Criminals want to steal your phone number.
If they can get it, they can set up a new cellphone with that number – and receive all of your calls and text messages. They can send messages to your friends and colleagues tricking them into doing all sorts of bad things. And, if you use SMS-texting-based multi-factor authentication for social media sites or online banking – they can receive those messages as well, potentially, in some cases, giving them access to your social media accounts and bank accounts. Ouch!
And this scam is going on right now – and there are multiple reports of significant sums of money being stolen from bank accounts as a result. But, you can do a lot to prevent it, if you know how it works.
So, here is what you need to know to protect yourself:
What is the scam?
The scam is actually quite simple – and here is how it works:
Criminals find out your phone number and as much information as they can about you. They then contact your mobile phone company – or one of the many stores that are authorized by mobile service providers to make service changes – and report, as if they were you, that your phone was stolen and ask that the number be transferred to another device (usually by switching which small “SIM” card is associated with the number). In some cases, they may even buy a new phone at the time – giving the sales representative involved an extra incentive to quickly fulfill their request. Some criminals perpetrate the scam by transferring your phone number to a different mobile-service provider, and social engineering your provider to authorize the transfer.
Why do criminals like this scam?
Because it works – and, if they can steal your number, it does not matter how much security software you have on your phone – they gain access to your texts, calls, and more. It does not matter if you use an iPhone or Android or something else – stealing your number circumvents not only the security on your device, but also the second factor authentication texts that are so commonly used for improved security by banks, social media companies, Google, etc. They can also send texts as you – likely allowing them to scam some of your friends and relatives into installing malware by sending some link to be clicked, or even into sending them money to deal with an emergency situation.
Can stores and mobile providers stop this scam?
Stopping the scam is not simple. Mobile providers need to be able to quickly swap your number to a new device in case your phone is really stolen; criminals are exploiting that need. Can you imagine the outrage if your phone were actually stolen and your mobile provider did not let you get your number back “for security reasons”? There are additional checks that providers can do to ascertain security – but, realistically speaking, deploying them en masse will take time, and they are not foolproof either.
How do you protect yourself?
1. Stop using SMS-based one time codes for authentication
(UPDATE:) Before we discuss securing your phone number, let’s also state the obvious: You should not be using SMS-based-texting for strong authentication anymore. Using security apps to generate one time codes used to be inconvenient – many sites did not support such authentication mechanisms, and each site had to be set up again manually whenever you upgraded your mobile device, or otherwise moved the app to a new phone. These problems no longer exist. So, consider switching your second factor authentication from one-time texted codes to security-app-generated codes. (Note: Neither authentication mechanism is foolproof, but, in the vast majority of cases, app-based-code-generation offers better security than texted codes.)
2. Protect your mobile device.
Lock your mobile device using a strong password. And set the device to be able to be wiped by you remotely if your phone is stolen. A criminal who steals your device is significantly more likely to be able to social engineer an authorized party to transfer your phone number to another phone if the criminal enters a mobile phone provider’s facility and can demonstrate that he or she can unlock your phone than if he or she cannot. By performing such a phone number transfer, the criminal may make it more difficult and time consuming for you to get everything sorted out with your mobile service provider — and he or she may perpetrate all sorts of crimes in the meantime.
3. Use strong passwords
All SMS-based second factor authentication goes out the door if your phone number is controlled by criminals, so make sure your passwords to important systems like email, social media platforms, and online banking are strong. For tips on how to create strong, yet easy to remember passwords, please see the article: How to Create Strong Passwords That You Can Easily Remember.
4. Password protect your mobile account
Some mobile providers allow you to create a password that must be entered by anyone seeking to make any changes to your account – including for a SIM swap. Create such a password.
5. Do not share your mobile number on public social media – or with the public.
It is obviously much harder for criminals to steal your phone number if they do not know it. Keep in mind that social media often contains information that criminals can use to try to impersonate you – if you share your cellphone number there it creates a “one stop shop” for opportunistic criminals to get the information that they need. Criminals know this, and monitor social media accounts where people are likely to share numbers, such as the Twitter accounts of mobile service providers. Do not send them your phone number in a public directed tweet.
Social media is believed to be the primary source for information gathering used to perpetrate this scam. Do not help criminals harm you.
(Full disclosure: SecureMySocial, of which I am the CEO, offers patented technology that warns people if they share their mobile numbers on social media.)
Consider establishing a Google Voice or other virtual phone number, forwarding that number to your cellphone, and giving out that number rather than your actual cellphone number.
6. Call your mobile phone company if your phone suddenly switches to “emergency call service only” or something similar.
That’s what happens when your phone number has been transferred to another phone.
7. Be vigilant in general (about phishing, etc.)
Criminals may be seeking usernames and passwords before or after attempting a phone device swap – if they can get the password to your online banking account, for example, and then steal your number, they can get around both the password and the dual factor authentication. If you just shared your mobile number on social media, for example, the odds that you will receive a phishing email or text go up dramatically.
8. Use security software on your mobile device (and all computers)
In addition to trying to steal your number, criminals may try to get malware onto your device to get the files that are on it, and to wreak all sorts of other havoc. Malware could also let them steal your passwords – so that they can undermine both factors of authentication at banks, etc. Make sure your device is secure.
An earlier version of this article appeared in Inc.