SIM spoofing, SIM hijacking, SIM splitting, SIM swap scams
These are all different names for what is essentially one action: account takeover fraud. To make the attack work, the cybercriminal will first gather information on the mark, often by trawling the web and searching for every tidbit of data the potential victim may have shared. Evil-doers can also glean the victim’s personal information from known data breaches or leaks, or via social engineering techniques such as phishing and vishing, where the fraudster wheedles the information directly out of the target.
When enough information is on hand, the fraudster will contact the target’s mobile phone provider and trick its customer service representative into porting the telephone number to a SIM card owned by the criminal. More often than not, the scammer’s story will be something along the lines that the switch is needed due to the phone being stolen or lost.
Once the process is done, the victim will lose access to the cellular network and phone number, while the hacker will now receive the victim’s calls and text messages.
The real danger of SIM swap scams
Commonly, the point of this type of attack is to gain access to one or more of the target’s online accounts. The cybercriminal behind the attack is also banking on the assumption that the victim uses phone calls and text messages as a form of two-factor authentication (2FA).
If that’s the case, the fraudsters can wreak untold havoc on their victim’s digital and personal lives, including cleaning out bank accounts and maxing out credit cards, damaging the victim’s standing and credit with banks in the process.
The hackers could also access their victim’s social media accounts and download sensitive messages or private conversations that could be damaging in the long run. They could even post insulting messages and statuses that cause major reputational damage to their victims.
How to avoid being scammed
Start by limiting the personal information you share online. Avoid posting your full name, address, or phone number. You should also avoid oversharing details from your personal life: chances are that some of those details appear in the answers to the security questions used to verify your identity.
When it comes to using 2FA, you might want to reconsider SMS text messages and phone calls being your only form of additional authentication. Instead, opt for using other forms of two-factor authentication, such as an authentication app or a hardware authentication device.
Phishing emails are also a popular way for cybercriminals to obtain sensitive information. They do so by impersonating a trusted institution, relying on the assumption that you won’t hesitate to answer their questions or scrutinize the emails too closely. While many of the phishing emails will be caught by your spam filters, you should also educate yourself on how to spot a phish.
Telecom companies are also working towards protecting their clients. Vodafone, for example, uses number locks that protect its customers against potential SIM swap scams, while its US counterparts offer the option of additional authentication in the form of PIN codes, passcodes, and additional security questions. You should check with your provider to learn how to enable such features, should they offer them.
While SIM swap scams are ever-present and a threat to everybody, there are ways to protect yourself. Taking one or more of the steps outlined in this article can help lower your chances of falling victim to such an attack. Additionally, you can contact our customer support to inquire about any supplementary security services TRASTRA provides to lock down your account.