Ing + McKee

Cyber Bytes: What Is a Phone SIM Swap?

June 14, 2023

Most businesses use multifactor authentication (MFA) in their cybersecurity models. With MFA, you must provide multiple verification factors before you are granted access to a network.

In addition to entering your usual login credentials, MFA requires you to enter a secret code generated through an automated call or text. The code is an added layer of security that verifies your identity. It is intended to prevent fraudsters from stealing and using your login credentials without your knowledge.

But MFA is only as secure as your phone is. There’s usually a criminal exploit for every fail-safe defense, and MFA is no different. You don’t even have to lose your phone to be a victim.

Your phone has an identity that can be stolen

Most phones use subscriber identity module (SIM) cards: semiconductor chips used to connect to the mobile network. A SIM contains identifying information about your phone. Wireless providers sometimes swap SIM cards to transfer mobile phone data for use in a different phone.

SIMs typically contain data required to connect and authenticate users on a wireless carrier’s network, such as their:

  • Contact lists
  • Stored texts
  • Location
  • Subscriber identity
  • Mobile phone number
  • Network authorization data
  • Personal security keys

Types of SIMs

A few types of SIMs are:

  • Mini (the first and largest semiconductor chip of its kind, rarely used in phones)
  • Micro (a smaller chip than the mini, used in some phones and tablets)
  • Nano (an even tinier chip than the micro, used in many phones)
  • Embedded or “eSIM” (fused into the device for better security)

SIMs are different from secure digital (SD) cards. SD cards are miniature high-capacity memory cards used in portable devices to store data like documents and media files. A SIM has minimal storage capacity since its primary purpose is to connect and verify you on a carrier network.

But even the minimal information on a SIM card can help a criminal access lucrative targets, like your accounts.

Faking phones: SIM swapping as a crime

The FBI Internet Crime Complaint Center (IC3) received 1,611 SIM swapping complaints in 2021, with adjusted losses estimated at $68 million. That represented a huge increase over the 320 complaints IC3 received from 2018 to 2020, with around $12 million in losses.

In just ten months, the CRTC, Canada’s telecom regulator, documented 24,627 cases of potential phone number fraud, according to an investigative report from The Globe and Mail, including 3,038 suspected SIM swaps.

Here’s how illegal SIM swapping works: Criminals contact your service provider pretending to be you. They give the service representative a bogus story, like a lost or damaged phone, asking them to activate a new SIM card.

Once the card is activated, your phone’s information is transferred to the fraudster’s device. They use it to intercept your calls and texts, including MFA codes. With access to your phone number and MFA, changing passwords on your accounts won’t take long.

You can see where it goes from there.

SIM swaps usually lead to bigger scams, like identity and account theft. For example, a court sentenced a Florida man to 18 months in prison and ordered him to pay over $20 million for his participation in a SIM-swapping crime gang. According to the Department of Justice, the operation netted over $20 million in stolen cryptocurrency.

You might wonder about your wireless providers’ verification process to prevent these scams. As mentioned before, fail-safes usually have workarounds.

How scammers get around the service representative verification

Before a customer service rep initiates a SIM swap, they must verify your identity using information like:

  • The last three digits of your Social Insurance number
  • Your account PIN
  • Security questions
  • Your driver’s license number

But this verification process might do little to deter a fraudulent swap. Scammers may already have enough of your personal information from a previous data breach to answer your security questions. This personal information could come from:

  • Previous phishing attacks
  • Malware
  • Social media research
  • Data purchased on the dark web

Your stolen data is the scammer’s ticket to conning a customer service rep into authenticating a SIM swap.

Threat actors often pull fraudulent SIM swaps when you’re less likely to notice issues with a device, like when you’re asleep. Signs of a SIM swap are:

  • Inability to make or receive phone calls or texts
  • A notification from your service provider that your SIM activation was successful
  • Transactions you don’t remember or recognize
  • Inability to access accounts
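
The sequence described above, a SIM activation followed shortly by password changes verified by text message, can also be checked on the service side. The sketch below is an added example, not code from the original article; the event names, fields and sample records are assumptions constructed for illustration, and timestamps are assumed to be in the account holder's local time.

```python
from datetime import datetime, timedelta

# Constructed sample events for one account (not real data).
# The event types and field names are assumptions made for this example.
EVENTS = [
    {"time": "2023-06-01T02:10:00", "type": "sim_changed"},
    {"time": "2023-06-01T02:25:00", "type": "password_reset", "factor": "sms"},
    {"time": "2023-06-01T02:31:00", "type": "password_reset", "factor": "authenticator_app"},
    {"time": "2023-06-09T14:00:00", "type": "password_reset", "factor": "sms"},
]


def risky_resets(events, window_hours=72, night=(0, 6)):
    """Return SMS-verified password resets made soon after a SIM change.

    A text-message code only proves control of the phone number, so a reset
    that follows a SIM activation within `window_hours` deserves a hold or
    extra verification. `night` is the local-hour range treated as overnight.
    """
    window = timedelta(hours=window_hours)
    last_sim_change = None
    flagged = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["type"] == "sim_changed":
            last_sim_change = when
            continue
        if ev["type"] != "password_reset" or ev.get("factor") != "sms":
            continue  # resets verified by an app or token do not depend on the SIM
        if last_sim_change is None or when - last_sim_change > window:
            continue  # no recent SIM change on record
        flagged.append({
            "time": ev["time"],
            "minutes_since_sim_change": int((when - last_sim_change).total_seconds() // 60),
            # Swaps timed for when the owner is asleep are a stronger signal
            "overnight": night[0] <= last_sim_change.hour < night[1],
        })
    return flagged


if __name__ == "__main__":
    for hit in risky_resets(EVENTS):
        print(hit)
```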

If you’re a victim of a swap

If you suspect a criminal hijacked your phone, then:

  • Contact your mobile provider immediately to regain control of your phone number.
  • Access your accounts and change all your passwords.
  • Contact your banking institutions about suspicious logins or transactions.
  • Report the SIM swap to your local law enforcement agency.

Safeguard your data

The FBI offers these security recommendations:

  • Don’t announce information about your financial assets on social media websites or forums.
  • Avoid posting personal information online, especially information that can tip off fraudsters about your challenge questions, e.g., a pet’s name or your grandmother’s surname.
  • Don’t provide your mobile account information to representatives soliciting you. Most providers will not call you directly. Instead, hang up and contact the service provider directly.
  • Use a unique password for each of your online accounts.
  • Be aware of any changes in wireless or messaging connectivity.
  • Use strong MFA methods (biometrics or physical security tokens) or stand-alone authentication applications to access online accounts.
  • Don’t store passwords, usernames or other personal information for easy login from your mobile device applications.
  • Don’t click links from unknown senders or unexpected links. If you’re unsure about a link, call the person to verify they sent it.
  • Don’t click authorization codes you did not request. Hackers sometimes use brute force attacks that wear down your patience until you click the verification link.

Don’t fall for phishing bait pressing you to take swift action or face severe consequences, like freezing your account. Scare tactics bully you into giving up personal information for use in bigger swindles like SIM swaps.

Instead, call your service provider directly to flag suspicious contact. If it’s a fraud, you’ll be helping the good guys swap out the tricksters and their schemes, and protecting yourself in the process.
