SIM swapping is actually a genuine service offered by carriers: it allows you to keep an existing number when changing a SIM card. This is often required if the device you are using needs a different size SIM card or if the SIM becomes damaged.
How Are Fraudsters Taking Advantage?
It is becoming a common tactic for fraudsters to gain control of a SIM, even temporarily, by SIM swapping your number to a new device in order to commit fraud. Once they have control, they can gain access to applications by receiving a One-Time Password (OTP), also known as a Two-Factor Authentication (2FA) code.
Access to the mobile on its own would not be enough to gain access to your account. However, consider someone who receives a phishing email impersonating their bank, completes the online forms and unknowingly gives away their account details.
Now that they have your details, if they also gain access to the SIM there will be nothing stopping the fraudster from stealing your money. An article from This Money highlighted the problem: fraudsters were able to swipe £80,000 from an account even though they were actually getting the password wrong.
Unfortunately, they had access to the telephone number, which had been transferred to a new SIM, all without authorisation.
The failure here is the Mobile Operator not following proper procedure and allowing the SIM to be transferred to the fraudster. Once it was transferred, it was easier to reset the victim's Online Banking passwords.
How Does It Happen, Surely Not To Me?
A Cyber Criminal just has to convince a customer services agent that they are you. An online search of Social Media profiles or a quick Google search can often turn up enough personal information to feed a sob story to a company and gain access.
So they feed the agent a line, saying they lost their mobile phone and need to swap the number onto a new SIM. If the agent is given enough information to feel that the fraudster is the right person, the fraudster will then gain access to your SMS messages and calls, and I'm sure you will know what that means.
Now, if you are reading this thinking that it will never happen to you, a Cyber Criminal doesn't care if you have £1 or £1,000,000. If they can steal it, they will. Money laundering and fraud such as this often feed international crime and terrorism, so anyone is a target.
How Do I Prevent A SIM Swap?
To be honest, it may not be possible to prevent SIM swapping. Unfortunately, it relies on third parties believing fraudsters, as above. This is often done through what is known as Social Engineering or Phishing Attacks.
Here are a few things that help prevent this and a few other problems:
Avoid falling for Phishing Scams
Be careful with the emails you receive. If you receive an email with links, be sure it is something you are expecting, as it may take you to a fake login screen or send you to a download that contains infections such as Ransomware. Unfortunately, if you do and fraudsters gain access to your personal details, this gives Cyber Criminals more incentive to access your data.
Reduce Online Personal Information
Online platforms such as Facebook, Instagram, Twitter and LinkedIn are the go-to places for people to discuss both business and personal items. Setting up a profile often means listing your educational and work history, maybe your address and other contact details, and even your spouse or DOB.
All this information can be used by fraudsters, and comments on posts can be used to target people too. We often see public posts asking people which Primary School they attended or what their favourite movie is. This may seem innocent, but these are often the answers to Password Recovery screens on websites.
Answering these may be enough for people to reset your personal passwords and lock you out of the account. Facebook Group polls are often set up with the primary goal of persuading people to provide personal information, so please be careful what you answer online or anywhere.
Use An Authenticator App
Instead of tying a 2FA/OTP code to your mobile number, add it to an Authenticator app. This works in a similar way, but instead you must launch the application, where a code is shown and changes after 30 seconds. Unfortunately, forgetting or restoring your phone would result in the account being inaccessible unless you had the phone as a backup.
Not having the SIM as a backup makes the account more secure against Cyber Criminals, but it will be more secure against you too if you lose or damage your mobile device.
Add A Password Or PIN To Mobile Account
By adding a password to your Carrier account you add a barrier for the Cyber Criminals. The weakest link in this scenario is the Carrier deciding to let the fraudster through if they claim to have forgotten the password/PIN.
While this is a great deterrent, it is not perfect: as in the above story, Cyber Criminals were able to use other details to gain access.
Do Not Personalise Security Questions
So you are completing your security questions and one asks for your mother's maiden name or home town. The common first thought would be to use the real information.
We encourage using fake information, but something that you will certainly remember. Countless times I have used Liberty City as a location, from the popular Grand Theft Auto series.
Use A Password Manager
Many users think that the browser storing passwords is a Password Manager. Unfortunately, they are wrong, as the data is often stored in plain text.
Apple does link Safari to Keychain, but I still recommend using a third-party tool such as LastPass. Such tools generate long unique passwords for each app and often warn you if you've attempted to use the password in an alternative application.
Unique Passwords For Every Application
Countless times I have warned people to use a unique password. Often, though, people find it easy to use something personal with numbers at the end, such as EmilyJade123 (example). In this example, Emily and Jade can be the person's children's names, and 123 is a differentiator because they need numbers in a password.
The above would be very easy to guess, as 123 is a commonly added set of numbers and children's names are a frequently used option. People often replace letters with numbers and symbols such as the Dollar sign $ or Hash #, but not all websites allow these characters, so be careful what you use.
I May Have Been A Victim, What Can I Do?
If you have found your number swapped, contact your Carrier immediately and then report the incident to the police.
If you have fallen for a Phishing Scam and submitted your bank or other personal details, report it to Action Fraud by completing their form.