Social engineering is still one of the most popular tools cybercriminals use in cyber attacks. Targeting the human aspect of cybersecurity, social engineering can occur in any form in which sensitive information can be gathered: through email, face-to-face interactions or even a phone call. Here, we explain one of the newest phishing-style attacks, SIM swapping, and provide tips on how to avoid it.
What is SIM swapping?
SIM swapping, also known as SIM hijacking or SIM splitting, is a method in which cybercriminals take over a victim's mobile phone number by tricking the mobile carrier. Think about it: we use our phones for practically everything, including work, email, online shopping, games, social media and banking. Even your washer and dryer can be accessed through your mobile device (too bad it can’t fold the laundry). The copious amounts of data that reside on our mobile phones and tablets make these devices a potential gold mine in the hands of a cybercriminal.
How does it work?
In a SIM hijacking or swapping attack, cybercriminals first use social engineering to gather information about their victim. Once enough information has been collected, the victim’s mobile carrier is contacted. The cybercriminal presents themselves as the victim and asks the provider to port the victim’s phone number to a SIM card in the cybercriminal’s possession, often backed by an elaborate story about a lost, stolen or broken phone. The security questions asked by the mobile provider are answered using the information gathered in the social engineering phase. A convincing tale coupled with enough personal information to satisfy the mobile carrier can lead the provider to unknowingly hand over control of the number via the SIM swap.
Once the number is swapped to the cybercriminal’s SIM card, the victim immediately loses access to their phone number and network. All calls and texts meant for the victim now go to the scammer’s phone. With access to your texts and calls, cybercriminals can request that companies send them temporary login codes via text for many “secure” websites such as Google and Twitter. This may sound familiar: in 2019 Twitter CEO Jack Dorsey’s own Twitter account was hacked via a SIM swap scam.
Cybercriminals can also use your number to bypass two-factor authentication. For this scam to work, the cybercriminals will already have obtained a login and password (usually from a data breach) but have been unable to access the account because a second form of authentication is required. One common form is a numerical code sent to a mobile phone via SMS text message. The ability to intercept these text messages can allow scammers to pry open even the most secure accounts.
How can I protect myself?
You do not have to become a statistic of cybercrime. There are simple steps you can take to ensure your information (and your organization’s information) is protected:
- Limit the information you share online. Less is more. Think about the type of information you provide for security questions when verifying your identity: full name, address or telephone number. Never share this information on your social media profiles or anywhere else online. Another helpful tip: you do not necessarily need to provide “real” information when setting up your security questions. For example, you could list your favorite vacation destination instead of your city of birth. Sure, it may be easier to remember the “real” information. However, given the wealth of data that can be found online today, the “real” information can be accessed in a few clicks, exposing your pet’s name, mother’s maiden name, city of birth and more. The only downside is that you will have to remember which information you provided and where. One great way to do this is by using a password manager.
- Use a password manager. A password manager is a program that allows you to store, generate and manage your passwords for local applications and online services. It can generate complex passwords, store them in an encrypted database and retrieve them with a click of your mouse. Some great password managers include NordPass, Keeper and 1Password.
- Be aware of phishing. Now that you have stopped sharing too much information online, you need to be cautious of emails requesting your personal information. The best way to confirm whether an email is legitimate is to look up the service provider’s real phone number yourself (not the one given in the email) and contact them directly. Remember, information that has already leaked online should be considered “public” and accessible to anyone with enough motivation to find it, sometimes months or even years down the road. After all, how often do you change your phone number?
Organizations allowing the use of mobile devices to conduct business should take the following steps to keep the organization’s information secure in the event of a SIM swap attack on an employee:
- Establish a mobile device security policy. Before a mobile device is given to an employee, they must understand the security risks of smartphone use and the measures they can take to mitigate those risks. Well-informed, responsible users are your first line of defense against cyber attacks.
- Establish a bring your own device policy. While issuing mobile devices to your employees is the most secure option, many companies allow their employees to use their personal devices for company business. If this is the policy in your organization, make sure you have a formal Bring Your Own Device (BYOD) policy in place.
- Keep devices updated with the most current software and antivirus programs. Software updates to mobile devices often include patches for various security holes that can potentially be an open door for mobile malware and other security threats. Therefore, always install updates as soon as they become available.
- Back up device content on a regular basis. Mobile devices need to be backed up regularly, just as you would back up your computer data. If a device is lost or stolen, you’ll have peace of mind knowing your organization’s valuable data is safe and can be restored.
- Choose passwords carefully. Establish password policies for your organization so that your employees are adept at creating secure passwords.
While nothing is a 100% guarantee, being well versed in information security practices will help you keep your information and your organization’s information safe and secure on all devices.