Criminals want to steal your phone number.
If they can get it, they can set up a new cellphone with that number – and receive all of your calls and text messages. They can send messages to your friends and colleagues tricking them into doing all sorts of bad things. And, if you use multi-factor authentication for social media sites or online banking – they can receive those messages as well, potentially, in some cases, giving them access to your social media accounts and bank accounts. Ouch!
And this scam is going on right now – and there are multiple reports of significant sums of money being stolen from bank accounts as a result. But, you can do a lot to prevent it, if you know how it works.
So, here is what you need to know to protect yourself:
What is the scam?
The scam is actually quite simple – and here is how it works:
Criminals find out your phone number and as much information as they can about you. They then contact your mobile phone company – or one of the many stores that are authorized by mobile service providers to make service changes – and report, as if they were you, that your phone was stolen and ask that the number be transferred to another device (usually by switching which small “SIM” card is associated with the number). In some cases, they may even buy a new phone at the time – giving the sales representative involved an extra incentive to quickly fulfill their request. Some criminals perpetrate the scam by transferring your phone number to a different mobile-service provider, and social engineering your provider to authorize the transfer.
Why do criminals like this scam?
Because it works – and, if they can steal your number, it does not matter how much security software you have on your phone – they gain access to your texts, calls, and more. It does not matter if you use an iPhone or Android or something else – stealing your number circumvents not only the security on your device, but also the second factor authentication texts that are so commonly used for improved security by banks, social media companies, Google, etc. They can also send texts as you – likely allowing them to scam some of your friends and relatives into installing malware by sending some link to be clicked, or even into sending them money to deal with an emergency situation.
Can stores and mobile providers stop this scam?
Stopping the scam is not simple. Mobile providers need to be able to quickly swap your number to a new device in case your phone is really stolen; criminals are exploiting that need. Can you imagine the outrage if your phone were actually stolen and your mobile provider did not let you get your number back “for security reasons”? There are additional checks that providers can do to ascertain security – but, realistically speaking, deploying them en masse will take time, and they are not foolproof either.
How do you protect yourself?
1. Do not share your mobile number on public social media.
It is obviously much harder for criminals to steal your phone number if they do not know it. Keep in mind that social media often contains information that criminals can use to try to impersonate you – if you share your cellphone number there it creates a “one stop shop” for opportunistic criminals to get the information that they need. Criminals know this, and monitor social media accounts where people are likely to share numbers, such as the Twitter accounts of mobile service providers. Do not send them your phone number in a public directed tweet.
Social media is believed to be the primary source for information gathering used to perpetrate this scam. Do not help criminals harm you.
(Full disclosure: SecureMySocial, of which I am the CEO, offers patented technology that warns people if they share their mobile numbers on social media.)
2. Use strong passwords
All SMS-based second factor authentication goes out the door if your phone number is controlled by criminals, so make sure your passwords to important systems like email, social media platforms, and online banking are strong. For tips on how to create strong, yet easy to remember passwords, please see the article: How to Create Strong Passwords That You Can Easily Remember.
3. Password protect your mobile account
Some mobile providers allow you to create a password that must be entered by anyone seeking to make any changes to your account – including for a SIM swap. Create such a password.
4. Call your mobile phone company if your phone suddenly switches to “emergency call service only” or something similar.
That’s what happens when your phone number has been transferred to another phone.
5. Be vigilant in general (about phishing, etc.)
Criminals may be seeking usernames and passwords before or after attempting a phone device swap – if they can get the password to your online banking account, for example, and then steal your number, they can get around both the password and the dual factor authentication. If you just shared your mobile number on social media, for example, the odds that you will receive a phishing email or text go up dramatically.
6. Use security software on your mobile device (and all computers)
In addition to trying to steal your number, criminals may try to get malware onto your device to get the files that are on it, and to wreak all sorts of other havoc. Malware could also let them steal your passwords – so that they can undermine both factors of authentication at banks, etc. Make sure your device is secure.
This article originally appeared in Inc.