SIM swapping attacks are increasingly common and can range in complexity and motive. Threat actors initiate these attacks by contacting the wireless carrier and impersonating the subscriber. They use social engineering to convince the employee to assign the subscriber’s mobile phone number to a new SIM card on a device controlled by the threat actor. The threat actor effectively hijacks the victim’s phone number, providing them unprecedented access to sensitive personal and financial information, including MFA. SIM swapping attacks
have become a considerable security threat for government agencies and corporations. These attacks were initially used by criminals to steal individuals’ cryptocurrency, but other criminal actors and nation-states now utilize them for various purposes. There has also been a growing number of targeted takeovers of influential social media accounts for pump-and- dump stock schemes, to inflict reputational damage, and spread disinformation. Despite the Federal Communications Commission’s (FCC’s) past efforts, incidents of SIM swapping continue to grow without requiring more robust authentication practices. Though
safeguards to prevent SIM swap fraud are essential to mitigate consumer harm, criminal actors’ ability to adapt means that consumer data may still be vulnerable, emphasizing the need for stronger privacy and data protection rules to protect consumers.

Recommendation

The NJCCIC recommends using strong and unique passwords, exercising caution with unsolicited texts, emails, and calls, including those urging you to act immediately and provide personal details, and enabling MFA, opting for authenticator applications over SMS, where available. If you have been the victim of a SIM swapping attack, immediately change passwords for services such as your online banking and email. Protect cryptocurrency wallet accounts with MFA using a hardware token for increased security and establishing unique and complex passwords. Additionally, users are advised to open accounts only on legitimate cryptocurrency exchanges and refrain from providing personal or payment card data to unverified individuals and websites. Additional information and recommendations can be found in the SIM Swapping Attacks NJCCIC product.

Reporting

The NJCCIC encourages recipients who discover signs of malicious cyber activity to contact the NJCCIC via the cyber incident report form at www.cyber.nj.gov/report.

Please do not hesitate to contact us here at Cyber Command with any questions.