You did everything right. Your accounts had strong passwords, you never clicked on random links, and you had two-factor authentication set up. But you still wake up one morning to find that you’re locked out of your email and your bank account is empty.
This has happened to people who’ve fallen victim to a SIM swapping (or SIM jacking) attack. Criminals use this attack to take over someone’s phone number by transferring it to their own SIM card.
SIM swapping was especially widespread in 2017 and 2018. However, new attacks were reported in recent weeks and the victims lost large sums of money.
How do SIM swap attacks work?
Unfortunately, an attack that costs its victims thousands of dollars is relatively easy to carry out. The attacker calls your mobile provider and asks them to transfer your phone number to a SIM card in a device that they control. This usually happens late at night, so the victim either doesn’t notice that they’ve lost mobile service or brushes it off as a minor tech issue and goes to sleep.
While you are asleep, however, the attacker uses your phone number to reset your email password. The verification code is sent by SMS to the number they now control, so they receive the 2FA code and gain access to all of the accounts associated with the primary email.
Why is it so easy to transfer a phone number?
It seems that neither T-Mobile nor AT&T (both of whose customers were repeatedly targeted in SIM swapping attacks) has any serious security measures in place. AT&T’s guidelines do state that you can set a password on your account, but employees will not always ask for it.
T-Mobile suffered a data breach in August 2018 in which hackers stole over 2 million people’s information. The data did not include anything particularly valuable, like financial information. Instead, it served a different purpose.
It contained T-Mobile’s customers’ billing information, which is enough to perform a SIM swap: the account number, the name of the account holder, and their address. Even if you have a PIN or password set up, the attacker can get away with simply claiming that they forgot it.
This attack is not new or particularly complicated, but mobile providers don’t do anything to stop it. It’s up to users to protect their accounts.
What should you do if you become a victim of a SIM swapping attack?
- Call your provider and explain the situation. Ask for your phone number to be transferred back to your SIM. If that’s not possible, request that they temporarily block it until you can visit a physical location to verify your identity.
- Record and save everything. Any information you find on your accounts could be useful later when you contact the authorities.
- When you have your phone number back, access your email and change the password. Check the recovery email addresses and phone numbers on the account for any that the attacker added, and delete them. Review your email provider’s security settings and see whether this type of attack can be prevented in the future.
- Check your bank account for any suspicious transactions. If something looks odd, notify the bank.
- Prioritize your accounts and secure them. Change the password, enable 2FA, and check whether the attacker changed any of the information on the account.
- Take special care with your financial accounts like PayPal or Coinbase. If you are not 100% sure they are safe, block your credit cards or transfer your money to a secure bank account. If you no longer use the service, delete it.
- Add additional security steps to your mobile account. Don’t wait until the next day, or you might lose your phone number again. Demand that changes to your account be made only in person at a physical store after you provide identification.
- Contact law enforcement. Make sure you include your phone number, mobile provider, all the relevant dates and times, any screenshots from your accounts with additional information, and a detailed report of the steps you took.
How to protect yourself from SIM swapping
We want to trust our mobile providers, but even after these incidents were widely reported, neither AT&T nor T-Mobile implemented any new security measures. However, there are some things you can do to protect both your SIM card and your online accounts.
- Ask your mobile provider for additional security measures.
- Consider disconnecting your sensitive accounts from your phone number or SIM card.
- Minimize the number of accounts your email is connected to and delete anything you are no longer using.
- Never sign up for a service using your Google, Facebook, or Twitter accounts.
- Be smart about your passwords. Choose a complex and unique password for every website, app, or service. And never save them in your browser or Google account; use a password manager instead.
- Implement two-factor authentication where possible but opt for a method other than text message or phone call.
- Don’t store any sensitive information on your Google Drive. Use an offline hard drive or choose a less vulnerable cloud service provider.
- Make sure you minimize your digital footprint. Don’t use geotags, don’t disclose your private information online, avoid public Wi-Fi, and use a VPN when browsing.