These days we all use our smartphones to organise many aspects of our lives. We access both our personal and business emails, we interact via instant messaging with friends, family and colleagues and we will sometimes access documents and data from our business networks. Many of us also use our mobile devices to access both personal and business bank accounts. What if your mobile phone account was effectively stolen by a scammer?
SIM swap identity fraud has grown by over 400% over the past 5 years. In one case hackers accessed the Twitter account of a business owner, posting racist tweets and praising Adolf Hitler. And in many other cases, people have lost thousands of pounds to fraudsters without even knowing their accounts had been compromised.
In this post we look at SIM swap fraud and what you need to do to keep yourself and your business safe.
What is SIM Swapping?
SIM swapping refers to an account takeover technique that exploits a mobile phone service provider’s capability to reassign a telephone number to a device containing a different SIM (subscriber identification module).
Fraudsters research and gather personal information on a victim that enables them to contact the victim’s phone service provider and convince it to port the victim’s phone number to their SIM. They exploit the facility the provider offers for dealing with lost or stolen phones or for switching to a new device.
SIM Swap Fraud
Once the SIM swap has taken place, the victim’s phone loses its connection to the network and the fraudster’s phone receives all SMS messages and voice calls sent to the victim’s number. This allows the fraudster to intercept bank authorisations sent via SMS, and any other codes, such as PayPal authorisations, that are sent to the mobile number. If your telephone number is associated with a number of different accounts that use two-factor authentication, the fraudster can then proceed to reset your passwords and gain access to all of these accounts.
SIM swap fraud is also known as SIM splitting, simjacking, SIM hijacking, or port-out scamming. The number of people in the UK falling victim to this crime has grown enormously since 2015, resulting in losses of more than £10 million to UK consumers.
Are You a SIM Swap Attack Victim?
SIM swap attacks can sometimes go unnoticed long enough for criminals to gain access to accounts, transfer money and change passwords. Here are some of the key signs of possible SIM swapping.
SIM Swap Notification: If you receive a notification from your phone service provider telling you that a SIM swap has been initiated, don’t ignore it - act immediately. Contact your phone service provider and tell them that this was not initiated by you and that it is likely to be fraudulent.
Loss of phone service: If your mobile device unexpectedly loses service this can be an indication that a SIM swap has occurred. Of course, there are other potential causes for a loss of mobile service - but if you have lost service from a location where the phone service has always been reliable, this can be a sign of an account takeover. Contact your phone service provider immediately and let them know.
Call and message flooding: Fraudsters will sometimes send a flood of bogus calls and messages to a victim’s mobile number to get them to turn their phone off, enabling the fraudsters to carry out the SIM swap without the victim noticing the loss of service. If you notice this, don’t turn off your phone, and stay vigilant.
Phishing awareness: SIM swap fraud relies on the fraudster being able to impersonate the victim when communicating with the phone service provider. They will need to collect personal information such as date of birth, mother’s maiden name, etc. Never respond to any communications seeking this data and be careful what you post to social media sites.
How to Prevent SIM Swap Fraud
Awareness goes a long way toward avoiding SIM swap fraud. If you and your staff use mobile devices for both personal and business purposes it’s essential that everyone is fully aware of the risks, the signs to look out for and how to safely and securely use their devices. Here are some key points that will help maintain security.
- Make certain that everyone is aware of the need to keep personal information such as dates of birth, schools, mother’s maiden names, pet names and whatever might have been used to establish accounts, entirely safe and secure. Staff should be briefed on how to avoid phishing scams and told not to open attachments or click on shared links. Look out for suspicious emails or SMS messages and never open or forward them.
- Ensure that mobile phone and computer software is always up to date and install appropriate antivirus software.
- As previously noted, look out for a sudden deluge of suspicious calls or messages, as these may precede an attempted SIM swap. Be aware of any prolonged phone service outage, which should be checked with your service provider.
- Look out for any unsolicited messages from your service provider about your SIM being ported or a PAC request and contact your service provider immediately if you receive one.
- Protect your mobile account with a strong password and use random answers to the security questions.
- Tighten up your social media profiles to ensure that they are not disclosing any personal information and that only people you know have access to your profile.
- Contact your bank(s) immediately if you suspect a fraudster is attempting to gain access to your accounts.
- Stop using your mobile phone number as the facility for password resets for any accounts. Use two-factor authentication via a secure authentication application such as Microsoft Authenticator.
SIM swap fraud is a growing problem for both individuals and businesses. With more people working remotely and routinely accessing both personal and business accounts via their mobile devices, rigorous mobile security precautions are essential.