
Social Engineering To Gain Access – SIM Swapping

SIM swapping (also known as ‘SIM splitting’) emerged several years ago but is on the increase as mobile phone numbers become more widely used as part of security checks. The scam sees attackers access victims’ texts, calls and other sensitive information, including security codes used as part of two-factor authentication (2FA).

To be successful, attackers first need personal information, gleaned through various forms of phishing, purchasing victims’ details from organised crime networks, or by conducting open source research. Social media sites can also contain sufficient information for attackers to masquerade as genuine customers.

Next, the attacker contacts the victim’s mobile phone provider, answers basic security questions and convinces the provider to transfer the phone number to a new SIM. The attacker (who has the new SIM) then has access, while the genuine account owner is blocked.

The attacker may then contact the victim’s bank, posing as the victim and claiming to have forgotten a PIN number or other details. The bank will usually send a text message containing a new activation code, allowing the attacker to take funds directly from the bank account.

Most victims will not discover they have been compromised until they are unable to make a call or send a text message.

SIM swapping is not new, but, with the increased use of smartphones for security checks for Internet banking and other financial transactions, incidents will likely be on the increase. UK banks are aware of SIM swapping and have taken steps to improve security after a number of cases in 2016.



Duncan

Duncan is a technology professional with over 20 years’ experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
