POND IoT Blog

Understanding SIM Swap Fraud and Protection Strategies

Written by Alex Kotler | September 24, 2020

Our love affair with our mobile phones is keeping pace with the advances in technology. The convenience of doing just about anything with a couple of taps on the screen has become second nature. We store sensitive personal information like bank account and credit card numbers behind unique passwords. However, cybercriminals don’t need passwords or physical access to your phone. The only thing required to take over an account is the mobile phone number. Everyone using a mobile phone is vulnerable to a SIM swap attack, which can destroy you financially in a matter of minutes.

What is SIM Card Swap Fraud

Mobile phones all have a SIM card tucked inside of them. This tiny piece of technology identifies you to your mobile service provider and allows you to communicate through their network. SIM swapping is a function that enables you to transfer your mobile account from one SIM card to another. The benefit is that when you lose your phone, upgrade it, or damage it beyond repair, your service provider can get you back up and running on a new phone. Cybercriminals take advantage of this feature to hijack your mobile account.

Here’s How They Do It

A hacker starts by collecting easily accessible personal information like your name, address, and phone number through phishing emails, malware, the dark web, or social media research. The next move is convincing your service provider you are activating your SIM card on another device. They’re actually transferring your number to their device. If it’s successful, your device will deactivate, and all your incoming texts, email, phone calls, data, and accounts tied to your phone number and SIM card will go to their device.

Why They Do It

Once a hacker has access and control over your phone number, personally identifiable information is no longer private. Now your accounts can easily be accessed. Even multi-factor authentication that relies on a verification text or phone call can’t safeguard your accounts, because that text or call is sent right into the hacker’s hands. Armed with these credentials, logging into your bank accounts and emptying them takes mere minutes. The passwords to all your accounts can be changed, locking you out. Social media accounts are also at risk, as the hackers can take them over and post damaging information that can take months to clean up.

Signs You’re a Victim

It’s important to recognize signs you’ve been hacked so you can recover as soon as possible. These are some of the things to look for:

  • Social Media: Activity on your accounts that isn’t yours.
  • No Service: The inability to make calls or send texts could be a sign your SIM card has been deactivated.
  • Carrier Notifications: Alerts of SIM card activity elsewhere or number activation on another device.
  • Account Access: Login failures on your bank and credit card accounts.

How to Protect Yourself

While many factors are out of your hands, there are things you can do to make it more difficult for hackers.

Limit the personal information you share online. Avoid posting your full name, address, birthday, or phone number. Refrain from joining viral posts that ask you to share your high school graduation picture and a recent one to show how much you’ve changed. Once you do, the hacker has the name of your high school and the town where you lived.

Don’t reply to texts, emails, or calls that request personal information. Reputable companies don’t ask for personally identifiable information in this manner. These are most likely phishing attempts created by a hacker. Always contact the company directly to confirm they are requesting the information.

Enable a unique PIN or password on your account with your mobile service provider to protect the account from unauthorized changes. Make sure it isn’t your date of birth, anniversary, house number, the last four digits of your Social Security number, or any number that could be figured out using your personal information.

Make answers to access verification questions unique. Truthful answers to these questions are like leaving the door wide open for hackers, especially if they already have your personal information. If the question asks for the city you were born in, don’t use the real one; the answer doesn’t even have to be the name of a town.

Use an authentication app. This method doesn’t rely on your phone number for verification. The code is shown in an app on your device instead. Google Authenticator for Android and iOS gives you two-factor authentication protection tied to your device, not your phone number.

What To Do If You’re the Target of SIM Swap Fraud

It can take years to repair the damage from a SIM swap attack. Swift action is critical when you’ve been compromised. Here are some immediate steps to take if you’ve become a victim:

  • Alert your wireless provider immediately so you can take back control of your phone number.
  • Contact your credit card and financial institutions to check for unauthorized charges.
  • Change your account passwords after ensuring confirmation numbers aren’t sent to your phone number.
  • Check with local law enforcement on how to make an official report and file one immediately.
  • Visit IdentityTheft.gov, file reports with the Federal Trade Commission (FTC) and the FBI’s Internet Crime Complaint Center, and create a recovery plan.

POND IoT has measures in place to help protect you from a SIM swap attack. We have a secure, three-step manual process that requires two employees for a port-out to be initiated, making it difficult for hackers to steal your phone number. Our account managers inspect and verify each port-out request to ensure that your number does not fall into the wrong hands. For more information, contact us.