SIM swapping is one of several names for a type of scam or fraud that involves an attacker moving a victim’s cellular phone number to a SIM card they control.
Also called port-out scams, SIM swap scams or simjacking, these scams typically target online accounts that use two-factor authentication (2FA) methods that rely on phone numbers. Targets can be wide-ranging, including everything from online banking to social media accounts with coveted handles. Effectively, any online account that uses phone-based 2FA to authenticate users could be vulnerable.
SIM swapping happens frequently — in the last few years, there have been several examples of SIM swapping in Canada. Plus, SIM swap attacks against high-profile targets, like Twitter CEO Jack Dorsey, have elevated the issue.
The most common way you’ll spot a SIM swap scam is if your phone suddenly loses service. Of course, there are other reasons why your phone might lose service, so one way to double-check is by logging into your carrier account and checking if the listed SIM card number matches the one on the card in your smartphone.
If the numbers are different, someone likely swapped your SIM. Alternatively, if you have access to another phone, you can pop your SIM into it to check if it’s an issue with your phone. Some carriers may text users a warning before a number port takes place, but those can be unreliable (more on that later).
How SIM swapping works
At a basic level, SIM swaps start with an attacker initiating a number port. There are several ways to accomplish this, but typically, it requires the attacker to have enough basic information about the target to bypass carrier protections. If an attacker can successfully port a victim’s phone number to a SIM card they control, they can intercept incoming messages and calls.
Although that alone may be scary enough, what an attacker can do with that information is much more frightening. An attacker with a hijacked phone number may be able to log into any online account that uses the victim’s phone number as a method of authentication. You know those texts you get with a short code that you need to type in after logging into a website? Those now go to the attacker’s phone with your number.
If the attacker can gain access to a victim’s online accounts, that’s where they can do real damage. Getting into someone’s email account greatly expands access to other online accounts connected to that email. Similarly, many online banking websites rely on phone-based 2FA to authenticate users.
Moreover, SIM swapping is particularly difficult for people who only have one phone. I write from experience in this regard — last year, my wife was a victim of SIM swapping. At the time, she didn’t have access to another phone, so when her smartphone lost service, there was nothing she could do to stop the swap from happening.
To make matters worse, the SIM swap happened at around 11pm — by the time she was able to get another phone to call the carrier and stop the port, the call centre was closed. Thankfully the attacker wasn’t able to access any important accounts, and the following day she was able to have her carrier recover the number and re-activate her SIM card.
If you suspect your SIM has been swapped, you should start by calling your carrier. They should be able to prevent the port entirely, or reverse it if it already happened. You should also monitor your accounts for any signs of unauthorized access or other suspicious activity. Consider updating passwords for important services as well. Victims should also consider reporting the incident to the Canadian Anti-Fraud Centre.
How to protect yourself from SIM swapping
Unfortunately, there are fairly limited options when it comes to protecting yourself from SIM swapping attacks. Since most of these attacks start at the carrier, it’s up to them to protect customers. According to a report in 2020, Canadian carriers were not doing enough to protect customers. Worse, several carriers and the CRTC refused to share information on measures taken to prevent SIM swapping, claiming that revealing the information could help attackers.
That said, most carriers do offer some type of port protection. However, you’ll need to contact your carrier and request it for your account. Having a PIN for authenticating account changes with your carrier helps as well. If possible, avoid sharing personal data online, since attackers can use that information to convince carriers that they are the target, bypassing security and initiating a port.
Some carriers are more proactive about SIM swapping. Telus flanker brand Public Mobile, for example, published a help article about SIM swapping. And, as mentioned above, some carriers warn customers of number ports via text message, but these can be unreliable at best and completely unhelpful at worst. My wife received one of these warning messages moments before losing service. It had a phone number for her to call to stop the port, but — as mentioned above — she couldn’t call anyone without service thanks to the port.
Carriers aside, another great way to protect yourself is to avoid using phone-based 2FA. Emphasis on the phone-based, since other 2FA methods that use, for example, an app on your smartphone, don’t suffer from the same flaw as the ones that send you a text. You should check your online accounts — obviously, checking all of them may not be feasible, so prioritize your most important accounts like email and banking — and make sure they use app-based 2FA. If you need to, download a 2FA app (Google Authenticator, Microsoft Authenticator and Authy are just a few options).
Another way to protect yourself, although less to do with SIM swapping, is using a password manager. SIM swapping helps attackers bypass 2FA, but they still need your password, since the two work together. Using a password manager helps protect your accounts because it makes it much, much easier to use a unique, long and secure password for each account. Not only does that make it harder for someone to break into an account, it also prevents one compromised password from granting access to all your accounts.