Let's assume you have never been a victim of a sim-swap attack; then, you must wonder what this is all about. If your sim has been swapped before, then you understand the feelings.
But irrespective of your group, does it bother you that we are still talking about a sim-swap attack? Humans have sent people to the moon and mars, we have cracked a technology that can send gigabytes of data in a few seconds, and a whole virtual world is making waves right now. Today, your phone number is more important than your social security number. An attack as simple as SIM swapping may result in severe losses.
But we are still battling with sim swapping? It's ridiculous, but this is our reality, like a few other things you might not appreciate right now. But, the critical question is, what will you do when it happens? Because if you are reading this, you are a potential victim.
If you have heard the terms sim-swapping, sim porting, port out fraud, phone porting, or sim hijacking; don't be alarmed; they all mean the same thing.
In this not-so-short piece, I will discuss the fuss about a sim swap attack, how it works, what to do if your sim is swapped, how to prevent it, and a few other things about the topic.
But, first thing first, what is a sim-swap?
A sim-swap attack is a trick hackers use to threaten their victim's life. It happens that they call your cell phone company, pretend to be you, and convince the customer care rep that they are you. They will probably tell how they lost their sim and would like the old sim details to be transferred to a new sim. If they convince you, the mobile carrier agent will innocently share the details of your sim card to the hacker's new number.
That can mean many things – none of which is good for your health – but the hackers will now have access to all accounts associated with your number. But that's not all; you will be logged out. You are the rightful owner, but you will no longer have access because ownership has been transferred.
They will see all your saved passwords, bookmarks, and payment methods stored in Chrome. Sim-swapping also means hackers can have unrestricted access to your images through Google Photos, steal paper wallet backup stored in Google Drive, access your private email messages, see all apps you have ever installed, and so much more than you can remember right now.
It might not entirely be your fault, but you will suffer the most. Needless to say that you should pay attention to all I will discuss in this piece.
Sadly, many are still victims of sim-swap worldwide today. Eight in ten attacks on mobile numbers are still thriving. As long as mobile phone carrier representatives are not equipped to make social engineering difficult, if not impossible, the number will remain high.
An attacker only has to call your mobile phone carrier and pretend to be you or authorized personnel; within minutes, all your number details are transferred to their number.
Unfortunately, your PIN or any other protection you have enabled might not help. When you understand the situation better, you will pity these support agents or mobile phone carriers who innocently make this mobile number porting.
Most of their calls are from legitimate users calling to have their mobile number details transferred to a new number. Now, if you don't have extra training on this attack, how do you determine that someone at the other end isn't authorized?
You may ask how attackers know about the support agents' security questions. Truthfully, there are a few ways they go about that. First, they can swerve the internet for behaviours and patterns. And with their training, sometimes, to gain access to your account, all they need is a pattern.
Aside from that, hackers also get users' information from the dark web. With that data, they are well equipped to carry out their malicious activity with this information.
Understanding that you are at risk, how do you know if you have been sim-swapped?
Several things can happen when you are about to or have successfully been sim-swapped. Because they are numerous, the activity you will notice will depend on the hacker's difficulty in swapping your sim.
Here is a list of activities to look out for.
Don't hesitate to inform your mobile phone carrier immediately when you or someone near you experience any of those. Now, how do you reduce the chances of being sim-swapped? Let's find out.
There is sadly no guaranteed method for SIM swap prevention. However, that does not mean you can't make things difficult for those hackers.
To achieve this, you would want to do two things. The first is to reduce the chances of having your sim swapped. And secondly, reduce the damage as much as possible if your sim is swapped.
The steps you would take to prevent this aren't easy but think about all that can go wrong if your sim is swapped. Your personal information, bank details, crypto, other investment assets, and your loved ones' assets can all be lost to hackers within minutes. And I haven't even discussed the emotional and mental turmoil that can arise from the incident.
To reduce the chance of having your sim swapped, the first step is to apply for in-person presence with your mobile phone carrier before your sim can be swapped. The unfortunate thing is that not many mobile phone carriers allow this.
And even if your mobile phone carrier allows it, the support agent that receives customers' calls and complaints doesn't know about it. So, even if you visit the phone carrier's nearest location, you must exercise patience.
Next, you would have to separate concerns to reduce the damage as much as possible when your sim is swapped. This essentially means that you have to manually secure each of your accounts.
It starts with creating a new Google Voice number. You can use this number when you must put a number online when making an account.
Once you do this, I can begin discussing securing your accounts. At this point, it is essential to say that you should forget about the security you might think you have in place earlier. The downside here is that it will take some time.
This article by CipherBlade and MyCrypto explains what accounts you have to secure and how to go about it. The table below shows the accounts you might have to secure manually and how long it is estimated to take.
You must go over the process once if you have multiple Google or Apple accounts. While that can make things difficult for hackers, there is no proof that they won't get in and cause havoc.
That was the situation I was in years ago before starting Efani. One morning, I woke up and discovered that I had lost access to my mobile number. Worse is, it happened again and again. And that was what brought about Efani.
It is an effective solution that replaces your existing mobile monthly plan while prioritizing security. Some people have asked what Efani's competitive advantage is. Here is it: today, a typical mobile operator is automated to handle their enormous requests for SIM cards daily. At Efani, we understand that is a hacker's goldmine, so we take a different approach.
Efani separates your details from your mobile number. That makes it extremely difficult to access our users' data without authorization. Essentially, Efani blocks all swaps by default.
