With mobile devices used as secondary authentication, threat actors have been stepping up activity, looking for ways to transfer phone numbers to cybercriminal-controlled devices.
SIM swapping – the act of transferring a mobile phone’s number from its actual SIM card to one controlled by threat actors – has been around for a number of years. Carried out through social engineering, phishing attacks, and help from malicious insiders, SIM swapping has become a known element in cyber attacks – particularly those where multi-factor authentication is involved to access corporate and online applications and resources.
According to a recent warning from the FBI, the number of reported SIM swapping attacks has materially jumped. From 2018 through 2020, there were only 320 complaints with a total loss of $12 million. In 2021 alone, those numbers skyrocketed to over 1600 complaints and $68 million in losses!
We’ve seen recent scams attempt to collect enough account details from Verizon mobile customers to perform a SIM swap, as well as attacks that take advantage of a SIM vulnerability, dubbed Simjacker, that had the potential to impact over 1 billion phones worldwide.
Employees with company-owned mobile phones should be wary of any request that asks them to log into their mobile provider’s website or give up account details, and of unsolicited text messages purporting to come from the mobile provider.