The FBI is warning mobile carriers and subscribers about an increase in Subscriber Identity Module (SIM) swapping, a scheme being used to steal millions of dollars from the U.S. public.
The FBI announced today that criminals are tricking mobile carriers, through social engineering and other means, into switching victims’ mobile numbers to SIMs in their possession. By doing so, the criminal can gain access to the victim’s bank accounts, virtual currency accounts and other sensitive information.
Once swapped, the victim’s calls, texts and other data are diverted to the criminal’s device. The criminal is then able to send “Forgot Password” or “Account Recovery” requests to the providers of the account holder’s email and other online accounts that are associated with his or her cellphone number.
Mobile application providers that use SMS-based two-factor authentication send a link or a one-time passcode via text to the victim’s number, which the criminal now receives, giving the criminal access to the person’s accounts.
The criminal uses the links or codes to log in and reset passwords associated with the victim’s phone profile.
Criminals often use phishing techniques to deceive mobile carrier employees into downloading malware used to hack systems that carry out SIM swaps.
The FBI Internet Crime Complaint Center received 1,611 SIM swapping complaints in 2021 with losses of more than $68 million. That was more than five times the 320 complaints from January 2018 to December 2020 with roughly $12 million in losses.
Tips to Protect Yourself:
>> Do not advertise information about financial assets, including ownership of or investment in cryptocurrency, on social media websites and forums.
>> Do not provide your mobile number account information over the phone to representatives requesting your account password or PIN. Verify the call by dialing the customer service line of your mobile carrier.
>> Avoid posting personal information, including mobile phone number, address or other personal identifying information.
>> Use varied, unique passwords to access online accounts.
>> Be aware of any changes in SMS-based connectivity.
>> Use strong multi-factor authentication methods, such as biometrics, physical security tokens or standalone authentication applications to access online accounts.
>> Do not store passwords, usernames or other information for easy login on mobile device applications.
If you suspect you are a victim:
>> Contact your mobile carrier immediately to regain control of your phone number.
>> Access your online accounts and change your passwords.
>> Contact your financial institutions to place an alert on your accounts for suspicious login attempts and/or transactions.
>> Report suspicious activity to police or your local FBI field office.
>> Report the activity to the FBI’s Internet Crime Complaint Center at www.ic3.gov.
The FBI recommends that mobile carriers:
>> Educate employees and conduct training sessions on SIM swapping.
>> Carefully inspect incoming email addresses containing official correspondence for slight changes that may make fraudulent addresses appear legitimate and resemble clients’ names.
>> Set strict security protocols to enable employees to verify customer credentials before changing numbers to a new device.
>> Authenticate calls from third-party retailers asking for customer information.