In recent years, a growing number of organisations have implemented stronger cyber-security measures, including multifactor authentication (MFA). This method requires a user to present two or more unique credentials, such as a password and an additional security code, to verify their identity and log into their company account. With MFA, cyber-criminals are restricted from infiltrating organisations’ IT infrastructures upon stealing users’ passwords, as they lack the extra credentials required for access.
Although this cyber-security tactic has proven useful for many organisations, some cyber-criminals have figured out a way to exploit MFA through users’ subscriber identity module (SIM) cards. These cards are an essential component of any mobile phone, as they unlock a host of information and services (eg the user’s contacts and texting and calling capabilities). By transferring their SIM card to another phone, a user can automatically shift their existing mobile profile to the new device.

Unfortunately, some cyber-criminals have begun tricking mobile carriers into transferring users’ profiles to SIM cards on their own devices, thus giving them unauthorised access to users’ mobile phone activities. Because the additional security codes required for MFA are often sent via text, cyber-criminals with fraudulent SIM cards can complete users’ extra account verification steps with ease and go on to infiltrate company networks, data and funds. As such, it’s important for organisations to understand these types of cyber-attacks, known as SIM-swapping attacks, and how to prevent and respond to them.
How SIM-Swapping Attacks Work
A SIM-swapping attack generally consists of the following steps:
- Gathering the user’s personal information – First, a cyber-criminal collects a variety of personal details about their target, such as their name, date of birth, contact information and employment history. The cyber-criminal likely gathers these details by reviewing the user’s online profiles or tricking them into sharing this information via deceptive messages, malicious links or other social engineering tactics.
- Manipulating the mobile carrier – After gathering their target’s personal details, the cyber-criminal leverages this information to persuade the user’s mobile carrier to conduct the SIM swap. This may occur in one of two ways: The cyber-criminal contacts the carrier while pretending to be the target and asks that the user’s phone number and mobile profile be transferred to a new SIM card, or the cyber-criminal utilises social engineering tactics to hack into the target’s mobile profile and connect the user’s phone number to a different SIM card by themself, bypassing the carrier altogether. From there, the cyber-criminal receives the user’s texts, calls and other mobile phone services on their own device.
- Exploiting MFA – Following the SIM swap, the cyber-criminal is able to intercept their target’s MFA-related requests. For example, the cyber-criminal may receive a text containing an additional security code, also called a one-time passcode, on their SIM-swapped device, which allows them to log into the user’s company account successfully.
- Compromising company information and assets – Upon exploiting MFA and logging into their target’s account, the cyber-criminal is able to compromise company data and resources in various ways. This may include causing network disruptions, damaging or exposing sensitive information, and stealing company funds or intellectual property. These actions could have lasting impacts on the affected user and organisation, resulting in large-scale losses.
- Reversing the swap – In some cases, the target and affected organisation can detect the SIM-swapping attack immediately or shortly after it occurs. However, if this isn’t the case, the cyber-criminal may contact the mobile carrier or resort to their own hacking methods to reverse the SIM swap. Depending on how quickly the cyber-criminal accomplishes this, they may be able to avoid alerting the user that the swap took place and allow the attack to go unnoticed for some time.
SIM-swapping attacks are usually carried out by external cyber-criminals, but they could also stem from insider threats, such as disgruntled employees or vendors. Sometimes, an insider threat may even collaborate with an external cyber-criminal in exchange for payment by giving them the information needed (eg the target’s personal details or the company’s MFA requirements) to move forward with a SIM-swapping attack.
Any employee could be vulnerable to a SIM-swapping attack, but cyber-criminals may be more likely to target certain types of individuals, namely executives. These individuals are common targets because they often have a strong online presence, making it easier for cyber-criminals to gather their personal information. Furthermore, executives typically have the greatest access to critical company assets and may frequently engage in high-value transactions, thus attracting cyber-criminals who are looking to cause widespread damage or steal substantial funds. Regardless of who the target is, it’s vital for organisations to ensure all employees are prepared to protect against SIM-swapping attacks.

Prevention and Response Methods
Organisations can implement several methods to help prevent and respond to SIM-swapping attacks. Here are some best practices for organisations to consider:
- Ensure sufficient account security measures. Cyber-criminals need users’ passwords before they can deploy SIM-swap attacks and exploit MFA. By requiring employees to create complex and unique passwords that are difficult to crack and change on a regular basis, organisations can stop cyber-criminals in their tracks. Additional account security measures that can help minimise SIM-swapping attacks include setting up account activity alerts, utilising strict access controls and leveraging a virtual private network.
- Leverage alternative MFA options. Because SIM-swapping attacks often rely on MFA-related requests being sent via text, organisations should explore other account verification options that cyber-criminals can’t access through a stolen mobile profile. Potential MFA alternatives include biometrics (ie face or fingerprint scanning), physical security tokens or standalone authentication applications.
- Protect personal details. Organisations should encourage employees to protect their personal details by keeping their social media accounts private and refraining from sharing this information over text or email, especially to unknown or suspicious recipients. This can make it harder for cyber-criminals to obtain the information needed to trick mobile carriers into conducting a SIM swap.
- Consult mobile carriers. As SIM-swapping attacks become more common, some mobile carriers have developed measures to help protect against them, such as requiring users to disclose a personal identification number or answer extra security questions before they can make profile changes or transfer mobile phone services to different devices. With this in mind, organisations should discuss these security offerings with their mobile carriers and follow any other guidance provided by their carriers to reduce the risk of SIM-swapping attacks.
- Educate employees. Organisations should train their employees on SIM-swapping attacks, detection and related incident reporting protocols. Key signs of these attacks that employees should be aware of include unanticipated mobile service outages, glitches and disruptions; suspicious account notifications; sudden account restrictions; and unauthorised network activities or transactions.
- Have a plan. Creating cyber-incident response plans can help organisations ensure necessary procedures are taken when cyber-attacks occur, thus keeping related damages to a minimum. These plans should be well-documented and practised regularly, and they should address a range of cyber-attack scenarios (including SIM-swapping incidents). Specific response measures for employers to consider when planning for SIM-swapping attacks include contacting the affected user’s mobile carrier, notifying financial institutions to temporarily freeze accounts and prevent the theft of company funds, and reporting the incident to relevant authorities.
- Secure ample insurance cover. Finally, employers should purchase adequate insurance to maintain much-needed financial protection against losses that may arise from SIM-swapping incidents. It’s best for organisations to consult insurance professionals to discuss their particular cover needs.
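The "leverage alternative MFA options" and "executives are common targets" points above can be turned into a routine audit of which second factors each account actually relies on. The following is an added example, not code from the original article: it flags accounts whose only second factor is delivered to the phone number (SMS or voice), and applies a stricter rule to executives. The role names, factor names and sample records are constructed for illustration.

```python
# Added example: audit MFA enrolments for SIM-swap exposure.
# A SIM swap redirects anything sent to the phone number, so an account whose
# only second factor is SMS/voice is exactly the case the article warns about.
# Roles, factor names and the SAMPLE records are constructed, not from a real system.
from dataclasses import dataclass, field

# Factors that live on a device or in a person rather than on the phone number.
SWAP_RESISTANT = {"authenticator_app", "hardware_token", "biometric"}
# Factors delivered to the phone number itself, and therefore received by whoever holds the SIM.
PHONE_NUMBER_BOUND = {"sms", "voice_call"}


@dataclass
class Account:
    user: str
    role: str                               # constructed roles: "executive" or "staff"
    factors: set = field(default_factory=set)


def audit(account: Account) -> list[str]:
    """Return findings for one account; an empty list means the MFA set-up is acceptable."""
    findings = []
    resistant = account.factors & SWAP_RESISTANT
    bound = account.factors & PHONE_NUMBER_BOUND
    if not account.factors:
        findings.append("no second factor enrolled")
    elif not resistant:
        findings.append("only phone-number-bound factors enrolled; a SIM swap defeats MFA")
    # Executives are the usual SIM-swap targets, so they should keep no SMS/voice fallback at all:
    # an attacker who controls the number can simply choose the weaker option at login.
    if account.role == "executive" and bound:
        findings.append("executive account keeps an SMS/voice fallback; remove it")
    return findings


def audit_all(accounts) -> dict[str, list[str]]:
    """Audit every account and map user name to its findings."""
    return {a.user: audit(a) for a in accounts}


SAMPLE = [  # constructed records
    Account("cfo", "executive", {"sms", "authenticator_app"}),
    Account("analyst", "staff", {"sms"}),
    Account("admin", "staff", {"hardware_token"}),
    Account("intern", "staff", set()),
]

if __name__ == "__main__":
    for user, findings in audit_all(SAMPLE).items():
        print(user, "OK" if not findings else "; ".join(findings))
```

The "admin" record passes, while the other three each produce one finding that an account-activity alert or onboarding check could act on.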
Conclusion
With SIM-swapping attacks a concerning trend, it’s crucial for organisations to fully comprehend these incidents and take proper steps to protect against them. In doing so, organisations can equip themselves with the knowledge and resources to mitigate related cyber-losses and successfully navigate today’s evolving digital threat landscape.
Contact Philip Gibbs Insurance Brokers today for more risk management guidance and insurance solutions.