The UK's Information Commissioner's Office Reports a 200% Increase in SIM-Jacking Attacks

Even though researchers have noticed a significant increase in sim-jacking or sim-swapping attacks in the United Kingdom, such attacks still occur very rarely compared to, for example, data breaches. Moreover, a single data breach can affect millions of people, while a fraudulent takeover of a phone number affects mainly the number’s owner. However, if sim-jacking attacks continue to grow, the situation could get much more severe. Sim-swapping attacks allow hackers not only to take over a person’s phone but also to get access to various accounts that can be misused for malicious purposes, such as stealing the victim’s money or collecting sensitive information. So, how does sim-jacking work? What should you do to protect yourself from such attacks?

According to the Information Commissioner’s Office, around 300 sim-jacking attacks occurred in the last 12 months. While the number might not look enormous, it does once you know that there were only 99 cases in the previous 12 months. We believe that a 200% increase signals that it is time for more users to ask the question: how does sim-jacking work?

How does sim-jacking work?

The success of a sim-jacking attack depends on how well the attackers can impersonate their victims. This does not mean that cybercriminals have to look or talk like you. Sadly, all they need in order to transfer your phone number is some of your personal details, for example, your name, address, and date of birth. Such information might be easier to obtain than you imagine. For instance, cybercriminals could hack one of your accounts or check your social media profiles to gather the needed facts. Besides, there is a great deal of breached information on the dark web, and if you ever had an account on a website that was breached, your data could already be in hackers’ databases, waiting to be misused.

Besides your name and similar personal information, the attackers need to know your mobile phone number and who your phone service provider is. After obtaining this data as well as facts about you, the attacker can call your service provider and pretend to be you. If the provider’s representative is convinced, they may agree to provide your PAC number, which is necessary to transfer your phone number to another device. After the fraudulent call succeeds, it might take from 10 minutes to 24 hours for the phone number transfer to take place. Until then, the victim will probably not realize what is going on because their phone should work normally.

How to protect yourself against sim-jacking attacks?

Becoming a victim of a sim-jacking attack could turn your whole world upside down. Access to your phone number could allow cybercriminals to bypass Two-Factor Authentication and take control of your accounts. Many banking applications also rely on verification codes sent to a user’s mobile phone, which is why hackers behind sim-swapping attacks might be able to gain access to their victims’ banking accounts. Consequently, all of your savings could be stolen if you do not take precautions that could protect you against sim-jacking attacks.

Since knowing your personal information is essential for hackers to take over your phone number, you should be very cautious every time you have to provide it. If you have social media accounts, it might be best to make them private and to refuse follow requests from people you do not know. Also, we highly recommend being cautious with messages and emails from unknown senders. For instance, Emanuel Poku, a cybercriminal responsible for many sim-jacking attacks, had taken over around 500 thousand phone numbers. As a result, he was able to obtain about 35 thousand bank card numbers and access to more than 2 million pounds. It seems the hacker tricked his victims into revealing sensitive information by sending them fake messages from banking institutions and mobile phone companies. Your bank or any other reputable institution would never ask for any confidential or private information over a text message or even a phone call. Thus, such requests should always raise a red flag.

Naturally, if hackers cannot trick you into revealing the private information they need for the sim-jacking attack, they may try to obtain it by hacking accounts of yours that could contain the needed data. Consequently, we highly recommend setting up strong and unique passwords on all of your accounts. Currently, it is advisable to use 10 to 12 characters to create a secure passcode. Also, the combination should include both lower-case and upper-case letters, symbols, and numbers. You might be tempted to use a pattern that would be easy to remember, but keep in mind that patterns can be easy to guess. Thus, it is best to make your passwords as complicated as possible if you want to protect your accounts. If you fear you will not remember lots of unique passcodes, you should employ a dedicated password manager that could take care of it. To add an extra security layer, we advise enabling Two-Factor Authentication on all of your accounts or at least the ones that are the most important, such as your email account.

Lastly, if you fear that you could become a victim of sim-jacking attacks, you should contact your phone service provider and ask to increase the security of your account. Your service provider should already know how sim-jacking works and have some safety precautions to offer.

What to do if you become a victim of a sim-jacking attack?

The minute the fraudulent phone number transfer is over, your phone number should stop working. In such a case, we recommend not waiting for the problem to fix itself because, if you are a victim of a sim-jacking attack, things will only get worse with every wasted second. Thus, if your phone suddenly goes out of service, you should contact your phone service provider at once. Describe what has happened and ask if they have received any requests to transfer your phone number.

Next, you should notify your bank because hackers will most likely try to get access to your account to steal money from it. If you let your bank know about it, they should be able to help you monitor your account and prevent cybercriminals from taking any money from it. Afterward, it is advisable to replace all of your passwords, starting with your email account, as it could be connected to many other profiles, which would make them vulnerable. The process might be tiring, but you must change all passwords that could be compromised due to the sim-jacking attack if you want to ensure your cybersecurity.

All in all, the increase in sim-swapping attacks shows that we are not yet prepared to fight them. The truth is that the steps necessary to prevent such attacks should be taken not only by users who could become victims of sim-jacking attacks but also by phone service providers who unknowingly provide PAC numbers for the fraudulent phone number transfers. Perhaps such companies could not only introduce more safety precautions to prevent sim-swapping attacks but also ensure that their clients know about them. It might take time for the situation to improve, but as said earlier, such attacks are still rare. Thus, there is still time to protect yourself against sim-jacking attacks, and why not do it today?

By Foley
February 21, 2020