PROTECT IT: Your phone number is tied to your online identity
What is SIM Swapping?
A SIM swap scam (also known as port swap scam) is a type of account takeover fraud. Attackers exploit a mobile service provider’s ability to easily transfer a telephone number to a device which has a different SIM card which, in legitimate circumstances, is very helpful in the event that the real owner is switching their service to a new provider.
Once the attacker has access to your cellphone number, they are able to target a security weakness where you have two-factor authentication configured to use an SMS text message or a call placed to your cellphone number.
Most victims don’t have any idea that they have been compromised until they try to use their cellular data network, or place a call / send a text message which doesn’t go through.
How Does SIM Swapping Work?
The criminals begin their attack journey by trying to find some information about you like your name, email address, and phone number. They can do this in a number of ways… they may trick you into providing this information by sending you a phishing email, they can simply search online for the various pieces of information if you have published it on social media sites, or you could have your mail stolen.
Once they have collected enough personal information – usually your name, address, and cellphone number is sufficient for their purposes - they will contact their cellphone provider either on the phone or through the online chat pretending to be you and requesting the cellphone number to be transferred their account. Due to CRTC (Canadian Radio-television and Telecommunications) regulations, cell service providers have a limited time to make this switch, and their security check often consists of just an email or text to the current owner. If a service provider requests confirmation and the account holder does not respond very quickly, the change will be made. If the real owner is not looking at or actively monitoring their cellphone then it is likely that they will miss this warning.
Once the criminals have successfully secured the phone number, they now have access to all services you’ve linked to your phone, which could include bank accounts, online shopping, and access into systems which has the cellphone number listed as a 2nd factor of authentication or password recovery. In addition, any incoming calls and texts would now be going to the attackers instead of the real owner.
What Actually Happens?
Let’s say that the fraudsters manage to get hold of enough personal information to request – and successfully transfer – your cellphone number to themselves. They then use that information to log into PayPal with an email address (which they had likely found online through social media or LinkedIn) and go through the process to say that they have forgotten their password. PayPal sends a password reset PIN to the cellphone, which of course the fraudster now has. The attacker then has access to PayPal, including all of the credit or debit card information associated with that account.
With debit card information, the attacker now knows the banking preferences of the victim. They can log into online banking with the information that they now have; email address, home address, bank card reference and they can say that they have forgotten their password. What does the bank do? It helpfully allows the attacker to reset the password, but not before doing their due diligence when it comes to security! They send a password reset PIN to the cellphone first! The problem is, the attacker has that cellphone number now … you get the picture.
Once the attacker has unlimited access to the bank account or credit card then they can do a world of damage to the victim, including financial loss, identity fraud, negative credit history, and a whole lot of stress.
How To Protect Yourself
To help protect against SIM Swapping:
- Contact your cellphone provider and ensure that you have “Port Protection” enabled on your account. This will mean that a number cannot be “ported” before further verification with account holder. This may delay legitimate account changes but will provide more security. This can be done through your provider directly, or with the support of your office administrator if the cellphone contract is owned by UBC.
- Lock down your social media profile so that it is private and can be seen by your friends only.
- Don’t publish your phone number on any of your social media profiles and limit the amount of personal information you post online like your birthday, home address, elementary school names, or your pet’s name. Never complete the online “quizzes” which ask about your childhood. Fraudsters can use these clues to answer common identification questions and impersonate you.
- If available, set up a passcode/PIN with your cellphone service provider to access your phone for any online or phone interactions. Never use the same PIN as you would use for other accounts, like your bank account.
- Don’t allow your online shopping websites to “remember” your credit card or PayPal details. If the fraudster can access your online shopping, don’t make it easy for them to see what financial institutions you belong to.
- Don't use apps to sign into other apps, ie. Facebook – the fraudster would only need to enter one to gain access to all connected apps.
- Don’t use the same passwords or usernames across multiple accounts. Always create a strong, unique password for your sensitive accounts. Click here to learn more about how to create a strong password.
- Don’t click on links or attachments in suspicious emails or text messages. Remember that UBC, CRA and Financial Institutions will never send you an email, or call you on the phone, asking you to disclose personal information such as your password, credit or debit card number, or your mother’s maiden name. Click here to learn more about how to spot a phishing email.
- Destroy and dispose of your incoming mail properly. Never just recycle or throw away letters or financial information with any personal information on it without shredding or removing and destroying the personal information first. Did you know that Amazon Canada prints your full name, address, and phone number on all parcels? Ensure that this is removed or destroyed before the packaging goes into your recycling.
- Ensure that all of your online services have the maximum security settings enabled that are available. Many services allow multiple levels of authentication, rather than just username, password, and cellphone number.
If you have any questions please send a message to email@example.com
What to do if you are a victim of SIM Swapping
There is a lot to do and you need to act fast:
- Check that you can still log into all of your financial services (bank, credit card, PayPal etc.) using your own credentials. Once you are logged in, make sure to remove your cellphone number as a method of contact or 2nd factor of authentication and replace it with a different number which you know is safe. Reset your password to a new, unique, hard-to-guess passwords. If you find that you cannot login using your credentials then you should assume that the account is compromised and immediately contact the fraud department for that service.
- Check that you can log into your UBC account using your CWL credentials and reset your CWL password. If you know that you have your compromised cellphone number as an option for Enhanced CWL then you should contact firstname.lastname@example.org to inform them that your cellphone number needs to be removed from Enhanced CWL settings ASAP.
- Remove your cellphone and reset your password for all online shopping services such as Amazon, Wayfair, eBay etc.
- Remove your cellphone and reset your password from all utilities such as gas, electricity, home internet, cable, Netflix etc.
- Contact the fraud department with your cellphone provider and tell them what happened. You will need to convince the support technician that you are who you say you are, and you should be prepared to have access to your old cellphone statements in order to go through enhanced security measures.
- Contact the RCMP Canadian Anti-Fraud Centre at [Toll-free] 1-888-495-8501
- Report the fraud at the two credit bureau’s in Canada: Equifax - 1-800-465-7166; TransUnion Canada - 1-877-525-3823