If you’ve logged into any cloud-based app or software in recent memory, you’ve probably been prompted to set up multi-factor authentication (MFA) using your phone number as a way to verify your identity. While this adds another layer of security to your account, it also opens up new opportunities for scammers.
Companies everywhere have essentially built their customer authentication around phone numbers, and many sites still let users reset their passwords with nothing more than a one-time code texted to the phone number on their account. This practice has given scammers a way to steal information through SIM Swapping.
What is SIM Swapping?
SIM Swapping (also known as SIM splitting and SIM jacking) is a type of account takeover fraud that generally targets a weakness in multi-factor authentication and two-step verification processes.
A scammer hijacks the target’s phone number and uses it to reach data, passwords, cryptocurrency and other items of value. Typically the scammer uses social engineering to convince a mobile carrier service rep to move the victim’s phone number to a SIM card the scammer controls. When that phone number is the victim’s second factor and the scammer already knows the victim’s usernames and passwords, the scammer can easily take over the victim’s accounts. Even without the passwords, the hijacked number gives the scammer an avenue to reset or change them, because the reset codes now arrive on the scammer’s device.
Phone numbers were never designed to be an authentication method, but the phone carriers were forced to accept this role once it was in heavy use. Using a phone number for multi-factor authentication (MFA) is not, on its own, an effective defense against a cyberattack. You have to build a cybersecurity culture that keeps employees educated and aware, so they can recognize suspicious activity such as receiving a password reset text when they didn’t ask to reset their password. When an employee receives one of these texts, they should already know how to handle the potential fraud.
Failure to catch these scams early can result in losing access to every account associated with the phone number. This can be a serious setback for a company if a scammer gains access to confidential information through one of the employee’s accounts. There are many ways to try to prevent SIM Swapping, but having the right applications alone isn’t enough to give you the protection you need.
How can you prevent a SIM Swapping scam?
Unfortunately, there is not a lot you can do to prevent falling victim to a sophisticated SIM Swap scam, but there are some steps you can take to lessen your risk.
Use a PIN
Every major U.S. mobile phone carrier provides the option of setting up a PIN in order to access your account. If you haven’t already done this, it is highly encouraged. This adds another layer of security and one additional piece of information a potential scammer would have to obtain in order to hijack your account.
Use better authentication methods
When possible, use alternative authentication methods instead of your phone number. Authenticator apps like Microsoft Authenticator and Authy are tied to your physical device rather than your phone number, so a scammer would also need access to the device itself.
Physical authentication devices, like the YubiKey, also add a physical layer of protection because the scammer would have to steal your physical key to gain access to your accounts.
Train your employees to be the first line of defense
It takes more than the right technology to protect your business from cyberthreats. Your employees need to know how they can help defend the business from SIM Swapping attacks.
- Train and test your staff on cybersecurity awareness
- Utilize the latest security technology
- Structure and implement the necessary IT security policies
- Establish the best-fit security procedures for your business
- Minimize your employees’ bad IT habits
- Identify and respond to cybersecurity threats
What should you do if you are the victim of a SIM Swap scam?
If your phone number has been hijacked by a SIM Swap attack, contact your mobile carrier immediately to regain access to your phone number. Once you’ve regained access, change your account passwords in order to prevent additional interruptions.
Because your personal information has been compromised, we advise checking your bank accounts and credit cards for unauthorized charges. If you notice any, report them to your financial institutions right away.
You can also visit IdentityTheft.org to learn about additional steps you can take if you are worried a scammer has access to your Social Security number or other sensitive information.