Criminals Are Using SIM Swap Attacks to Steal Millions
The FBI Recently Warned Regarding This Technique.
Last updated on February 10, 2022
According to reports obtained by the FBI via the Internet Crime Complaint Center (IC3) in 2021, the number of complaints received from the general public in the United States is almost fivefold from 2018. The amount of claimed losses have also increased nearly fivefold.
As reported by BleepingComputer, the FBI warning comes after the Federal Communications Commission (FCC) of the United States stated in October that it had begun working on legislation that would put a stop to SIM swapping assaults in the country.
As a consequence of multiple consumer complaints, the Federal Communications Commission acted in order to protect customers from considerable anguish and financial loss as a result of SIM switching assaults and port-out fraud.
The Federal Bureau of Investigation is issuing this announcement to inform mobile carriers and the public of the increasing use of Subscriber Identity Module (SIM) swapping by criminals to steal money from fiat and virtual currency accounts. From January 2018 to December 2020, the FBI Internet Crime Complaint Center (IC3) received 320 complaints related to SIM swapping incidents with adjusted losses of approximately $12 million. In 2021, IC3 received 1,611 SIM swapping complaints with adjusted losses of more than $68 million.
HOW A SIM SWAP SCHEME WORKS
SIM swapping is a malicious technique where criminal actors target mobile carriers to gain access to victims’ bank accounts, virtual currency accounts, and other sensitive information. Criminal actors primarily conduct SIM swap schemes using social engineering, insider threat, or phishing techniques. Social engineering involves a criminal actor impersonating a victim and tricking the mobile carrier into switching the victim’s mobile number to a SIM card in the criminal’s possession. Criminal actors using insider threat to conduct SIM swap schemes pay off a mobile carrier employee to switch a victim’s mobile number to a SIM card in the criminal’s possession. Criminal actors often use phishing techniques to deceive employees into downloading malware used to hack mobile carrier systems that carry out SIM swaps.
Once the SIM is swapped, the victim’s calls, texts, and other data are diverted to the criminal’s device. This access allows criminals to send ‘Forgot Password’ or ‘Account Recovery’ requests to the victim’s email and other online accounts associated with the victim’s mobile telephone number. Using SMS-based two-factor authentication, mobile application providers send a link or one-time passcode via text to the victim’s number, now owned by the criminal, to access accounts. The criminal uses the codes to login and reset passwords, gaining control of online accounts associated with the victim’s phone profile.
Also known as SIM splitting, simjacking, SIM hijacking, and port-out scamming, SIM swapping is a type of fraud that targets your personal information so that cybercriminals can pass themselves off as you and access your bank accounts. In short, the fraud takes aim at moving control of someone’s phone account from their SIM card to one controlled by the hacker. In general, most victims don’t know they’ve been compromised until they try to place a call or send a text message which doesn’t go through.
The fraudsters do this by tricking phone service providers into shifting a target’s phone number to attacker-controlled SIM cards, either via social engineering or with the assistance of one or more bribed staff at the service provider.
The crooks would get the victims’ calls and messages once the SIM has been moved, making it extremely easy for them to circumvent SMS-based multi-factor authentication, steal passwords, and take control of their victims’ online service accounts.
In the great majority of cases, SIM swappers are motivated by financial gain, and they often target their victims’ online banking and cryptocurrency exchange accounts in order to steal money and virtual assets, as well as to lock their victims out their accounts by changing their passwords.
How to Protect Yourself from a SIM Card Swap Attack:
Never reply to calls, emails, or text messages that ask for your personal information. They’re most likely phishing attempts by scammers looking to get personal information to access your mobile phone, bank account, social media, or other accounts. If by any chance you get such a request, you should try to contact that particular company using an official phone number or website.
Mark my words: you should limit the personal information you share online as much as you can. Avoid disclosing your full name, sharing your address, or phone number on public websites. There’s nothing easier for an identity thief to track down that content, use it to answer the security questions required to authenticate your identity, and log in to your personal accounts.
Always set up a PIN or password with your service provider to access your phone for any online or phone interactions. This way, you can help protect your account from unauthorized changes. You can always check for more details on how to do this on your provider’s website.
Never use the same passwords/PINs/usernames over multiple accounts. Instead, create a strong, unique password for your sensitive personal/financial accounts. For more actionable tips on this subject, you can read our password security guide.
If You’re the Target of a SIM Swap Scam
Immediately contact your service provider to take back control of your phone number. After you re-gain access, change your account passwords.
If you notice any unauthorized charges on your credit card, bank, and other financial accounts, immediately report them to the institution in question. Additionally, you should put a security freeze on your credit report. In case of identity theft, it will prevent any openings of new accounts in your name.
Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.