What do superstar Selena Gomez and cryptocurrency millionaire Michael Terpin have in common with countless ordinary people? They’re victims of SIM swap fraud – the account takeover method that attackers use to bypass 2FA (two-factor authentication) and break into online accounts.
In the UK alone, reports of SIM swap have risen by a massive 400% in the past five years, and thousands of pounds are stolen in the average attack. The method is simple but devastatingly effective: the attacker obtains some personal information about you, and uses it to convince (or bribe) a mobile network employee into swapping your phone number to their SIM card.
From there, they can request password resets for your online accounts and intercept the verification codes sent by SMS. With those codes they can reset your passwords to lock you out, then read your email to reach further accounts, including digital wallets.
SIM swap fraudsters act fast and count on you not realising what’s happening. So the best way to protect yourself is to be vigilant about your online security – and to know the signs of a breach. Here are our top tips for keeping your data safe online:
Check your privacy settings on Facebook, Twitter, and other social media – and don’t let just anyone add you as a contact. If your date of birth, phone number and other personal details are visible, criminals can collect this information and use it to better impersonate you in a fraud attempt.
Remember that even seemingly innocent details, such as the first school you went to or your childhood pets’ names, might also be the answers to security questions.
Another tip: when you’re customising security answers and memorable phrases, they don’t have to be accurate – choose something obscure that you can remember.
Many mobile networks allow you to set a PIN or password for your account; contact your network to find out how. If you’re given the option, enable two-factor authentication (2FA) wherever possible on your online accounts. By adding a second factor to verify your identity, you become much more difficult to target, and this alone will put off many attackers.
Codes sent via SMS text message are a common form of 2FA. They’re still vulnerable to SIM swap attacks, but any extra form of authentication is much better than none. However, it’s safest to enable a stronger 2FA method whenever a service gives you the option.
This might include biometrics (such as your fingerprint on a smartphone), codes generated by a separate app, or SIM-based authentication which confirms your phone number and checks for SIM swap activity.
Be wary of any emails, SMS, or phone calls out of the blue asking to ‘confirm’ your personal details or claiming you’ve won something, even if they look legitimate. Phishing attempts – where criminals attempt to gather personal information fraudulently – can appear very sophisticated, often using the branding and images of the real service they’re spoofing.
Common tactics include claiming that you’ve missed a package delivery and need to reschedule, problems with your tax form or TV license, or claiming that you’ve been charged for an order you never placed. Fraudsters hope to create urgency by convincing you that there’s a mistake you need to fix.
Always check the sender’s email address and the URL before clicking any links. If you’re unsure if a communication is legitimate, contact the service with a phone number or website you know is real.
Criminals obtain your information from databases of leaked usernames and passwords. To minimise the risk, deactivate accounts on services you no longer use and practise good password hygiene: make every password strong and unique (a password manager makes this practical), and change a password promptly whenever the service it belongs to reports a breach.
Have I Been Pwned (haveibeenpwned.com) is a great resource that lets you know if your email address has appeared in a data leak. If it has, change the password for the affected service and for any other account where you reused that password.
Google also allows you to review this by navigating to your account settings (top right of the Google homepage) and clicking ‘Security’, which will show your linked accounts and any detected security issues.
SIM swap fraudsters act quickly, hoping to change passwords and transfer money before you realise something’s amiss. As soon as the fraudster activates their new SIM card, yours will stop working. If your phone suddenly loses signal with no obvious cause (you are not in a known dead spot, and other phones on the same network still have service), this could be why.
Most network providers send confirmation of SIM swap attempts. If you receive a surprise text or email about a SIM change, a PAC (Porting Authorisation Code, used to move your number to another network) request, or your SIM card being activated on another device, contact your mobile network immediately. Bear in mind that if the swap has already gone through, your own phone will have no service, so use another phone or the provider’s website.
If you think you’ve been the victim of an account takeover attack, inform your bank and any credit card providers as soon as possible. They can freeze your account before the fraudster is able to make purchases and transfers, and minimise the damage. It’s better to err on the side of caution even if you’re not sure, as your bank can provide you with a new card later.
Identity theft is a crime, so you should also contact your local police. In the UK, you can call Action Fraud to make a report and receive advice.
We hope this advice helps you feel prepared and informed to deal with fraud. Remember that security is equally vital on your mobile browser and any apps you use.
You can learn how SIM swap fraud is pulled off in more detail – and why criminals do it – here.
And if you’re concerned about your customers and brand being impacted, find out how tru.ID can help you protect your business from account takeover fraud.