What is SIM swapping and why you should be concerned

SIM swapping is when you request a new SIM card from your current or new operator and transfer your existing phone number to the new SIM. 

Telco customers do it all the time for perfectly legitimate reasons. Unfortunately, so do cybercriminals, and for all the wrong  reasons.  This article explains both sides of SIM swapping and how Infobip can help protect you, your business, and your customers from external threats.

There are plenty of reasons why you would SIM swap.  Say you’ve lost your phone or bought a new one – but your old SIM card doesn’t fit. Or maybe your SIM card got damaged, or you got a better deal with a new operator. When done for reasons like these, SIM swapping is entirely legitimate. 

Thanks to SIM swap and mobile number portability services, your phone number sticks with you for years, even decades. You don’t need to go through the hassle of alerting everyone that you’ve changed your phone number; you simply get a new SIM, port your number to another operator and carry on with your life.

A SIM swap scam, however, abuses the legitimate process of swapping SIMs and results in fraudsters stealing data, money and in many cases the end-user’s identity.

The time of phones serving only as a means of communication is long gone. Today, you use your phone to contact and store email addresses, bank accounts, social network accounts, cryptocurrency accounts – just about everything about you.

Important or private accounts on your phone likely offer you two-factor authentication (2FA), which relies on your phone number.  Although 2FA is meant to keep you safe, in practical terms, this means that a single, publicly available piece of information is used for your identification and verification.

SIM swap fraud happens when cyber criminals contact MNOs pretending to be a customer and trick them into activating a new SIM card with the customer’s phone number. Once this is done, the scammer has full access to the end-user’s phone and information. Every one-time-pin (OTP) and 2FA message that is sent to that specific number is received by the fraudster.

Scammers do this by taking advantage of SIM swapping. Through loopholes in a completely legitimate process, cybercriminals can get access to all your accounts. 

Social media has become a regular part of life. Sharing details about your life online to your friends and family seems harmless enough, but without taking precautions, your post, photos and interactions online can make you vulnerable to identity theft.

People are often concerned about high value information being leaked, such as account numbers, passwords and social security numbers. What they fail to realize is that often hackers need the simplest information about your life to be able to successfully hack your accounts or steal your identity.

In 2021, Facebook had a major data breach that resulted in half a billion Facebook accounts being affected. Hackers were able to access heaps of phone numbers and successfully match them to names, birth dates and genders.

Users who attached their phone number to their Facebook account were at risk of having their identity stolen through SIM swap. Anyone with a public profile and who enabled the “search by phone number” feature was an easy target.

Users are encouraged to change their profiles to private, adjust their privacy settings to reduce the number of people who can find you online and change their passwords to reduce the risk of SIM swapping.

Scammers mastered the art of deceiving people into giving up confidential information. The type of information these criminals are after can vary,  as can the methods they employ to gain said information. But it all boils down to gaining access to your passwords and personal data. Scammers will often follow your activity on social networks and get to know everything about you – including the street you lived on, the name of your first pet, and who your best childhood friend was. 

You may be asking yourself how someone can access your SIM card, and the answer is – quite easily. By doing their homework and collecting your info, they can simply call your mobile operator pretending to be you. They already know your full name, birthday (remember all those Facebook posts?), your pet’s name, your kids’ names, your address – just about anything they need to trick someone into thinking they’re you. If they’re not skilled at acting, they can bribe someone at the store to give them a copy of your SIM card. And just like that, you’re no longer the sole owner of your mobile phone number.

The final, ultimate step in this process is performing a fraudulent act. By receiving your OTP, or any other mobile-phone-related verification method, the fraudster can easily access your email and change your address.

By step three, it’s too late for you and your data.

Not too long ago, this was a concern reserved mostly for people with a lot of money in their accounts. This situation has changed.  

Fraudsters are diversifying their portfolio and mitigating risk by taking over the accounts of regular people, like you and me, even our kids.  Children are easy targets for identity thieves because they don’t use their own credit cards and likely wouldn’t notice any discrepancies until they reach adulthood.  

In under 30 minutes, fraudsters can swap your SIM card and take over your accounts, transfer your money to themselves and take away your life savings. And they won’t stop there – they’ll take your entire identity.

Users may notice some unusual activity on their phones. Most likely, phone calls and text messages won’t go through, and they will notice email notifications that their account passwords have been reset.

Friends and family may notice some odd posts or messages on social media that don’t match up to the typical behavior of the end-user that’s been hacked.

The worst part about SIM swapping is that you won’t know it’s happened to you before it’s too late.

There are two main ways users can protect themselves:

First, change your social media accounts to private to lower the risk of your information being leaked during a data breach.

Second, changing your passwords and PINs and making them more complex can help reduce the risk of hackers getting into your accounts. Don’t use any personal information in your passwords such as birthdays, anniversaries, or names. This goes for social media and mobile provider accounts as well as online banking accounts.

Infobip’s Mobile Identity SIM swap solution checks for any changes to your IMSI (International Mobile Subscriber Identity). Mobile Identity can confirm the mobile account activation date and stop SIM swapping.

This means that if the SIM card was recently activated, the telco provider will be immediately notified and able to take fast action. Using up-to-date insights, MNOs can quickly compare the data they’ve collected from their customers in the past and compare it with the data coming from the new SIM card, flagging fraudulent activity.

Mobile authentication keeps you and your customers, as well as their accounts, protected. To find out more, download our white paper, “Mobile Authentication: The Future of Mobile Security and User Engagement”.