Group-IB has published a report on SIM swapping attacks, finding that attackers continue to use social engineering to bypass technical security measures.
SIM swapping is a technique in which an attacker takes over a victim’s phone number, which enables them to access the victim’s accounts. This involves tricking the telecom operator into reassigning the victim’s phone number to a SIM card controlled by the attacker.
“SIM swapping fraud typically begins when the fraudster acquires sensitive information about the victim, such as their national ID, phone number, and card details,” Group-IB explains. “This information is often obtained through phishing websites that mimic legitimate services or via social engineering tactics.
Once armed with the necessary details, the fraudster initiates a request to swap or port out the victim’s SIM. This may involve converting the victim’s SIM to an eSIM with the same mobile network provider or porting the number to a different local telecom operator. These requests are often submitted through telecom provider mobile apps, enabling the process to be completed remotely.”
Mobile carriers have safeguards in place to prevent SIM swapping, but attackers can bypass these using social engineering. In some cases, the attackers also target the victims themselves and trick them into authorizing the switch.
“In some regions, this process is safeguarded by a Government E-Verification Platform, which requires users to verify their identity before any SIM swap or port-out request is approved,” the researchers write. “Verification methods may include approving a login request or using biometric authentication. To bypass these safeguards, fraudsters deceive victims into approving the verification request, often by posing as representatives of legitimate services—such as job applications or account updates.
Once the victim unknowingly authorizes the request, the telecom provider deactivates the existing SIM and activates a new one under the fraudster’s control. With control of the victim’s phone number, fraudsters can intercept SMS-based two-factor authentication (2FA) codes and carry out unauthorized transactions.”
New-school security awareness training can give your organization an essential layer of defense against social engineering attacks. KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Group-IB has the story.
New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn't a one and done deal, continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your one-on-one demo of KnowBe4's security awareness training and simulated phishing platform and see how easy it can be!
