Telus flanker brand Public Mobile posted a detailed explanation of a fraud tactic known as SIM swapping, SIM hijacking or SIM jacking. Along with explaining what the fraud is and how to spot it, Public detailed steps customers should take if targeted by SIM swapping.
The explainer comes as Public “noticed some cases of SIM swap fraud.” Along with the community post, Public linked to a help article with the same information.
For those unfamiliar with SIM swapping, it’s a type of fraud that’s, unfortunately, growing more common in Canada. It involves attackers swapping the SIM card attached to your account for one that they control. The attacker then gains access to any communications sent to your phone number.
What’s particularly dangerous about the tactic is that many online services use phone numbers as a secondary authentication system. For example, online services will text customers a one-time code to authenticate log-ins, changes to passwords or account details and more. Attackers can use SIM swapping to intercept these messages and verify themselves to access the victim’s personal banking, e-commerce, email and social media accounts.
How to spot SIM swap fraud
Public notes that a common way to spot SIM swap fraud is if your phone suddenly and inexplicably loses service. The carrier explains that its customers can check for SIM swap fraud by logging into their Self Serve account, clicking ‘Change SIM card’ and making sure the SIM card number listed there matches the one in their phone. If it doesn’t, someone may have swapped your SIM card.
You can check your SIM card number by removing the SIM from your phone. Most SIMs have the number printed on the card.
Perhaps the worst part of SIM swap fraud is that, for many people, their cellphone is the only phone they have. That can make it particularly difficult to resolve the fraud since they cannot call their carrier and report it.
In some cases, SIM swap attackers can time the fraud to leave victims helpless for hours. Last year, my wife was a victim of SIM swapping — she received a text message from her carrier late at night informing her a number port was initiated on her account. The text included a number to call if she hadn’t initiated the port. Her service cut out moments later, preventing her from making the call with her phone. Worse, when she was able to place a call from a friend’s device, the office was closed and unable to prevent the port. Although we ultimately recovered her phone number, the attacker had access to it all night and attempted to break into several accounts.
What to do if you suspect SIM swap fraud
Public Mobile shared steps that its customers can take if they think fraudsters swapped their SIM. First, Public suggests customers change their Self Serve account password and security questions to lock fraudsters out of their account. Public also recommends using Self Serve to go to ‘Plans and Add-Ons,’ select the ‘lost/stolen phone’ option and use the ‘suspend service’ tool to cut off cell service.
Additionally, Public Mobile says customers should use its online tool to submit a ticket to restore service to the original SIM card.
Finally, you should check any online account associated with your phone number, especially critical services like online banking or email, for suspicious activity. Change your passwords immediately and report any fraudulent activity to those services.
Victims should also consider reporting the fraud to the Canadian Anti-Fraud Centre (through its website or by dialing 1-888-495-8501). It may also be worthwhile to report the fraud to your local police department and contact the national credit bureaus, Equifax Canada and TransUnion Canada, to place a fraud warning on your file.
Protecting yourself against SIM swap fraud
Public recommended some ways customers can protect themselves against SIM swap fraud as well.
First up, protect personal information by limiting what you share online. It’s also important to avoid clicking on phishing emails, texts or other suspicious communications, especially if they ask for personal information. That information can help fraudsters gain access to online accounts.
It’s also helpful to limit where you share your phone number. If possible, avoid giving it to online accounts. If you want to use two-factor authentication (2FA), use an authentication app instead of a phone number.
Finally, use strong and unique passwords for each online account. Using the same password, or slight variations of a password, across multiple accounts can make them all vulnerable if a fraudster gains access to one account. An easy way to keep every password strong and unique is with a password management app. Bitwarden, Dashlane and 1Password are all reliable password managers.
Carriers, regulators need to do more
Unfortunately, there’s only so much that people can do to protect themselves. The above steps can help, but ultimately both carriers and regulators need to step up efforts to protect Canadians — right now, they’re not doing enough.
Last year, both the Canadian Radio-television and Telecommunications Commission (CRTC) and a group of telecom companies refused to release data about SIM card fraud in Canada or explain steps they’re taking to prevent it.
The few protections carriers do offer are not adequate to keep Canadians safe. Having a phone number to call and report SIM swapping fraud is excellent, but it doesn’t help if fraud occurs when the call centre is closed. Several carriers offer account-side protections, such as port authentication that requires the account holder to verify number ports before they take place. However, in most cases, carriers don’t offer that protection to customers unless they’ve already been a SIM swapping victim.
Hopefully, more carriers follow Public’s lead and publicize information about what SIM swapping is, how to spot it and what to do if it happens. Further, carriers should do more to protect customers beyond providing resources on what to do if they’re targeted by SIM swapping fraud.