SIM swapping fraud – why you NEED to protect yourself NOW

SIM swapping fraud is one of the fastest-growing areas of cybercrime, with reports doubling year on year, according to Action Fraud, the UK national reporting centre.

What is SIM swapping?

A SIM swapping attack involves a cybercriminal ‘stealing’ your mobile phone number by requesting a new SIM card (usually an e-SIM) from your mobile phone provider – something that is staggeringly easy to do.

An attack usually starts with scammers collecting personal data about you from social media and public records, through phishing emails, and from data on the dark web exposed in previous breaches.

They then use this information either to impersonate the victim when contacting the mobile phone provider, or to hack into the provider's portal, and claim they require a new SIM because they have lost their phone.

Once they have the new SIM, they have control of your phone number. They will then change the security details held by the mobile provider, and the passwords on its portal, to make it very difficult for you to regain control.

What happens during a SIM swapping attack?

When criminals take over your phone number, they can access sensitive accounts and reset passwords in your name, usually by using one-time passwords or passcodes (OTPs) sent by text message to gain access.

Victims often experience a sudden loss of mobile service, unexpected text messages or emails about changes to accounts, being locked out of accounts, and unauthorised transactions on credit cards and bank accounts.

The consequences, however, are not just financial, although the losses can be substantial and are often difficult to recover. SIM swapping fraud usually causes significant distress to the victim, and regaining access to compromised bank, email and social media accounts takes a significant amount of time, often a period of weeks.

Many report weeks or months of stress trying to recover their identities, dealing with banks and service providers, and worrying about what other information may have been exposed. The emotional toll can be just as damaging as the monetary loss.

Reported cases also suggest that the mobile phone providers are neither effective in their response nor well equipped to prevent such fraud.

Practical steps to reduce the risk of SIM swapping

Whilst it is not possible to prevent SIM swapping attacks, as one of the main risks is the lack of secure checks by the mobile phone providers, there are actions you can take to reduce the chance of it happening to you.

For everyone:

Secure your mobile provider account

Use a strong, unique password on your online account and set up multifactor authentication where possible. If you can, set up a PIN or password for telephone authorisation that could not be guessed from social media or public information.

Use multifactor authentication

Ensure multifactor authentication is set up for any account or application you access from your phone. Where possible, avoid text message authentication and use either an app or, even better, a passkey where you have the option. This is particularly important on your Apple iCloud or Google accounts, which back up the data on your phone. We suggest reviewing all your accounts, deactivating text message authentication and replacing it with a stronger alternative where possible.

Be social media savvy

Make your social media profiles private and be very careful what you post on them. Even accounts you believe are ‘friends’ could be spoofed or compromised. We also recommend reviewing or deleting historical posts in case they contain data which may put you at risk.

Don’t respond to phone providers contacting you

If you receive a call, email or text message from your phone provider asking you to confirm or update information, don’t give them any details. Instead, call them back using the trusted customer services number on their website.

Use phone app banking carefully

Don’t set up Apple Pay or Google Pay on your main current or savings account. Instead, use another bank account with access to limited funds and with spending controls enforced. You should also consider whether the convenience of phone app banking is worth the additional risks.

For businesses:

Use a dedicated business phone company

Using a local mobile phone business you know and trust to manage your account means the phone providers may not be able to issue new SIMs to people who contact them directly, reducing the risk of this fraud. If you have a mobile company, you should speak to them to confirm whether this is the case.

Use secure mobile apps for business data

When allowing your staff to connect to your business systems to access email, Teams messages and files, make sure you have a system in place (usually called ‘Mobile Application Management’) to ensure the data is secured within those apps.

How Pro Drive IT can help

At Pro Drive, we help businesses like yours create clear, practical security plans for your mobile devices and the people using them. From setting up mobile application management and rolling out passkeys and security keys to helping write usage policies, we make sure your data stays protected without making life harder for your team. Get in touch with us using the form below if you would like to know more.

Bruce Penson

Managing Director of Pro Drive IT