Between 2019 and 2020, the FBI received 320 complaints of SIM swap attacks, totaling an estimated $12 million in losses. In 2021 alone, the agency received more than 1,600 SIM swap complaints, inflicting estimated losses of $68 million. With SIM swapping on the rise, it’s important to understand how this type of account takeover works, what the risks are if you fall victim, and how to protect yourself.
SIM swapping is a technique criminals use to gain access to victims' bank accounts, crypto-currency accounts, and other sensitive information. Also known as SIM splitting or SIM jacking, this type of account takeover scheme targets SMS-based two-factor authentication (2FA), where the attacker intercepts the victim’s second factor verification codes to take over their account.
The scam usually begins outside the cellular realm, with the fraudster gathering personal details about the victim, either through social engineering (i.e. phishing emails), or by purchasing data dumps on the dark web resulted from data breaches.
With a phone number and other credentials in hand, the threat actor contacts the phone company to impersonate their owner, claiming they’ve lost their phone and demanding that they port their number to a new SIM card.
Sometimes, the attacker bribes one of the operator’s employees to port the number directly.
With the number ported to a SIM the fraudster controls, the victim loses connection to the network. The fraudster then uses the stolen credentials to access the victim’s accounts. Now in control of their 2FA layer, the criminal uses the incoming codes via SMS to take over the victim’s bank account or crypto wallet and steal their money.
While the main goal is to drain the victim’s bank account, the scheme is sometimes also used to extort the rightful owner or to sell the victim’s accounts on the black market to other criminals wanting to conduct identity theft schemes.
A number of high-profile hacks are known to have used SIM swapping, including a hack of Twitter CEO Jack Dorsey.
In 2018, crypto investor Michael Terpin – the founder and CEO of Transform Group – got swindled out of almost $24 million by a teenager through the use of data stolen from by SIM swaps.
More recently, a Florida man lost his entire life’s savings in a similar scam.
· Resist the urge to brag about financial assets or cryptocurrency investments on the web, especially on social media – it will draw the attention of criminals
· Don’t post your phone number or other personally identifiable information to the public domain
· Don’t give out your mobile number or account information over the phone or email, especially when you receive an unsolicited call – it’s likely a social engineering attempt
· Don’t store access credentials in plain text on your phone or computer
· Create strong, unique passwords for your various online accounts
· Avoid SMS-based 2FA. While it’s better than no 2FA at all, an attacker can still bypass this security layer using the SIM jacking method. To thwart attacks, use strong multi-factor authentication methods, like standalone authentication applications, biometrics or physical security keys
If you fall victim to SIM swapping, note that texting and calling may stop working, this being the first major sign that you have been hacked. Check your email and see if you’re getting messages about account changes – if you are, change your passwords immediately and enable a different 2FA method that doesn’t involve your phone number (as noted above).
If your friends ask you about strange social media activity stemming from your accounts and you were unaware of it, chances are you’ve been hacked. Remember to follow the steps outlined above to prevent this from happening.
SIM swapping can happen to anyone, so it’s important to take pro-active measures to combat this sneaky account takeover technique. Consider using a security solution on your mobile device to limit hackers’ chances of socially engineering you, or to infect your device with data-stealing malware. Learn more at https://www.bitdefender.com/solutions/.