Imagine picking up your phone to send a text message or check Twitter, only to discover that all of your phone’s services are inoperable. Confused, you open your laptop to check your emails for overdue phone bills—but your email password doesn’t work, either.
This scenario has played out for many victims of SIM jacking. Also known as SIM swap fraud, it’s one of the latest strategies used by hackers to extort a person’s digital profile through their mobile phone. Many people are aware of data breaches, but don’t understand how easily hackers can take control of a person’s SIM card and what the consequences look like.
Thankfully, there are a number of strategies organizations and individuals can use to prevent this kind of attack. But first: what exactly is SIM jacking?
The Latest Technique for Sabotaging Your Digital Life
SIM jacking is the act of hijacking an individual’s phone account and moving their services to a hacker’s SIM card. Once moved, the hacker takes over the account holder’s phone services and online accounts, such as their email, social media, and bank accounts. Hackers usually extort victims into handing over cryptocurrency to regain account access.
It might seem difficult for hackers to move an individual’s services like that—after all, phone companies require users to answer security questions before making account changes, right?
It’s actually quite easy for an experienced hacker to gain account access using social engineering tactics or by digging for personal information. Social engineering is the act of manipulating an individual to perform certain actions, such as granting account permissions.It’s actually easier to take advantage of a victim’s trust or emotional vulnerabilities than to hack a computer system directly, in most cases.
- The hacker discovers a target’s cell phone number and calls its service provider. Then they bribe the agent with Paypal funds or cryptocurrency to move the account to the hacker’s SIM card.
- The hacker digs for an individual’s personal information, which can easily be found on paste sites, doxxing sites, the dark web, social media, or by phishing. These sources can provide hackers with an individual’s phone number, date of birth, account numbers, and security question answers.
SIM swapping is a common request made by legitimate customers if they lose their phone or switch providers—so as long as an agent receives valid security credentials, hackers are hard to detect.
VIPs and High-Profile Accounts Most At Risk
While anyone can fall victim to SIM jacking, attacks are usually targeted at high-profile individuals: company executives, celebrities, people with valuable social media accounts, or any individual with known access to a lot of money or information. Sometimes people are targeted as a means of harassment, but more often than not, SIM jackers are looking to obtain money or information out of the attack.
High-profile individuals are often implicated in doxxing attacks. Doxxing is a means of targeted harassment in which hackers publicly breach an individual’s personal information, including names, addresses, employment, and contact information for the victim and their family members. Doxxing is a common data breach tactic that further enables SIM jackers.
SIM Jacking Has Tragic Consequences
It might seem like an exaggeration to say SIM jacking can ruin your life—but this isn’t necessarily far off. With access to an individual’s accounts and personal information, SIM swappers can commit identity theft, drain bank accounts, and use hacked social media and email accounts to destroy an individual’s or organization’s reputation.
Even if victims pay a ransom, there are no guarantees that hackers won’t still take advantage of hacked accounts. To add insult to injury, it’s unlikely that victims will get the support they need from service providers once they have lost control of their own accounts.
There are also negative consequences for phone companies, who are often blamed more than SIM jackers themselves for having inadequate authentication and account security measures.
You’ve Been SIM-Swapped—Now What?
SIM jacking victims should attempt to regain account control as soon as possible. This means contacting their phone carrier and other online account providers if attempted logins fail. Victims should prioritize securing their email account, as hackers will use it to change passwords on other linked accounts.
The best way to deal with SIM jacking is prevention. There are a number of strategies that help individuals avoid attacks:
- Request phone service providers to add an additional validation PIN to your account.
- Use strong, non-repeating passwords and multi factor authentication tools, such as Google Authenticator, across user accounts.
- Refrain from publishing personal information on social media. Something as harmless as exposing your pet’s name could be all an attacker needs to answer a security question.
Organizations also benefit from investing in threat discovery tools like Beacon. This allows security teams to actively monitor the presence of personal information, such as an executive’s phone number, across deep and dark websites—hotspots for data breaches. If an individual’s personal information appears on the dark web or unindexed sites like Pastebin, they are at high risk for a SIM swap attack.
Finding this information efficiently is crucial for securing at-risk accounts and locating bad actors before an attack occurs. Beacon simplifies this process by allowing users to build deep and dark web searches based on phone number:
Users can pivot their search based on phone numbers discovered within search results:
Organizations, phone companies and law enforcement also benefit from this tool. For example, they can find hackers discussing or selling SIM swapping services and techniques on the dark web. This information continuously informs new security processes and protects customers against future SIM jacking attacks.
SIM Jacking how-to guide discovered using Beacon
Knowledge Is the Best Defense
Phone companies and other service providers are getting smarter with verification methods to prevent SIM jacking. However, multi-factor authentication isn’t always enough to prevent attacks, and hackers constantly adapt their methods to overcome even the most “current” security protocols.
Good password and security hygiene does give high-risk individuals an advantage—but discovering vulnerable information before it’s exploited and staying informed about the latest SIM jacking techniques are the best preventative measures. Deep and dark web discovery tools are critical for exposing this information to vulnerable VIPs, organizations, and phone companies.