The FBI is warning people about a significant surge in SIM-swapping incidents in which hackers gain access to users’ credit cards and other information. The practice is being driven by a growing and increasingly lucrative cyber underworld. “The scary thing about SIM swapping is that the victim rarely does anything wrong—they never clicked on a phishing link or entered personal information into a fake website,” Austin Berglas, former Assistant Special Agent in Charge of the FBI’s New York Office Cyber Branch and global head of professional services at cybersecurity firm BlueVoyant, told Lifewire in an email interview.
Watch Your SIM
The FBI said criminals are tricking mobile carriers, through social engineering and other means, into swapping victims’ mobile numbers to SIMs in their possession. Using this method, the criminal can gain access to the victim’s bank accounts, virtual currency accounts, and other sensitive information.

From January 2018 to December 2020, the FBI received 320 complaints related to SIM swapping incidents, adding up to losses of about $12 million. In 2021, the agency received 1,611 SIM swapping complaints with adjusted losses of more than $68 million. “The Federal Bureau of Investigation is issuing this announcement to inform mobile carriers and the public of the increasing use of Subscriber Identity Module (SIM) swapping by criminals to steal money from fiat and virtual currency accounts,” the FBI warned in the news release.

SIM attacks are fairly simple, experts say. In an email interview with Lifewire, cybersecurity consultant Joseph Steinberg explained that it starts with criminals discovering your phone number and gathering as much information about you as they can. They then contact your mobile phone company—or one of the many stores authorized by mobile service providers to make service changes—and, posing as you, report that your phone was stolen and ask that the number be transferred to another device. Once the number has moved, the criminal receives the password-reset links or one-time codes sent to it and uses them to log in and reset the passwords on accounts tied to the victim’s phone. “In some cases, they may even buy a new phone at the time—giving the sales representative involved an extra incentive to quickly fulfill their request,” Steinberg added.

But why are there more SIM attacks now? Simple: they’re profitable. “As more people use mobile phones and their support of online banking and other financial activities from these devices, criminals are recognizing that they can garner high profits from these victims,” Jon Clay, vice president of threat intelligence at the cybersecurity firm Trend Micro, told Lifewire via email.
Protect Yourself
SIM swapping attacks are not always easy to defend against, but there are steps that help. To start, Clay explained, be wary of phishing attempts that arrive by text or email. Early warning signs can include sudden changes in your phone service or security alerts about unauthorized activity from some of your applications. “You may not be able to send or receive calls or texts, you may receive alerts from friends or your social media community [about] suspicious activity by you,” he added. “If you suddenly get locked out of your phone apps, that is another indication.”

You should also monitor your bank accounts; any suspicious activity there may be the first sign of this threat. If you suspect you are a victim, contact your phone provider immediately and, if possible, change the login credentials for the apps on your phone.

The surge of SIM attacks illustrates part of a broader problem: using SMS for multi-factor authentication. SMS messages can be spoofed or used for phishing attacks, Andrew Shikiar, executive director of the FIDO Alliance, an open industry association whose mission is to develop authentication standards, said in an email interview. But new technologies are being built into everyday devices that service providers can use instead of SMS or other legacy forms of multi-factor authentication, Shikiar said. One alternative is public-key cryptography, which establishes a unique pair of keys for each user account instead of a password. “The user just needs to use a PIN code, or biometric on their device, [which] then communicates back with the server in a way that can’t be spoofed or hacked,” he said.