
How SIM Swapping Attacks Work and How to Protect Yourself

Filip TRUȚĂ

November 25, 2022


Between 2019 and 2020, the FBI received 320 complaints of SIM swap attacks, totaling an estimated $12 million in losses. In 2021 alone, the agency received more than 1,600 SIM swap complaints, inflicting estimated losses of $68 million. With SIM swapping on the rise, it’s important to understand how this type of account takeover works, what the risks are if you fall victim, and how to protect yourself.

SIM swapping is a technique criminals use to gain access to victims' bank accounts, cryptocurrency accounts, and other sensitive information. Also known as SIM splitting or SIM jacking, this type of account takeover scheme targets SMS-based two-factor authentication (2FA), where the attacker intercepts the victim’s second-factor verification codes to take over their account.

How SIM swapping works

The scam usually begins outside the cellular realm, with the fraudster gathering personal details about the victim, either through social engineering (e.g., phishing emails) or by purchasing data dumps on the dark web that resulted from data breaches.

With a phone number and other credentials in hand, the threat actor contacts the phone company and impersonates the number’s owner, claiming to have lost the phone and demanding that the carrier port the number to a new SIM card.

Sometimes, the attacker bribes one of the operator’s employees to port the number directly.

With the number ported to a SIM the fraudster controls, the victim loses connection to the network. The fraudster then uses the stolen credentials to access the victim’s accounts. Now in control of the victim’s 2FA layer, the criminal uses the codes arriving via SMS to take over the victim’s bank account or crypto wallet and steal their money.

What happens if you fall victim

While the main goal is to drain the victim’s bank account, the scheme is sometimes also used to extort the rightful owner or to sell the victim’s accounts on the black market to other criminals wanting to conduct identity theft schemes.

A number of high-profile hacks are known to have used SIM swapping, including a hack of Twitter CEO Jack Dorsey.

In 2018, crypto investor Michael Terpin – the founder and CEO of Transform Group – got swindled out of almost $24 million by a teenager through the use of data stolen through SIM swaps.

More recently, a Florida man lost his entire life’s savings in a similar scam.

How to protect yourself

·      Resist the urge to brag about financial assets or cryptocurrency investments on the web, especially on social media – it will draw the attention of criminals

·      Don’t post your phone number or other personally identifiable information to the public domain

·      Don’t give out your mobile number or account information over the phone or email, especially when you receive an unsolicited call – it’s likely a social engineering attempt

·      Don’t store access credentials in plain text on your phone or computer

·      Create strong, unique passwords for your various online accounts

·      Avoid SMS-based 2FA. While it’s better than no 2FA at all, an attacker can still bypass this security layer using the SIM jacking method. To thwart attacks, use strong multi-factor authentication methods, like standalone authentication applications, biometrics or physical security keys

If you fall victim to SIM swapping, texting and calling may stop working; this is the first major sign that you have been hacked. Check your email and see if you’re getting messages about account changes – if you are, change your passwords immediately and enable a different 2FA method that doesn’t involve your phone number (as noted above).

If your friends ask you about strange social media activity stemming from your accounts and you were unaware of it, chances are you’ve been hacked. Remember to follow the steps outlined above to prevent this from happening.

SIM swapping can happen to anyone, so it’s important to take proactive measures to combat this sneaky account takeover technique. Consider using a security solution on your mobile device to limit hackers’ chances of socially engineering you or infecting your device with data-stealing malware. Learn more at https://www.bitdefender.com/solutions/.
