FBI: Criminals escalating SIM swap attacks to steal millions of dollars

The federal agency says hundreds of victims have lost money due to scams over a two-year span.

As ransomware continues to be an ongoing problem with protecting users’ data, there is a cell phone scam the public needs to be aware of as well. The FBI says criminals have escalated SIM card swap attacks to hijack victims’ phone numbers and steal millions of dollars from fiat and virtual currency accounts.

The FBI reports that from January 2018 to December 2020, the FBI Internet Crime Complaint Center received 320 complaints related to SIM swapping scams, with the damages totaling $12 million altogether.

“When people wonder what the consequences of large-scale data breaches are, this is exactly it,” said Chris Clements, VP of solutions architecture at Cerberus Sentinel. “Both people and companies have become conditioned to being able to verify identity through simple questions like social security number or mother’s maiden name. Unfortunately, this falls apart completely when data breaches affecting millions of people routinely occur. Now information that was previously assumed to be relatively private is in the hands of malicious parties who can leverage it to easily impersonate their victims.”

What is SIM swapping?

SIM swapping is a scam in which malicious parties target cell phone carriers to gain access to victims’ bank accounts, virtual currency accounts and additional sensitive information by using social engineering, insider threat or phishing techniques. Social engineering involves a criminal to impersonate the victim’s mobile number by tricking the cell phone carrier into switching the victim’s mobile number to a SIM card that is in the criminal’s possession, allowing the malicious party to access the victim’s calls, texts and other data, but this is only one of the three methods used to steal funds from victims.

SEE: Google Chrome: Security and UI tips you need to know (TechRepublic Premium)

Insider threat takes place when a criminal actor pays off a mobile carrier employee to switch the victim’s SIM to a card currently in the criminal’s possession. Malicious parties can also employ phishing techniques to access victims’ sensitive data, and steal funds from the victim through their banking data or third-party services like PayPal or Venmo. This level of access to a victim’s cell data then allows a malicious party entry to everything from text message verification to SMS based two-factor authentication to exploit victims’ sensitive information.

“Service providers must move from more simplistic means of validating identity to more sophisticated ones,” Clements said. “PIN codes unique to each user’s account can be one way of adding additional security to the process, and ‘out of wallet’ questions are another alternative that works by verifying much harder to compromise information such as last three home addresses or cars. It may be more of a hassle for everyone, but it’s simply no longer viable to rely on information that has been routinely compromised to validate a person’s identity.”

Protecting yourself from SIM swapping

The FBI encourages both cell phone users and the companies that provide service to take additional security measures in protecting their personal information. For cell phone users, the agency outlines the following tips:

• Do not advertise information about financial assets, including ownership or investment of cryptocurrency, on social media websites and forums.
• Do not provide your mobile number account information over the phone to representatives that request your account password or pin. Verify the call by dialing the customer service line of your mobile carrier.
• Avoid posting personal information online, such as mobile phone number, address or other personal identifying information.
• Use a variation of unique passwords to access online accounts.
• Be aware of any changes in SMS-based connectivity.
• Use strong multi-factor authentication methods such as biometrics, physical security tokens, or standalone authentication applications to access online accounts.
• Do not store passwords, usernames or other information for easy login on mobile device applications.

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

For mobile carriers, the FBI recommends the following actions:

• Educate employees and conduct training sessions on SIM swapping.
• Carefully inspect incoming email addresses containing official correspondence for slight changes that can make fraudulent addresses appear legitimate and resemble actual clients’ names.
• Set strict security protocols enabling employees to effectively verify customer credentials before changing their numbers to a new device.
• Authenticate calls from third party authorized retailers requesting customer information.

If users believe they have been a victim of SIM swapping, the FBI encourages mobile users to first contact their mobile carriers immediately to regain control of their phone number, then accessing their online accounts to change their passwords that protect their sensitive data. Contacting financial institutions to put a preemptive alert out on suspicious activity is also recommended, along with reporting any concerning activity to local law enforcement or the local FBI field office.