Scam Alert: SIM Swapping

Smartphones are central to our lives: they hold our personal data and our contacts, and they often serve as our primary mode of communication. They are the access point to our online lives, and most of us protect them as such. We buy insurance to cover them against damage and keep them close at almost all times. Losing service unexpectedly would be extremely disruptive, and that is exactly what happens when you fall victim to SIM swapping.

SIM swapping is when a bad actor coerces a mobile service provider into switching your phone number to the scammer's SIM card. A scammer may use social engineering techniques to convince the rep that he is the rightful owner of the phone number. This may include sharing personal information found on your social media profile or elsewhere on the internet. The rep could even be an insider threat: someone in on the scam for their own personal gain. Regardless of how the SIM is switched, once it's done, it can be a disaster for your online accounts.

After a recent data breach, an undisclosed number of T-Mobile customers were affected by SIM swapping. And when a ZDNet contributor fell victim, a hacker took over his Gmail account and his Twitter account and purchased $25K worth of bitcoin! You may be surprised to hear that, in this case, the reason the hacker was able to take over so many accounts is related to a good security practice: multi-factor authentication.

As a refresher, multi-factor authentication (MFA) is a security protocol that requires a user to enter a username and password plus another piece of information, usually a code, to access an account. That code can arrive by text message or be generated by an app. The problem occurs when MFA is configured to deliver the code by text. In that setup, once your phone number is stolen via SIM swapping, the hacker receives the MFA code. With that code, they may be able to reset certain accounts and wreak havoc in your online life.

We want to be clear that we at Cyber Safe Workforce still recommend using MFA wherever it is available. If you have the choice between getting the code from an app or from a text, always choose the app. It is the more secure option: if your phone number is SIM swapped, the MFA codes for your online accounts are still generated by the app on the phone in your hand, out of the SIM swapper's reach. To help avoid SIM swapping altogether, call your service provider to set up a PIN. Once a PIN is associated with your account, changes can only be made if the PIN is confirmed. This way, a scammer cannot use found or stolen personal information to socially engineer the service provider representative.
