Your smartphone, whether it is an iPhone or an Android, is your only lifeline for keeping up to date on emails and chatting with coworkers and employees when you are out of the office. Virtually everyone owns one of these devices, and their popularity naturally attracts cybercriminals like hackers and scammers. In recent years a new sort of targeted cyberattack has emerged: the SIM swapping or SIM jacking attack. Both expressions are used interchangeably. SIM stands for subscriber identity module. It is a card in every smartphone and tablet with a cellular signal that allows providers like Verizon and AT&T to identify and authenticate subscribers.
Everything You Need to Know about SIM Swapping
A study conducted by Princeton University in 2020 concluded that Verizon, AT&T, T-Mobile, USMobile, and Tracfone were all vulnerable to SIM swapping. This new type of cyberattack is so sophisticated that even Twitter CEO Jack Dorsey was a victim of it. The scammer starts by gathering personal information about the target, either by using phishing emails or by conducting direct social engineering. Direct social engineering involves collecting sensitive information about the victim in person or over the phone. The scammer then uses the collected information to contact the telephone provider and impersonate the victim, claiming to have lost their smartphone and to need the phone number ported over to a new smartphone.
This sort of cyberattack is extremely dangerous because many tech companies like Microsoft, Google, and Facebook have adopted multi-factor authentication for additional security when resetting passwords. Once the number is ported, the scammer requests a password reset for your private account, and the reset code is texted to their ported smartphone instead of yours. The scammer resets your password. Now they have access to your accounts and all of the sensitive data associated with them, like private messages or banking information. These sorts of cyberattacks often fall outside the scope of traditional cybersecurity, and without sufficient evidence it is difficult for IT teams to pinpoint the compromised phone as the source of the breach.
How Can You Protect Yourself from SIM Swapping?
- Do not trust anyone who reaches out to you and claims to be your telephone provider. If anyone requests sensitive information over the phone or by email, hang up the phone and do not reply to the email. Call your telephone provider’s support number directly to verify the authenticity of the request.
- If you have not received phone calls, text messages, or emails for an unusually long time but you have a strong cellular signal, use another phone to notify your telephone provider of the anomaly.
- Do not open unknown links texted to your phone, especially on Android devices, where malicious software can be installed without your knowledge and scrape your device for sensitive information to use in social engineering.
Unfortunately, with this sort of cyberattack, the responsibility falls mostly on you, the end-user, and we can expect SIM swapping attacks to grow in the coming years until telephone providers start to take this new threat seriously.