Over the last few years, thousands of data breaches have occurred with billions of records stolen, including the April 2021 Facebook data leak that impacted 533 million accounts.
SIM swapping has become a more common form of attack as more and more people live their lives through their mobile phones. The primary goal of SIM swap fraud is typically financial gain, often in the form of stealing bank and credit card information. However, a SIM swap attack is sometimes intended to embarrass or humiliate the victim by compromising their social media accounts.
The European Union Agency for Cybersecurity, ENISA, is the Union’s agency dedicated to achieving a high common level of cybersecurity across Europe. Recently they released the ENISA Report - Countering SIM-Swapping, providing an overview of how SIM swapping attacks work and of the extent to which the Member States are affected.
What is SIM swapping?
SIM swapping procedures exist for legitimate reasons, for instance when a SIM card is lost or damaged. SIM swapping is also used to connect mobile phones with an embedded SIM (eSIM).
A SIM swapping attack is one in which a criminal pretends to be a customer, or the mobile operator, and contacts a mobile phone network telling them that a replacement SIM is needed for a phone. Using social engineering techniques, the attacker convinces the telecom provider to carry out the SIM swap by posing as the real customer and claiming, for example, that the original SIM card is damaged or lost.
When the attack is successful, the genuine subscriber's phone loses its connection to the network and they can no longer make or receive phone calls.
How does a SIM swapping attack take place?
Usually, the attacker begins a SIM swapping attack by gathering personal details about the targeted subscriber. Personal data can be retrieved in many ways: through social engineering, phishing, malware, exploiting information from data breaches, or researching the target on social media.
With all the necessary information in hand, the attacker can convince the mobile network operator to transfer the subscriber's mobile number to a new SIM card under the attacker's control, or perform the process themselves online.
As a result, the attacker takes over the account and receives all the SMS messages and voice calls intended for the legitimate subscriber. Fraudsters can carry out online banking fraud, but they can also bypass the two-factor authentication (2FA) codes sent by SMS to secure social media and other online accounts.
How can you protect yourself from an attack?
- Don't respond to fake emails, texts or phone calls. These are the means fraudsters use to gather personal information about you.
- Be vigilant if you receive suspicious calls, texts or emails from people asking for information, even if they claim to be from a genuine company.
- Be careful what you share on social media. Avoid posting details about yourself or family members such as birthdates, pet names and schools, as these are often the questions used to reset passwords.
- Call your provider immediately if you receive unsolicited texts or emails about your SIM being ported or a PAC (Porting Authorisation Code) request, or if you unexpectedly lose phone service.
- Tell all your banks as soon as possible in case the fraudster attempts to make a transfer online or over the phone.