SIM swapping is a process whereby scammers convince mobile phone operators that they are you and that you want to move your number to a new device.
Also known as a port-out scam, SIM splitting, Smishing and simjacking, SIM swapping is a type of account takeover fraud which, if successful, can allow attackers to pretend they are you when trying to create new accounts, or to take over your other existing accounts which are usually protected via two-factor authentication or two-step verification in which the second step is a text message or call placed to a mobile telephone.
Method of compromise
Most people are aware that mobile phone providers can move (port) a phone number to another device containing a different SIM (Subscriber Identity Module). This is a common activity performed when a customer changes phones to a new model, or brand.
SMS-porting can also be done if a customer loses a phone, or has a phone stolen, so that they don’t have the added hassle of telling everyone that they now have a new number.
The SIM swap scam starts with attackers conducting OSINT (Open Source Intelligence) on a prospective victim. The OSINT is done by scouring social media for data the victim posts about themselves, or by purchasing data-breach information which contains email addresses, names, dates of birth, etc.
In many cases, social engineering campaigns are used to try to get data directly from the would-be victims. This is often done in the form of phishing attacks or, on rarer occasions, by vishing (voice phishing) the victim by actually calling them on the phone.
Social media games and quizzes might seem like a harmless bit of fun, but when you look at the types of questions being asked – they are ALL questions to which the answers could also be security question answers.

I occasionally get calls from people pretending to be from Carphone Warehouse calling me about my “3” phone. The immediate tell for me that this is a scammer is that whilst my mobile number was an original 3 number, I’ve ported it to Vodafone, and then to O2 over the last 20+ years, so when they mention 3, I immediately close the call down – occasionally with a few choice words, depending on my mood.
Armed with a victim’s personal details, the scammers contact the victim’s mobile telephone provider and, using more social engineering techniques, try to convince the telco to port the victim’s phone number to the fraudster’s SIM.
In some countries, notably India and Nigeria, the fraudsters will be on the phone to both the victim and the telco at the same time because the victim will need to approve the SIM swap by pressing 1 on their phone.
In other cases, SIM numbers are changed directly by telecom company employees bribed by criminals.
Post SIM swap activities
Once this SIM swap has taken place, the victim’s phone will lose connection to the network, and the scammer will now receive all the SMS and voice calls intended for the victim.
This is where the attack starts to ramp up.
The scammers will now try to access as many accounts owned by the victim as possible – in many cases, they will attempt to change account passwords using the “forgot password” options and then intercept any one-time passwords or telephone calls spawned by the process.
Because so many services allow password resets with the use of a recovery phone number, the scam allows the criminals to gain access to almost any account tied to the hijacked number. This may allow them to directly transfer funds from a bank account, extort the rightful owner, or sell accounts on the black market for identity theft.
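One way a service that offers phone-based password resets could limit the takeover described above, shown as an added example that is not part of the original article: treat a recovery number whose SIM changed recently as untrusted. The `sim_changed_at` field, the 72-hour window and the sample requests are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

COOLING_OFF = timedelta(hours=72)  # assumed policy window, tune per service

# Constructed sample reset requests (not real data). "sim_changed_at" is an
# assumed field: when the recovery number last moved to a new SIM, or None
# if the service has no record for that number.
REQUESTS = [
    {"account": "alice", "channel": "sms", "at": "2024-03-04T10:15:00",
     "sim_changed_at": "2024-03-04T09:50:00"},   # 25 minutes after a swap
    {"account": "bob", "channel": "sms", "at": "2024-03-04T11:00:00",
     "sim_changed_at": "2023-06-01T08:00:00"},   # SIM stable for months
    {"account": "carol", "channel": "voice", "at": "2024-03-04T12:00:00",
     "sim_changed_at": None},                    # no signal available
    {"account": "dave", "channel": "authenticator_app",
     "at": "2024-03-04T12:30:00",
     "sim_changed_at": "2024-03-04T12:00:00"},   # swap irrelevant, no phone factor
]

def reset_decision(req, cooling_off=COOLING_OFF):
    """Decide how to handle one password-reset request.

    Returns "allow", "step_up" (require a factor that is not the phone
    number) or "hold" (block and notify the owner via another channel).
    """
    if req["channel"] not in ("sms", "voice"):
        return "allow"        # the phone number is not the factor in use
    if req["sim_changed_at"] is None:
        return "step_up"      # unknown SIM age: do not rely on the number alone
    age = (datetime.fromisoformat(req["at"])
           - datetime.fromisoformat(req["sim_changed_at"]))
    if age < timedelta(0):
        return "step_up"      # inconsistent timestamps: treat as unknown
    return "hold" if age < cooling_off else "allow"

def triage(requests):
    """Map each account name to the decision for its reset request."""
    return {r["account"]: reset_decision(r) for r in requests}

if __name__ == "__main__":
    for account, decision in triage(REQUESTS).items():
        print(f"{account}: {decision}")
```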
Staying safe
Thankfully, this type of attack is quite rare in the UK, but regardless of the controls in place with most UK mobile operators, you should always be cautious of divulging too much personal data to others.
If you feel concerned about this type of attack, there are some really good places online where you can get more information about staying safe:
- Take Five to Stop Fraud – straightforward and impartial advice to help you protect yourself against financial fraud
- FFA UK – information about the various types of payment fraud, plus helpful tips and advice
- Action Fraud – the UK’s national reporting centre for fraud and cybercrime
- Get Safe Online – a resource for unbiased, factual and easy-to-understand information on online safety
- Which – advice on scams