FBI: SIM Swapping Schemes Stealing Millions
The FBI issued a warning to mobile carriers and the public about the increasing use of subscriber identity module (SIM) swapping by criminals to steal money from fiat and virtual currency accounts.
From January 2018 to December 2020, the FBI Internet Crime Complaint Center (IC3) received 320 complaints related to SIM swapping incidents with adjusted losses of approximately $12 million. In 2021, IC3 received 1,611 SIM swapping complaints with adjusted losses of more than $68 million.
SIM swapping is a malicious technique where criminal actors target mobile carriers to gain access to victims’ bank accounts, virtual currency accounts and other sensitive information. Criminal actors primarily conduct SIM swap schemes using social engineering, insider threat, or phishing techniques.
Social engineering involves a criminal actor impersonating a victim and tricking the mobile carrier into switching the victim’s mobile number to a SIM card in the criminal’s possession. In the insider-threat variant, criminal actors pay off a mobile carrier employee to switch a victim’s mobile number to a SIM card in the criminal’s possession. Criminal actors also use phishing to deceive carrier employees into downloading malware, which is then used to compromise the mobile carrier systems that carry out SIM swaps.
Once the SIM is swapped, the victim’s calls, texts and other data are diverted to the criminal’s device. This access allows criminals to submit “forgot password” or account recovery requests to the victim’s email and other online accounts associated with the victim’s mobile telephone number. Where SMS-based two-factor authentication is in use, the provider sends a link or one-time passcode by text to the victim’s number, which now reaches the criminal’s device. The criminal uses those codes to log in and reset passwords, gaining control of the online accounts tied to the victim’s phone number.
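The chain above (SIM change, then a burst of recovery and SMS-OTP requests against the number) is something a service operator can detect and, better, refuse to trust. The following is an added example written for this article and is not code from the FBI notice or from any carrier or vendor it mentions. It assumes two things that are labelled as assumptions in the code: that the carrier can be asked for a last-SIM-change timestamp for a number (the `SIM_CHANGES` lookup here is a hypothetical stand-in for such an API), and that the service logs password reset and SMS-OTP requests together with the phone number involved. The policy window of 72 hours is an illustrative choice, not a published standard.

```python
"""SIM-swap cooldown check for SMS-based recovery.

Added example, not from the article or the FBI notice. Assumptions:
- a carrier lookup returns the last SIM change time per number
  (SIM_CHANGES below is a constructed, hypothetical stand-in);
- the service logs "password_reset" and "sms_otp" requests with the
  phone number they target (EVENTS below is constructed sample data).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# Hypothetical policy: do not treat SMS as a trusted factor for this long
# after the number moved to a new SIM.
COOLDOWN = timedelta(hours=72)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    kind: str       # "password_reset" or "sms_otp"
    account: str    # account the request targets
    phone: str      # phone number the request relies on


def sms_factor_allowed(last_sim_change: Optional[datetime],
                       now: datetime,
                       cooldown: timedelta = COOLDOWN) -> bool:
    """Return False while the number is inside the post-SIM-change cooldown.

    A caller that gets False should require a factor that does not depend on
    the phone number (for example an authenticator app or a hardware key)
    instead of sending a code by text.
    """
    if last_sim_change is None:
        return True            # no SIM-change signal available: no cooldown
    return now - last_sim_change >= cooldown


def flag_recovery_after_sim_change(events: Iterable[AuthEvent],
                                   sim_changes: Dict[str, datetime],
                                   cooldown: timedelta = COOLDOWN) -> List[AuthEvent]:
    """Return recovery/OTP requests made within `cooldown` after a SIM change
    on the same number, in time order.  Requests that predate the change are
    not flagged, since they cannot have used the swapped SIM."""
    flagged = []
    for e in sorted(events, key=lambda x: x.ts):
        changed = sim_changes.get(e.phone)
        if changed is None:
            continue
        delta = e.ts - changed
        if timedelta(0) <= delta < cooldown:
            flagged.append(e)
    return flagged


# ---- constructed sample data (not real numbers, accounts or events) ----
T0 = datetime(2022, 2, 8, 12, 0, tzinfo=timezone.utc)   # SIM change time
SIM_CHANGES = {
    "+15550100": T0,                        # number swapped just now
    "+15550199": T0 - timedelta(days=400),  # stable number, old change
}
EVENTS = [
    AuthEvent(T0 - timedelta(days=1), "sms_otp", "alice-bank", "+15550100"),  # before swap
    AuthEvent(T0 + timedelta(minutes=20), "password_reset", "alice@example.com", "+15550100"),
    AuthEvent(T0 + timedelta(minutes=25), "sms_otp", "alice-bank", "+15550100"),
    AuthEvent(T0 + timedelta(hours=1), "sms_otp", "bob-bank", "+15550199"),
]


def demo() -> List[str]:
    """Run the detector over the sample data and return flagged accounts."""
    return [e.account for e in flag_recovery_after_sim_change(EVENTS, SIM_CHANGES)]


if __name__ == "__main__":
    for acct in demo():
        print("recovery request shortly after SIM change:", acct)
    print("SMS allowed 1h after swap:", sms_factor_allowed(T0, T0 + timedelta(hours=1)))
```

Only the two requests against the freshly swapped number land in the flagged list; the request that predates the change and the one against the number whose SIM changed long ago do not. The `sms_factor_allowed` check is the preventive half: wiring it in front of the SMS-OTP sender means a freshly swapped number cannot be used to complete recovery, which addresses the weakness the article describes without relying on the victim noticing their phone has lost service.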
Roger Grimes is a data-driven defense analyst at KnowBe4.
“SIM swapping attacks have been going on for over a decade and have likely resulted in billions in stolen cryptocurrency and other financial crime,” he said. “The U.S. government … has been recommending against using any [text], phone number or voice-call based multifactor authentication (MFA) since 2017. President Biden’s 2021 zero trust executive order also told defenders not to use it, along with other easily phishable MFA, like one-time codes and push-based MFA. Unfortunately, that describes probably 90% of MFA used by people today.”
Text-based MFA has to be the most popular MFA option used on the internet, and most of the time people do not have a choice of whether to use it, Grimes said. Their bank, vendor or service says they have to use it.
“And, let me say again, the U.S. government has said not to use it since 2017,” he said. “The better question to ask is why so many services and vendors are still using [text]-based and phone number-based MFA five years after the U.S. government said not to use it? Why are we so slow and broken?”