What is a SIM Swap? The SIM card in your phone contains all the information about your mobile account including your phone number. A SIM swap is transferring your mobile account info to a new SIM card that can be used in a different phone.
How is this being used to commit crime? SIM swaps are the latest cyber security threat. Cyber criminals get the phone company to transfer your mobile account to a SIM card they own. They can now receive calls and texts sent to your number. Then they log into an online account that uses two-factor authentication by text message, and the code goes to their phone instead of yours. Or they do a password reset that uses a text message to verify your identity. At that point they have access to your sensitive accounts. (They are also using this to steal cryptocurrencies. For example, cryptocurrency investor Michael Terpin had $24 Million worth of cryptocurrency stolen after crooks did a SIM swap on his mobile phone account in early 2018.)
How are they getting the phone company to do the SIM swap? Criminals use social engineering and phishing to gain information about you. Then they use that information to convince the phone company it is you and get the phone company to move your account to a SIM card in a phone that they own. Sometimes criminals are bribing or blackmailing phone company employees.
What can you do? Unfortunately, you cannot 100% prevent a SIM swap, since criminals can always bribe or blackmail a phone company employee to make the swap. However, there are steps you can take to protect yourself:
- Use state-of-the-art anti-phishing technology. This reduces the opportunities for the criminal to gain valuable personal information from you. As a Managed Services Company GizmoFish is responsible for protecting our clients against all kinds of cyber security threats. For email protection we deploy Mimecast to our customers. In our opinion Mimecast has the best security against a wide variety of email threats. Microsoft offers an Office 365 add-on service called “Advanced Threat Protection” that is comparable to Mimecast. These email security packages go beyond just spam and virus filtering. They use a variety of advanced techniques to detect fraudulent emails.
- Invest in user education. End user education is one of the most overlooked aspects of Cyber Security. Employees all know they should “be careful” but they may not realize all the ways that cyber criminals try to trick them. At GizmoFish we like a service called KnowBe4 which allows you to send fake phishing emails to your company and measure the response. You can see what percentage of employees actually fall for it. The goal is not to chastise or embarrass the employee, but to remind them to be alert. In our experience the percentage of employees clicking on or responding to bogus emails goes down steadily once you start using KnowBe4 to send fake phishing campaigns. KnowBe4 also includes many informative security training videos that alert your employees to some of the common scams and cyber-attacks they should be on the lookout for.
- Put a PIN on your mobile account: If you put a PIN on your mobile account, the phone company Customer Service Representative won’t do the SIM swap if the caller doesn’t know the PIN. Unless the criminals have bribed or blackmailed someone inside the company, they will be unable to do the SIM swap on your account without this PIN.
- Use an authenticator app instead of text message for 2-factor authentication: Microsoft Authenticator, Duo Mobile, Authy, and Google Authenticator are some of the most popular authenticator apps and they are free. The authenticator app does NOT get transferred when a SIM swap is done so the cyber criminals cannot get into your accounts using that.
- Use answers to security recovery questions that are not tied to your personal information: In addition to phishing and other scams, criminals can also get personal information from social media. If an online account is protected by having to answer security recovery questions, make sure the answers are not easily gleaned from easily obtainable personal information.
Cyber criminals are always coming up with new tactics and no one is 100% safe all the time. Even the CEO of Twitter, Jack Dorsey, got his Twitter account hacked by someone doing a SIM swap! But you can take steps to reduce the chances this will happen to you or, should it happen, the chances that the criminals can do any real damage.
GizmoFish is a Boston area Managed IT Services Company that serves small to mid-size companies. We take care of all of your IT needs so you can focus on your business. We pride ourselves on providing State-of-the-art Cyber Security protection so that our clients are fully protected against the latest Cyber Security threats. If you would like to ensure your company is protected call us at 857-254-1704 or provide your contact information below and we’ll contact you.