The FBI is warning of a spike in SIM-swapping attacks, which cost victims an estimated $68 million in 2021 alone.
The FBI published an alert reporting that it received 1,611 SIM-swapping complaints in 2021. It describes this as a massive increase compared to only 320 reports in the prior year, with estimated losses of only $12 million. That represents 80% more complaints and 82% more in losses when comparing 2020 with 2021.
But what is SIM-swapping?
It is the technique of a cybercriminal changing or cloning a victim's SIM card to a new SIM card with malicious intent. Criminal actors are using this technique these days to gain access to users' bank accounts, cryptocurrency accounts, emails, and any other sensitive information, with the intention of profiting from it.
How does it work?
They try different ways to get in. First, they use social engineering and phishing techniques to get a carrier employee to download malware, which is then used to hack the mobile carrier systems that carry out SIM swaps. They also use social engineering to impersonate the user to the carrier, tricking the mobile carrier into switching the victim's mobile number to a SIM card in the bad actor's possession.
What can they do after they get your SIM card?
Once the cybercriminal has the new SIM card with your phone number active, calls, texts, and other data are delivered to the criminal's device, and the original SIM card of the real owner of the service is automatically deactivated. They then send 'Forgot Password' or 'Account Recovery' requests to the victim's email and any other online accounts associated with the victim's phone number. Where SMS-based second-factor authentication is used, a link or code is sent to the phone owned by the criminal, giving access to all accounts associated with this phone number.
“Once the SIM is swapped, the victim’s calls, texts, and other data are diverted to the criminal’s device. This access allows criminals to send ‘Forgot Password’ or ‘Account Recovery’ requests to the victim’s email and other online accounts associated with the victim’s mobile telephone number,” the FBI said.
The FCC is actively working to create stronger rules for how carriers manage the transfer or swapping of phone numbers. While they work on that, the FBI warns us to stop posting our personal information online. Sensitive information includes your phone number, home or work address, and personal email address, as this is the basic information needed to commit a SIM swap.
We recommend avoiding SMS as a second authentication factor to protect your accounts; instead, use an authenticator app such as Google Authenticator or Microsoft Authenticator. AT&T is one of the few carriers that has an extra security control to help prevent SIM swaps.