SIM hijacking, or ‘SIM-jacking’, is a dangerous new way that fraudsters can steal from people by secretly taking control of their phones.
In a growing trend, thieves are exploiting the ability of mobile service providers to ‘port’ a phone number between different SIM cards.
Normally this is a useful function. If a customer loses or breaks their phone, they can buy a replacement, and ask their mobile service provider to port their original phone number to the new phone.
The provider will ask for some security information to make sure the caller is genuine, before seamlessly sending the phone number to the new SIM card.
But a series of high-profile SIM-jacking cases - including Jack Dorsey, CEO of Twitter - have uncovered how fraudsters can use phone number porting to gain access to people’s personal information and steal thousands of pounds.
How does SIM-jacking work?
First, the fraudsters have to gather the security information needed to port their victim’s phone number. They can do this by:
Sending phishing scam emailsBribing employees at the victim’s mobile service providerConvincing you to give you them directly by gaining your trust
Once they have the security information or passwords they need, fraudsters will impersonate their victim on the phone to their mobile service provider and convince them to “port” the victim’s phone number to a new SIM card.
The victim’s phone will then lose a network connection, and any texts and calls intended for them will be received by the fraudster’s phone instead.
Why do fraudsters do it?
Hijacking a SIM card is the first step that fraudsters need in order to get access to their victim’s money and personal information.
If you forget a password for your email or bank account, those companies will often text you a security code as part of a verification process to reset the password.
But once scammers have hijacked a SIM card, they can have those security codes sent directly to them - allowing them to reset their victim’s passwords, and access their social media, bank, and email accounts.
They can then begin withdrawing money and stealing private information from their victim.
How do I prevent it from happening?
If you are concerned about SIM-jacking, you can call your mobile service provider and ask them to add extra security to your account - like requiring a PIN code to make changes to your details.
People should make sure that every account they have - email, bank, social media, online shopping - have strong and unique passwords. This will make it harder for fraudsters to access all your accounts, even if they manage to hack into one.
You should avoid sharing too many personal details on social media. Determined fraudsters can often find many of the security details, like dates of birth and addresses, by looking through a victim’s social media.