SIM swapping: How it works and how to protect yourself

A 'hacker' calls the victim's telecom provider and convinces the employee to transfer the victim's mobile number to a blank SIM card the hacker has in their possession.

They use excuses such as the old SIM card being damaged or lost, or the entire phone having been stolen. The phone number is then activated on the blank SIM, and the 'hacker' has control over the mobile number.

How SIM-swapping works

Telecom providers ask a series of security questions to verify the caller's identity. These questions typically include your name, address, date of birth, and sometimes the last four digits of your bank account number.

For a well-known individual or public figure, this information may sometimes be available through a simple Google search. It can also be obtained from individuals in your immediate circle, such as employees or someone with a grudge against you.

The information may also be found online, often in data breaches. Additionally, this information can sometimes be simply purchased for a small fee from a fraudulent telecom provider employee. A simple LinkedIn search for people working as 'Vodafone customer service rep' can give you many targets.

Once all the necessary information is gathered, the hacker calls the provider and impersonates the victim.

The 'hacker' then attempts to transfer the mobile number to a SIM card they've acquired for this "sim-swap." And if it doesn't work with one employee, they may call again and try with another.

Human error

Telecom providers claim to have implemented various security layers to counter SIM swapping. Some providers send a verification SMS to the phone number to confirm the caller's identity. If the SMS code cannot be received, the new SIM card is sent by post or must be obtained in person at a store or service point, where a form of identification such as a driver's license or ID card must be presented.

Despite these measures, SIM-swapping attacks can still occur due to "human error," where an employee is convinced or sometimes even forced by the 'hacker' to transfer the phone number. Many call center employees are poorly paid, temp workers, or students who don't know or don't stick to all the procedures, or who just want to avoid hassle, and these are the people who make SIM swapping successful.

Some telecom providers make manipulation easy: customers need to answer only "three out of five security questions" correctly before changes can be made over the phone.

How to protect yourself

To protect yourself against SIM swapping, it's essential to remove your phone number from your online accounts. Many accounts use your mobile number as an additional layer of security, such as two-factor authentication (2FA) or multi-factor authentication (MFA), requiring you to enter an SMS code after logging in. In such cases, it's wise to set up alternative methods for extra security.

And there are plenty!

You can achieve this by using an authenticator app for your online accounts. I even suggest not using any services that don't provide MFA. It's possible with services from Google, Microsoft, Twitter, Facebook, Instagram, and even Reddit.

And remember! It is never too late to implement additional or stronger security measures!

submitted by /u/bvandepol