The Federal Bureau of Investigation (FBI) reported this week that its Internet Crime Complaint Center (IC3) received more than 1,900 complaints about SIM swapping between 2018 and 2021.
SIM swapping is a type of fraud scheme in which threat actors use phishing and social engineering to deceive customer service representatives at mobile carriers into moving a victim’s phone number to a SIM card held by the attacker.
The attackers may use an insider to carry out the SIM swap, or they may trick wireless carrier personnel into downloading malware that is subsequently used to infiltrate the company’s networks and perform the SIM swap.
Once the threat actors control the victim’s phone number, they receive all of the victim’s calls and texts, including two-factor authentication codes, which they can use to change the passwords for the victim’s email accounts and seize control of them.
This gives the attackers access to the victim’s online and bank accounts, allowing them to steal sensitive information, crypto assets, and funds from the victim’s bank account, among other things.
Over the last few years, the frequency of SIM swapping attacks has increased significantly, and law enforcement organisations have taken action against hackers who engage in such schemes.
The FBI has also seen a considerable spike in the number of complaints it receives. Between 2018 and 2020, the FBI received 320 such complaints, but in 2021, it received 1,611 SIM swapping-related complaints.
In 2021, adjusted losses from these attacks were $68 million, up from around $12 million in losses from January 2018 to December 2020.
Researchers from Princeton’s Department of Computer Science and Center for Information Technology Policy published a study in 2020 describing how major US mobile carriers’ inadequate security procedures make it easy for threat actors to carry out SIM swap attacks on prepaid accounts.
A few months later, a group of teenagers used SIM swapping to take over high-profile Twitter accounts. The attackers were able to change the passwords for 45 accounts in less than 24 hours.
Last year, one of the hackers involved in that attack was charged with using SIM swapping in a scam that resulted in the loss of $784,000 in cryptocurrencies.
The FBI issued an alert this week urging mobile carriers to educate their employees on SIM swapping, carefully inspect all incoming email containing official correspondence, implement strict security protocols requiring employees to check user credentials before switching phone numbers to new SIM cards, and authenticate calls requesting customer information.