NEW YORK (AP) — SIM-swapping is a growing form of identity theft that goes beyond hacking into an email or social media account. In this case, the thieves take over your phone number. Any calls or texts go to them, not to you.
Any protections consumers enabled to secure access to their financial accounts, such as two-factor authentication texts, now can aid attackers and lock out owners.
Experts say these scams will only increase and become more sophisticated, while the data show they are on the rise. The FBI Internet Crime Complaint Center reports that SIM-swapping complaints have increased more than 400% from 2018 to 2021, with associated personal losses estimated to be more than $68 million.
Advertisement 2
Story continues below
This advertisement has not loaded yet, but your article continues below.
THIS CONTENT IS RESERVED FOR SUBSCRIBERS ONLY
Subscribe now to read the latest news in your city and across Canada.
Exclusive articles from Barbara Shecter, Joe O’Connor, Gabriel Friedman, Victoria Wells and others.
Daily content from Financial Times, the world’s leading global business publication.
Unlimited online access to read articles from Financial Post, National Post and 15 news sites across Canada with one account.
National Post ePaper, an electronic replica of the print edition to view on any device, share and comment on.
Daily puzzles, including the New York Times Crossword.
SUBSCRIBE TO UNLOCK MORE ARTICLES
Subscribe now to read the latest news in your city and across Canada.
Exclusive articles from Barbara Shecter, Joe O’Connor, Gabriel Friedman, Victoria Wells and others.
Daily content from Financial Times, the world’s leading global business publication.
Unlimited online access to read articles from Financial Post, National Post and 15 news sites across Canada with one account.
National Post ePaper, an electronic replica of the print edition to view on any device, share and comment on.
Daily puzzles, including the New York Times Crossword.
Create an account or sign in to continue with your reading experience.
Access articles from across Canada with one account.
Share your thoughts and join the conversation in the comments.
Enjoy additional articles per month.
Get email updates from your favourite authors.
Sign In or Create an Account
or
Article content
Rachel Tobac, CEO of online security company SocialProof Security, says the numbers are probably a vast underestimate because most identity thefts are not reported.
How does the scheme work?
Criminals use personal information about their victims — phone numbers, addresses, birthdays and Social Security numbers — obtained through data breaches, leaks, dark web purchases or phishing scams to impersonate the victims as they contact their mobile carriers.
They will claim the original phone and SIM card were damaged, lost or sold accidentally and ask for the number to be associated with a new SIM, or eSIM, card in their possession. Once this is done, the phone number belongs to the criminals, along with the ability to receive text messages or calls to verify accounts.
Prevention is the best form of protection, according to cybersecurity experts. The tricks and habits security experts say help prevent SIM-swapping are what they have long been recommending for online security in general. They include the following:
Better password habits
If your credentials are caught in a cyber breach, the hackers could try using the stolen passwords to get into other services to gather the personal data they need to pull off a SIM swap.
Get the latest headlines, breaking news and columns.
By signing up you consent to receive the above newsletter from Postmedia Network Inc.
Thanks for signing up!
A welcome email is on its way. If you don’t see it, please check your junk folder.
The next issue of Top Stories will soon be in your inbox.
We encountered an issue signing you up. Please try again
Article content
Advertisement 3
Story continues below
This advertisement has not loaded yet, but your article continues below.
Article content
If you’ve been using the same or similar login information for multiple websites or online accounts, make sure to change it. If criminals pilfer your password from one service, they can try it on your other accounts and easily get into all of them. If you find it too hard to memorize your various credentials, consider a password manager.
Also use strong passwords that include letters, numbers and symbols. The longer they are, the better. Some experts say they should be 16 characters.
Multifactor authentication without texts
Add biometrics or multifactor authentication apps and devices that do not involve texting. These methods often use separate login methods and encryption that are not tied to your phone’s identity, making them more difficult for criminals to access.
AT&T also advises contacting your carrier to set up a unique passcode to prevent significant account changes such as porting phone numbers to another carrier. Your carrier may already have other protections in place to protect against SIM swapping, so it’s worth calling them to ask.
Watch out for phishing schemes (especially at work)
This advertisement has not loaded yet, but your article continues below.
Article content
Criminals will use email or text messages to try to trick you into giving them your personal and financial information or to expose your workplace to possible attacks, and it’s incredibly effective.
In its annual State of the Phish report, the cybersecurity firm Proofpoint found a majority of data breaches across the world still center on human lapses.
If you suspect you have received a possible phishing message or email, report it. Most of the popular email platforms have buttons or functions specifically for reporting phishing attempts. If you’re at work, follow the advice from your company’s information security team.
Steps to take if you’re a victim
All major U.S. carriers have web pages advising victims how to report a SIM fraud.
But an Associated Press reporter, who recently was hit by such an attack, advises that victims should be diligent in working with the carrier to fix the issue. Filing complaints with the Federal Trade Commission, the Internet Crime Complaint Center or with their state attorneys general can possibly expedite recovery efforts.
If card payment numbers were stolen, inform your bank or credit card company, explaining that your card is at risk of fraud and asking the company to alert you to any suspicious activity.
You can also notify credit agencies, including the three main firms: Equifax, Experian and TransUnion. They can freeze your credit, which restricts access to your credit report and makes it hard to open new accounts or issue a fraud alert and will add a warning to your credit report encouraging lenders to contact you before lending money.
Comments