The Federal Bureau of Investigation has warned of a surge in Subscriber Identity Module (SIM) swapping schemes that inflicted $68 million in losses in 2021, a sharp increase from the roughly $12 million in losses reported to the FBI for the whole of 2018 through 2020.
Most people are aware of the various dangers lurking in the dark corners of the online world, such as malware or phishing schemes. When criminals succeed with any of these attacks, it usually involves a victim who mistakenly clicks on a link or installs a malicious app. SIM swapping attacks, though, require no action from the victim at all, which makes them all the more dangerous.
In most SIM swapping attacks, criminals persuade a mobile phone operator to move a number to a SIM card they control. Because one-time codes and password-reset links sent by SMS now arrive on the criminal's phone, SMS-based multi-factor authentication is defeated, giving them access to victims' bank accounts, virtual currency accounts, and other sensitive information.
“Criminal actors primarily conduct SIM swap schemes using social engineering, insider threat, or phishing techniques,” says the FBI. “Social engineering involves a criminal actor impersonating a victim and tricking the mobile carrier into switching the victim’s mobile number to a SIM card in the criminal’s possession.”
Once calls, texts and other traffic for the number are routed to the new SIM, criminals take over accounts by submitting "Forgot Password" or "Account Recovery" requests for the victim's email and online accounts; the verification codes those requests trigger are delivered to the criminal's phone, not the victim's. Every step of the scheme bypasses the victim, who often finds out only when it's too late, typically when the phone abruptly loses service.
The FBI also issued the following recommendations:
- Do not advertise information about financial assets, including ownership or investment of cryptocurrency, on social media websites and forums.
- Do not provide your mobile number account information over the phone to representatives who request your account password or PIN. Verify the call by dialing the customer service line of your mobile carrier.
- Avoid posting personal information online, such as mobile phone numbers, addresses, or other personal identifying information.
- Use a variety of unique passwords to access online accounts.
- Be aware of any changes in SMS-based connectivity, such as a phone that suddenly cannot make calls or receive texts, which can be the first sign that the number has been moved to another SIM.
- Use strong multi-factor authentication methods such as biometrics, physical security tokens, or standalone authentication applications to access online accounts.
- Do not store passwords, usernames, or other information for easy login on mobile device applications.
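The following simulation, added here as an illustration and not part of the FBI advisory, shows why the attack described above works against SMS codes and why the last recommendation (a standalone authenticator app) holds up. It models a carrier routing table that delivers SMS to whichever SIM a number is provisioned on, an account service that can verify either an SMS reset code or an RFC 6238 TOTP code, and an attacker who has talked the carrier into the swap. The phone number, SIM identifiers, the TOTP secret and the timestamp are constructed values (the secret and timestamp are the RFC 6238 test vector, so the TOTP routine can be checked against the published result).

```python
"""Simulated account recovery after a SIM swap: SMS code vs. authenticator TOTP.

All names, numbers and secrets below are constructed for the example.
"""
import hashlib
import hmac
import secrets
import struct
import time

NUMBER = "+15555550100"                 # constructed victim number
RFC6238_SECRET = b"12345678901234567890"  # RFC 6238 test-vector secret
RFC6238_TIME = 59                        # RFC 6238 test-vector timestamp


class Carrier:
    """Delivers SMS for a number to whichever SIM the number is currently on."""

    def __init__(self):
        self.number_to_sim = {}
        self.inbox = {}  # sim_id -> messages received on that SIM

    def provision(self, number, sim_id):
        self.number_to_sim[number] = sim_id
        self.inbox.setdefault(sim_id, [])

    def swap(self, number, new_sim_id):
        # The social-engineered SIM change: the victim is not involved at all.
        self.provision(number, new_sim_id)

    def send_sms(self, number, text):
        self.inbox[self.number_to_sim[number]].append(text)

    def read_sms(self, sim_id):
        return list(self.inbox.get(sim_id, []))


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 30-second step), as used by authenticator apps."""
    counter = int((time.time() if for_time is None else for_time) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class AccountService:
    """Online account that offers SMS-code recovery and TOTP-based recovery."""

    def __init__(self, carrier, number, totp_secret):
        self.carrier = carrier
        self.number = number
        self.totp_secret = totp_secret  # shared only with the user's authenticator
        self.pending_sms_code = None

    def forgot_password_sms(self):
        self.pending_sms_code = f"{secrets.randbelow(10 ** 6):06d}"
        self.carrier.send_sms(self.number, f"Your reset code is {self.pending_sms_code}")

    def reset_with_sms_code(self, code):
        ok = self.pending_sms_code is not None and hmac.compare_digest(code, self.pending_sms_code)
        self.pending_sms_code = None
        return ok

    def reset_with_totp(self, code, now=None):
        return hmac.compare_digest(code, totp(self.totp_secret, now))


def sms_recovery_after_swap():
    """Returns (attacker_reset_succeeded, messages_the_victim_saw)."""
    carrier = Carrier()
    carrier.provision(NUMBER, "sim-victim")
    service = AccountService(carrier, NUMBER, RFC6238_SECRET)
    carrier.swap(NUMBER, "sim-attacker")   # carrier talked into moving the number
    service.forgot_password_sms()           # attacker clicks "Forgot Password"
    code = carrier.read_sms("sim-attacker")[-1].split()[-1]
    return service.reset_with_sms_code(code), carrier.read_sms("sim-victim")


def totp_recovery_after_swap():
    """Returns (attacker_reset_succeeded, legitimate_user_reset_succeeded)."""
    carrier = Carrier()
    carrier.provision(NUMBER, "sim-victim")
    service = AccountService(carrier, NUMBER, RFC6238_SECRET)
    carrier.swap(NUMBER, "sim-attacker")
    # Holding the number yields nothing: the TOTP secret lives in the victim's app.
    attacker_guess = "000000"
    legitimate = totp(RFC6238_SECRET, RFC6238_TIME)  # computed on the victim's device
    return (service.reset_with_totp(attacker_guess, RFC6238_TIME),
            service.reset_with_totp(legitimate, RFC6238_TIME))


if __name__ == "__main__":
    print("SMS recovery after swap:", sms_recovery_after_swap())
    print("TOTP recovery after swap:", totp_recovery_after_swap())
```

The SMS path succeeds for the attacker while the victim's SIM receives nothing, which is the "no input from the victim" property the article describes; the TOTP path fails because the secret never transits the carrier. A real authenticator derives the same code from the same HMAC, so the property carries over, with the caveat that an account which still allows SMS as a fallback recovery method is only as strong as that fallback.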
While mobile carriers have implemented many security measures meant to confirm that a caller really owns a number, social engineering is sometimes enough for criminals to get what they need. The FBI also advises companies to take some preventive measures:
- Educate employees and conduct training sessions on SIM swapping.
- Carefully inspect the sender addresses of emails that appear to be official correspondence for slight changes that make fraudulent addresses look legitimate or resemble actual clients' names.
- Set strict security protocols that require employees to verify a customer's identity before moving a number to a new SIM or device.
- Authenticate calls from third-party authorized retailers requesting customer information.