A Subscriber Identity Module, more commonly known as a SIM card, is an integrated circuit that stores information used to authenticate subscribers on mobile devices, such as cell phones. The SIM card can be transferred between different devices, and often is when people upgrade to a newer cell phone. SIM Swapping is the name for the crime where someone convinces your phone carrier to transfer your SIM card to a phone controlled by the criminal.

Identity thieves with access to their victims’ SIM cards are increasingly able to intercept security codes sent by text message for online banking as part of dual factor authentication. This gives the identity thief the opportunity to empty their victims’ bank accounts and cause other financial havoc.

The best thing you can do to protect your SIM card from SIM swapping is to set up a PIN or password to be used for access to your mobile service provider account. This will help prevent a criminal from calling your carrier, posing as you, and convincing the carrier to swap your SIM card to the criminal’s phone merely by providing personal identifying information or answering a security question.

Now, however, clever scammers are avoiding even having to do a SIM swap by using social engineering to convince their victims to provide the security code sent when dual factor authentication is used. The scam starts with the scammer getting the password of the targeted victim, either by purchasing passwords stolen in data breaches and sold on the Dark Web or by using spear phishing emails or text messages to lure the victim into providing the password. The next step is a phone call from the scammer posing as security for your bank or another company with which you have an online account, telling you that there has been unusual activity on your account and that they are sending a security code to your phone for you to provide to confirm your identity. Of course, this is a total scam. The scammer has just used the stolen password to begin logging in to the account. At that point the dual factor authentication on the account sends a security code to the targeted victim’s phone, which the concerned victim provides to the scammer, thereby enabling the scammer to hack the account without even having to do a SIM swap.

TIPS

I have written in the past about how to avoid SIM swaps by setting up a passcode or PIN on your mobile service carrier account, so that a scammer cannot access the account merely by answering a security question. However, that will not protect you from this type of social engineering method of defeating dual factor authentication.

B.S.  Be skeptical.  Whenever you receive a phone call, text message or email, you can never be sure who is actually contacting you.  Even if your Caller ID indicates the call is from a trusted source, such as your bank, scammers can use a technique called “spoofing” to make their call or text appear to come from whatever number or source they wish.  Therefore, whenever you are asked for personal information, to make a payment or click on a link you should refrain from doing so until you have absolutely confirmed that the communication is legitimate.

In this particular scam, remember that security codes are only sent as part of dual factor authentication. If you get such a code sent to you, it is an indication that your password has been compromised and someone is trying to access your account. A call to your bank will confirm that it was a scammer and not the bank that called you.
