Imagine that you’re sitting at the dinner table, and your phone suddenly comes alive with debit alert after debit alert. You can see the transactions pouring in, and your account balance trickling away, but can do nothing about it. You try calling for help, but the line won’t connect; texting isn’t an option either. You’ve become the latest victim of a SIM-swap attack, and you’re trapped — it’s a horrific experience. Read on to find out what a SIM swap is and what you can do to prevent it from happening to you.
What is SIM swapping, and how does it work?
SIM swapping, also known as SIM jacking, is a fraudulent way of gaining access to someone’s mobile number. It happens when a criminal convinces your cell phone provider to transfer your phone number to a different SIM card, usually one in their possession. If they succeed, you’re automatically at a disadvantage.
Here’s why. Fraudsters can swap your SIM from the comfort of their homes, provided they have your personal data. You, on the other hand, lose service once the swap is complete, and you can only reclaim your line after visiting the carrier in person and proving that you are the account owner.
Interestingly, the hacker doesn’t even need to have any advanced technical knowledge: a SIM card and a phone call to your provider are sufficient. Of course, they have to provide some personal information, but that’s fairly easy to get these days through social media accounts and even data exposed in wide-scale breaches. With such information, cybercriminals can trick mobile service employees into switching your number to a SIM card in their possession.
What do fraudsters stand to gain from swapping your SIM?
In a word: Access.
Your SIM is a gate pass to many essential services. You use it to receive calls and texts, and it’s most likely tied to your bank, email, and social media accounts for two-factor authentication (2FA) requests. With all this information at their fingertips, fraudsters could log into these accounts and empty them, as well as gain access to your contacts. That makes it easier for them to scam friends and family.
Two-factor authentication (2FA) is designed to increase security on the internet. Rather than simply logging into online accounts with a password, 2FA requires you to type in a time-limited code before gaining full entry. It is widespread for the extra security it provides, since malicious parties have to control both your password and your phone to infiltrate your accounts.
Unfortunately, the system’s strength is also part of its weakness. Authentication codes are usually sent via emails, mobile numbers, and authentication apps, meaning that entry lies with whoever possesses your card or phone. This is unlike fingerprint or face ID, which require your physical presence. Cybercriminals know this and try to leverage that loophole when they access your mobile phone.
Government entities and carriers are attempting to combat SIM swapping. The FCC announced late last year that it was drafting rules to fight SIM swapping and port-out fraud. While that’s in the works, T-Mobile already implemented some in-house protocols to improve the system: changing a SIM card will now require SMS verification or approval from two carrier employees instead of one manager alone. It’s not foolproof, but it’s a step in the right direction.
What are the signs of a SIM swap fraud?
During a SIM swap, the earlier you can reverse the changes to your accounts, the better. If you notice any of the following warning signs, contact your cell phone provider immediately, as you might be under attack.
- You are locked out of your phone’s online account.
- Your phone loses service, or you cannot receive calls or texts even with good reception.
- You receive phone service notifications for actions you didn’t take.
How to prevent SIM swapping
The cost of a SIM swap could be catastrophic. Your best bet is to take precautions to avoid falling victim in the first place. Here are a few steps you can take to stay safe.
1. Protect your phone and SIM
Most phones ship with some form of protection, including PINs, passwords, patterns, fingerprint scanning, and facial recognition. The latter two are quite common in modern devices, so enable them to add another layer of security.
Aside from your phone, you should also protect your physical SIM. You can lock it with a numerical PIN that you must enter every time you restart your device. Your Android device or iPhone should allow you to create a PIN in Settings. Just make sure you don’t use your birthday or that of someone important to you.
2. Lock your phone number with your service provider
Many network service providers offer Port Freeze or Number Lock to protect your mobile number from unauthorized transfer. Once activated, your number cannot be ported to another line or carrier unless you remove the lock, either with a PIN or by walking into the store. If your carrier allows this feature, it’s an excellent way to beef up your SIM protection.
3. Use strong passwords and security questions
If you still use your birthday or middle name as a password, it’s time to stop. You need to come up with a strong password that is nearly impossible to guess: something with at least 12 characters, including different letter cases, numbers, or special symbols. It’s also good practice to use different passwords for different accounts so that a breach of one doesn’t become a breach of all.
But how do you remember so many passwords? You don’t. Instead, take advantage of password managers to store them. Aside from strengthening your passwords, you should also try to select identity questions that even close acquaintances would struggle to guess.
4. Turn on two-factor authentication
2FA is another way to quickly add an extra layer of security to your accounts. Log into platforms that enable 2FA, such as Google, turn it on, and that’s it. You can even make it more secure by eliminating the risk associated with SMS-based authentication. Use 2FA applications like Google Authenticator or Authy whenever possible.
5. Enable biometric authentication on your device
Passwords, PINs, and 2FAs are great. But face and touch ID offer a level of protection that exceeds those simply because they require your physical presence to work.
Whenever possible, use mobile apps and services that support two-factor biometrics. That way, even if thieves get their hands on your phone number, they won’t be able to bypass the biometric barrier.
6. Limit how much personal information you share online
Fraudsters can take advantage of even the most minute details to convince your carrier that they are you. So avoid posting your full name, address, phone number, and date of birth on public platforms. Also, resist the urge to overshare details of your personal life like your pet’s name, best friend’s location, favorite food, etc., on social media. You may have included them in some online security questions to verify your identity.
7. Be wary of phishing emails, texts, and calls
Phishing is almost as old as the internet. It’s a social engineering attack often used to steal login credentials, credit card numbers, and other user data. Phishing usually involves criminals trying to impersonate reputable institutions, such as banks, government institutions, and health offices, assuming that you won’t hesitate to answer their questions or scrutinize their emails because you trust these organizations.
However, note that your bank, the government, or any reputable health office will never ask for your personal information online. If you receive such calls or messages, hang up or delete them even if they seem to be legit. You can always contact the agency to confirm the outreach.