September 15, 2020
SIM swap scamming—also known as SIM splitting, SIM hijacking, or SIM port-outs—is a type of fraud that scammers can use to steal your identity and gain access to your online accounts and banking through your phone.
The scam itself is fairly simple and takes advantage of weaknesses in two-factor authentication schemes and exploits patterns in passwords people use.
Here’s a quick explainer on how it’s done, and what you need to know to protect yourself from this dangerous scam.
Think about your phone for a moment and all the apps it has on it. More importantly, think about all the sensitive information your phone might have access to: bank accounts, emails, credit cards, addresses, passwords, and more. All of that information is valuable to someone trying to steal your identity or defraud you.
The scammer starts by gathering personal information about you: personal information shared on social media, login info stolen with phishing emails, and malware downloaded on your computer are all common tools to gain this information.
Next, the scammer contacts your mobile service provider. The scammer pretends to be you and explains that “you’ve” lost your SIM card or need help switching to a new phone. They then ask the representative on the phone to move your phone number over to a new SIM card the scammer owns. This transfers, or “ports”, your existing phone number to their new SIM card.
The service representative will no doubt ask them security questions you provided when you signed on with your provider. This is where that information they found about you comes into use: it is very common for passwords and security questions to be things that are familiar to us and easy to remember: birthdays, names of relatives, places you’ve lived, etc. This information is not difficult for the scammer to find out using the techniques mentioned earlier.
Having fooled the service representative, they now control a phone number associated with your accounts. The first thing they’re going to do is look through apps that you’re likely to use, especially valuable banking apps. If those apps require two-factor authentication, the authentication codes will be sent via text message to your phone number, which they now have access to through the port they performed earlier.
And just like that, they’re in. You might start seeing social media posts you didn’t make, you’ll be unable to make calls or send texts, and you’ll be locked out of all your most important apps. Worse yet: fraud alerts from your bank or credit cards don’t even reach you because your phone number is now controlled by the scammer.
While it’s extremely difficult to know whether you’re completely protected from this kind of scam, there are a number of things you can do right now to reduce the risk:
Furthermore, if you’re given the choice, avoid using text message-based authentication, and use app- or email-based options instead. Given enough time, a scammer might still be able to get through this, but at the very least it buys you time to contact your service provider and report the fraud.
Note: if you’re using an authentication app don’t forget to create, print, and store manual authentication codes in a safe place in case of an emergency like this!
It’s easy to forget that social media is accessible outside of your circle of friends and family and accidentally overshare. Even seemingly innocuous information like birthday wishes, your pets, family members, or where you grew up can be used to build a profile that answers security questions. Try to avoid sharing personal information, especially if that information is also frequently used in security questions. If possible, use custom security questions rather than common defaults like mother’s maiden name, pet’s name, or what high school you attended.
If you receive an email or text that asks you to update account information, confirm a password, or provide any sensitive personal information, check it very carefully. Is it from an email address you recognize? If you’re not sure, it might be a phishing email or text. If you’re in doubt, talk to a real person before you put information in an email. Even better: only verify or change information by visiting an official website rather than clicking links.
Let’s face it, people are terrible with passwords. Even though we know we should use long, random passwords like ‘uI6?fW9&xN0!d$E9’, we get lazy and use the easier-to-remember ‘Fido123’ instead. A password manager makes it easy to generate strong passwords, store them securely, and even share them between devices so you can log in to everything from anywhere. Check out online password managers like LastPass or Fastlane, which make managing passwords a snap.
Finally, if you think your phone number has been compromised, contact your service provider and financial institutions immediately. The longer you wait, the more time you give the scammer to hack into your apps.