SIM swapping is the latest in a trend of attacks in which criminals are able to break into your online accounts despite Multi-Factor Authentication (MFA) protections. How do they do this? It sounds complicated, but it’s actually very simple. If you’ve ever bought a new mobile phone and called your cell carrier to upgrade from the old phone to the new phone, you did a “SIM Swap”. In this type of attack, however, the cybercriminal pretends to be you and convinces your mobile carrier to transfer your phone number to their new phone.
So, while SIM swapping sounds like a physical activity (e.g., changing the SIM card in your mobile device), it’s the simple process of moving your phone number to a criminal’s phone so that they can intercept SMS text codes used for MFA. Yup, it’s simple and insidious!
SIM swapping attempts usually occur after what we call a ‘Credential Harvest’, in which a criminal already has some of your data but is still held back by the multi-factor authentication you have enabled, which sends a text message to your phone.
Fortunately, unlike some areas of cybersecurity, there is a genuine ‘easy fix’ for this. Just call your mobile network carrier and tell them that you don’t authorise a SIM swap unless it’s performed in person with physical ID. The carrier will flag this on your account, stopping criminals in their tracks.