You are probably familiar with the SIM card - that little chip that's inserted in your cellphone to identify you within the cell network and assign you your phone number.
If your phone is lost or stolen, your cellphone provider will issue you a new SIM card to activate and use on your new phone. However, some devious criminals out there have found a way to rip you off using your own SIM card against you. Yikes!
Typically, to prevent unauthorized use of your number, you can call your carrier to deactivate your old SIM card quickly - done and done. Another way to get a new SIM card is when you upgrade to a new phone that requires a card that is sized differently, from mini-SIM to micro-SIM, for example. Just call your carrier, activate the smaller card then slip it in the new phone.
In these cases, the carrier will typically ask you for your new SIM card number and your phone's IMEI number for the activation to complete.
The thing is, mobile carriers can only assign one phone number or account to one SIM card at a time. If your phone number gets re-assigned to another SIM card, your old SIM card gets deactivated. As long as you are verified as the owner of the account, SIM swapping is a quick and easy process.
But the question is: since it's simple enough to do, can SIM swapping be flipped and used by criminals for nefarious ends?
According to the UK's National Fraud Intelligence Bureau, SIM swapping scams are on the rise again.
The SIM swap scam
It's an elaborate scam but it's more common than you think. This is how it works:
1st step: Through social engineering and phishing scams, criminals gather as much information from a potential victim as they can. They browse through social media posts, use search engines or engage victims in online chats in hopes of acquiring details that can be used for security questions (e.g. mother's maiden name, name of first pet, etc.).
Criminals can also use keylogging or spying malware or buy personal information databases from the Dark Web.
2nd step: With the personal information gathered, the fraudster will contact the victim's cellphone carrier and claim that their phone has been lost, damaged or stolen and they need to activate a new phone with a fresh SIM card. If they successfully pass the carrier's identity checks by answering the security questions, the old SIM card is deactivated and the SIM card in the criminal's hands is activated. All of the victim's calls and texts are now received on the criminal's phone.
Once the victim's SIM card is deactivated, their phone, of course, will stop working, usually with a "No Service" warning. This is the first warning flag you'll have to watch out for.
3rd step: The criminals then attempt to claim the victim's online banking account, again using the personal information gathered, but this time, they will also use the victim's phone number for two-factor authentication codes. With this crucial window of opportunity, they start changing profile settings then add and set up withdrawal accounts.
4th step: With these additional accounts set up, the criminals start draining the victim's bank account. The banks will ask for confirmation via two-factor authentication codes sent by text message to your phone number, which, unfortunately, is still under the criminal's control. At this point, it's game over.
Adding insult to injury is this - once you wise up and discover what's going on, it's still all up to you to prove to the phone carrier and your bank that you are the victim and you're actually who you say you are. You'll probably go through even more stringent security checks than what the criminal had to go through!
- Look out for phishing scams on emails or websites. SIM card scammers will try and get your username and password first so this is your first line of defense.
- Never open attachments from unknown sources. Another way for the criminals to gather data about you is via spying malware and keyloggers. Be mindful of what you download and install on your computer and gadgets!
- Have security and anti-virus software installed on your machine. This will alert you if known malicious software is trying to infect your machine. It's also vital to keep your software and system up-to-date.
- Never over-share on social media, especially publicly. Don't post sensitive information like birthdays, pet names, relatives or family information. Remember, these types of info can be used as answers to your security questions.
- Beware of social engineering. Don't reveal any personal information to strangers especially on online chats, no matter how casual and friendly the conversation may be. Also, crooks are starting to pose as people that you may know with fake Facebook accounts so please be vigilant (even with your friends).
- Create strong and unique passwords. Many people use weak passwords and even worse, use the same username and password on multiple sites. This is a terrible practice and you should never do it. If you're using the same credentials on multiple sites, change them to make them unique.
- Contact your carrier immediately if your phone suddenly gets deactivated. If you're in a known area and you suddenly lose your network connection, contact your carrier immediately. Use another phone, if needed. Criminals are counting on this window of opportunity to perform their nasty deeds so you have to act quickly.