edge to stalk you (cyberstalking). Attackers can also gain access to your bank account details, credit card holder personal information, text messages, contact numbers and online accounts. Hackers then use these to get into online and social media accounts such as Facebook and Twitter, email logins and much more.
Measures to Take to Avoid SIM Swapping
If you’ve been a victim of a SIM hijacking attempt, there’s not much you can do to stop SIM hijackers from targeting you. If the attacker is skilled, they might actually take over your digital footprint.
On a brighter note, there are steps that you can take to limit the chances of a SIM swap attack ever happening to you.
- Online behavior: Be alert to phishing emails, such as a new email that looks like it’s from a friend, and to other ways cyber attackers may try to access your personal data to help them convince your bank or mobile carrier that they are you. You may wonder how fraudsters are able to answer your security questions. That’s where the data criminals have collected on you comes in.
- Account security: Increase your mobile account security with a unique, strong password and strong extra security questions and answers (Q&A) that only you know.
- PIN codes: If your carrier allows you to set a separate passcode or PIN for your communications, consider setting one. It could provide an additional layer of protection.
- IDs: Don’t build your security and identity authentication solely around your phone number. This includes text messaging (SMS), which is not encrypted.
- Authentication apps: You can use an authentication app such as Google Authenticator, which gives you 2FA but ties it to your physical device rather than your phone number.
- Bank and mobile carrier alert: Check whether your bank and mobile carrier can combine efforts, sharing their knowledge of SIM swap activity and implementing user alerts along with additional checks when a new SIM card is issued, for example.
- Behavioral analysis technology: Banks can use technology that analyzes customer behavior to help them discover and identify compromised devices, warning them not to send SMS passwords and other confidential info.
- Call-backs: Some organizations call customers back to make sure they are who they say they are when they are using their accounts — and to catch cybercriminals.
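One way a bank or online service could act on the SIM-change checks described in the list above, as an added example (not code from this article or from any carrier). The `SimSignal` lookup result, the 72-hour window and the action names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy values, chosen for illustration only.
SIM_CHANGE_QUARANTINE = timedelta(hours=72)
HIGH_RISK_ACTIONS = {"password_reset", "add_payee", "transfer"}


@dataclass
class SimSignal:
    """Hypothetical carrier answer about one phone number."""
    last_sim_change: Optional[datetime]  # None: carrier gave no answer
    ported_recently: bool = False


def sms_is_trustworthy(signal: SimSignal, now: datetime) -> bool:
    """Trust SMS only when the SIM is known not to have changed recently."""
    if signal.last_sim_change is None or signal.ported_recently:
        return False  # fail closed on missing data or a recent port-out
    return now - signal.last_sim_change >= SIM_CHANGE_QUARANTINE


def choose_second_factor(action: str, signal: SimSignal,
                         has_totp_app: bool, now: datetime) -> str:
    """Pick how to verify the user for this request."""
    if has_totp_app:
        return "totp_app"  # secret lives on the device, not the number
    if sms_is_trustworthy(signal, now):
        return "sms_otp"
    # SIM just changed or status unknown: a texted code may reach an attacker.
    if action in HIGH_RISK_ACTIONS:
        return "manual_review"  # hold the action, alert the user out of band
    return "sms_otp_with_alert"  # low risk: allow, but notify by e-mail


if __name__ == "__main__":
    now = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # constructed
    swapped = SimSignal(last_sim_change=now - timedelta(hours=2))
    stable = SimSignal(last_sim_change=now - timedelta(days=400))
    for name, sig in (("swapped", swapped), ("stable", stable)):
        print(name, choose_second_factor("password_reset", sig, False, now))
```

The check fails closed: when the carrier cannot say when the SIM last changed, a texted code is treated as untrusted for sensitive actions.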
How Do You Know if You’ve Been Affected?
The most common way to tell if you’ve been affected by a SIM swapping attack is to check whether you’re getting any signal on your device. In some instances, you may receive a notification stating that the SIM card for your account number has been changed. You should immediately call your carrier’s customer service if you didn’t make the change.
However, with your SIM card no longer active, you can’t call the customer representative from your own device.
What should you do if you’re a victim of a SIM swap fraud?
If you’ve just experienced a SIM swap hack, someone must really want your private data badly enough to trick your carrier’s support representative.
The moment you realize you’ve lost service on your mobile device, it’s best that you call your carrier immediately or head over to a franchise and explain the issue. Tell the representative that it’s not you who requested any changes.
Your carrier will help you recover access to your phone number. Make sure you don’t wait long after you’ve found out that you’re a victim. It’s a hassle that you’ll have to go through, but keep in mind that the longer a hacker has access to your number, the more time they have to cause added damage to you.
Here are the customer service numbers for each major carrier. Save your carrier’s customer support number in your phone as a contact:
- Sprint: 1-888-211-4727
- AT&T: 1-800-331-0500
- T-Mobile: 1-800-937-8997
- Verizon: 1-800-922-0204
Here’s what you can do yourself for each of the four major US carriers.
- Sprint customers: Log in to your account on Sprint.com then go to My Sprint > Profile and security > Security information and update the PIN or security questions then click Save.
- AT&T subscribers: Access your account profile, sign in, and then click Sign-in info. Select your wireless account if you have multiple AT&T accounts, then click on Manage extra security under the Wireless passcode section. Make your changes, then enter your password when prompted to save.
- T-Mobile users: Set up a PIN or passcode the first time you sign in to your My T-Mobile account. Pick Text messages or Security question and follow the prompts.
- Verizon Wireless customers: Call *611 and ask for a Port Freeze on your account, and visit this webpage to learn more about enabling Enhanced Authentication on your account.
Know that prevention is better than cure!