We do this by putting three safety procedures in place. These are;
1. A 11-layer propriety secured client layer authentication
2. A 14-day cool-off period is mandatory before SIM swapping
3. Multiple staff members must approve any significant change and undergo a rigorous manual process.
When you discover your sim has been swapped, the first thing to do is not panic. It is not uncommon for many people to start taking irrational or counter-productive actions and further damage their chance of retrieving their number or reducing the damage the hacker can cause.
So, when you are sim-swapped, panicking isn't the solution. Don't do it. But what should you do?
The first logical step after you've been sim-swapped is to call your phone provider. It is true that at this point, your phone will no longer be able to make calls, so you can get someone to lend you theirs.
Alternatively, you can call a landline through other means requiring a sim card. Some such are Google Voice/ Hangouts, Skype, Viber, Line, or FreedomPop. Whatever option you decide, do it fast and get in touch with your mobile number carrier.
When the call connects, the first thing to do is explain your situation to them. Be clear and concise about the situation and what you want. Asking for a solution can be in the form of requesting that the phone number be blocked or switched off remotely.
Once that is done, you can request that the phone number be moved back to your sim or device. However, you must know that the support agent will require your government-issued ID to verify that you are the sim card's original owner.
It is important to note that this case might require law enforcement officers, so please take note of the support agent's name and the time you had a conversation with them to block your sim card. So the attacker won't be able to use it to cause further damage to you and others while pretending to be you.
So, ask for the case ID or support ticket number so you can keep it for future conversations with another agent or law enforcement officials. If they are reluctant to provide that, let them know it is only for reference and it would help you properly table your case with law enforcement in the future.
While on the call or in the store with your mobile service provider support agent, request that they retain all your logs. This will include the International Mobile Equipment Identity (IMEI) number, call time, employees involved in your request, and any other related information. While they may decline to give you access to this information, they should have it in case law enforcement officials need it.
Once you have that settled with your mobile phone carrier, you would want to lock down all your accounts, but before then, here are some things you must do while talking to employees and every other person you would have to talk to during retrieving or blocking your number as the case may be.
Once you have informed your mobile number carrier of the situation, securing your accounts is next. Access your email accounts, bank, investment, crypto, and other necessary accounts with critical information.
Assess the damage and gather information which may be necessary for law enforcement and investigators. Next, note every change you didn't authorize and screenshot excessively.
It would also be advisable to prioritize a list of accounts to secure. This will most likely include accounts you have received notification that the hacker has tried to access, important accounts that can cause further financial loss and accounts you saved personal information.
You should also secure all exchanges and services that hold money. This can include cryptocurrency exchange services, banks, and investment portfolios. You can withdraw the money in any of those services to accounts you are sure won't be compromised.
If you aren't sure of an account safe from compromise, you can let those service providers know your situation by email and have them lock your accounts. This will mean all withdrawals, trades, deposits, buys, sells, transfers and logins will be on hold until further notice. To get them to do this, you might need to provide a government=approved means of identification.
Next, access other essential apps on your phone like Telegram and Coinbase. Check for active sessions in Settings>> Privacy and Security>> Active Sessions. Screenshot the page. If you see suspicious activities, terminate all other sessions. You should also enable two-step verification through an email that isn't compromised.
Call your mobile number carrier again to see if they have updated information for you. This is when you also ask how you can reference your case before a law enforcement agency and see if they have any advice for you.
They may provide information on how the sim-swapped occurred and any other detail that may help your cause. Don't also forget to ensure this doesn't happen again in the future. Chances are they have new levels of security you might not know about.
Now is the time to report the case to the appropriate law enforcement agency. Depending on the country you are in, this might differ. But in the US, you will have to report through the IC3.
Take note that emotions won't help you here. You simply have t state all you know about the attack and provide all documents and screenshots that can help the agency. This can also include accounts the hacker has accessed, when they accessed it, any asset loss you have incurred if the hacker has made any contact with you, and any other information you think is essential.
Remember, your role here is to state facts and describe all you know. Nothing more!
You will feel embarrassed, ashamed, and probably angry, but the right thing is to let your professional and personal network know about the situation. This will help you stay vigilant and know that hackers or sim-swappers can access your accounts.
Often time, a simple message is all you need. And hopefully, your network will understand you are not happy about the situation and be reasonable not to blame you for the occurrence.
Now is the time to audit your bills and ensure all of them. Examine how much damage has been done and make an effort to secure them properly.
It is possible that the hacker contacts you or someone else, claiming to have sensitive information about you. While they may be tempting, don't ever engage with them. You will only be extorted if you do, and you may eventually be convicted of working with hackers.
So, what should you do? Document their messages and calls but never engage with hackers.
After you have shared with your network that you are a victim of sim-swapping, you might start getting messages from people asking for specific information with claims of trying to help you get your number back.
We advise you to be careful of such "help." Never trust people who aren't law enforcement officials with sensitive information. You should know that any information you share with someone who isn't an attorney or law enforcement can spread rapidly and beyond your control.
When sim-swaps happen, it is often a situation where more than one person is at fault. However, chances are you have your liabilities too. So, you must own these faults and plan not to repeat them in the future.
You should also share your experience with others but, more importantly, how you resolved the situation – without sharing sensitive information. That is precisely what I did. Only that I went a step further with Efani to provide a lasting solution to sim-swapping, and we are just getting started.
Sadly, sim-swapping is still prevalent in the world today. And as long as phone numbers carry so much power, hackers will continue to look for ways to exploit the technology.
However, with constant education and advancement in security, we can curb the menace and lead a world where hackers have no place to operate.