The number of SIM swapping incidents reported to the FBI has soared over the past three years, with over five times more cases reported in 2021 than during 2018, 2019 and 2020 combined.
A new alert from the FBI this week revealed that its Internet Crime Complaint Center (IC3) received 320 complaints related to SIM swapping during the period January 2018-December 2020. These had combined adjusted losses of around $12m.
However, last year the IC3 received 1611 SIM swapping complaints with adjusted losses of more than $68m.
SIM swapping usually involves a fraudster socially engineering a mobile carrier operative to switch the victim’s mobile number to a SIM card in their possession.
Alternatively, they send malware-laden phishing emails to innocent staff members, enabling the attackers to remotely access the carrier’s IT systems. A third approach is to pay off a malicious insider at the phone company to carry out the SIM swap.
“Once the SIM is swapped, the victim’s calls, texts, and other data are diverted to the criminal’s device. This access allows criminals to send ‘Forgot Password’ or ‘Account Recovery’ requests to the victim’s email and other online accounts associated with the victim’s mobile telephone number,” the FBI explained.
“Using SMS-based two-factor authentication, mobile application providers send a link or one-time passcode via text to the victim’s number, now owned by the criminal, to access accounts. The criminal uses the codes to login and reset passwords, gaining control of online accounts associated with the victim’s phone profile.”
This technique is often used to take over cryptocurrency accounts, as in the case of a Canadian teenager who was able to steal $36.5m from an unnamed victim in the US.
As a result, the Feds urged users not to overshare personal information online or advertise information on crypto and other financial assets on social media.
It advised individuals to use strong multi-factor authentication (MFA) that does not rely on SMS passcodes, such as biometric systems and standalone MFA apps.
It also encouraged carriers to bolster internal security with better staff training, improved phishing detection and enhanced customer authentication checks.