The Rise of SIM Swap Attacks and How to Prevent Them

May 02, 2024
Written by Twilio (Twilion)

What is SIM swapping fraud and how to prevent it

SIM swap fraud has continued to be a growing security threat, prompting the Federal Communications Commission in the US to consider strengthening regulatory actions for protecting consumers and businesses. Businesses seeking to protect themselves against SIM card fraud need to understand how this attack method works and establish security procedures to prevent it.

SIM swap attacks bypass normal security measures by letting criminals intercept standard one-time password messages. This can expose your company and customers to hackers, harming your reputation and finances.

Fortunately, these risks can be mitigated by combining SIM swap detection tools with security best practices. In this blog, we'll explain how SIM swapping fraud works, how it can compromise your company, and what you can do to detect and prevent it.

What is SIM swapping?

SIM swapping is a legitimate practice in which someone transfers access to smartphone information from the owner's device to their own. While SIM swapping can occur between consenting parties, criminals also use it to gain access to an unsuspecting person's phone. When done for criminal purposes, a SIM swap scam is also known as a port-out scam or SIM jacking.

SIM cards are smart cards that contain unique identifying information used to authenticate smartphone user identity. Mobile carriers allow smartphone customers to transfer SIM cards from one device to another for purposes such as upgrading devices or traveling.

SIM swap fraud exploits this by deceiving carriers into transferring a mobile number from its owner's device to another device with a different SIM card. Transferring the number sends calls, voicemails, and texts to the new device rather than the owner's device. This allows the identity thief to intercept messages used for security checks, such as one-time password (OTP) messages. Using this method, identity thieves can impersonate victims to gain access to sensitive personal, business, and financial data, such as bank accounts and social media accounts.

SIM swap attacks can affect any phone that has a SIM card. SIM cards come installed on all mobile phones that use Global System for Mobile Communications (GSM) networks. Phones on Code Division Multiple Access (CDMA) networks don't necessarily require SIM cards but may use them for Long-Term Evolution (LTE) handsets. Manufacturers are phasing SIM cards out in favor of digital alternatives called eSIM cards, but they remain in widespread use.

How does a fraudulent SIM swap work?

SIM swap attacks typically unfold over several steps:

  1. The identity thief picks their target and gathers enough information about them to persuade phone carriers to transfer their number.

  2. There are different ways to gain access to the SIM. Sometimes, the perpetrator contacts the victim's mobile carrier and requests that the phone number be ported to a device with another SIM card. In other cases, the fraudster accesses the victim's carrier account and updates the personal account information, which avoids talking to the carrier directly.

  3. The criminal uses the compromised number to impersonate the smartphone owner and intercept OTPs that either authorize access to an account or other actions like transferring money.

  4. Finally, to avoid alerting the smartphone owner that their number has been compromised, the cybercriminal may transfer the number back to the SIM card on the original device.

To begin the process, identity thieves may obtain information about their victim through various methods. They may buy it from criminal groups, send phishing emails, or use other social engineering techniques to trick the victim into giving them information.

To arrange the phone transfer, the identity thief may impersonate the smartphone owner and contact their carrier, pretending they lost their phone or using some other pretext to request the transfer. Alternatively, they may bribe a phone company employee into performing the transfer.

After the number has been ported to the new device, the perpetrator may begin exploiting it. For instance, if they already have the owner's bank account password from hacking their computer, they may use the password to initiate the login process, and then complete the login by intercepting the SMS OTP message sent to the victim's smartphone.

Once the number has been transferred to the new device, the legitimate owner loses their ability to receive calls and texts on their own device. They may be unable to access other accounts, and they may notice other suspicious activity, such as logins from other locations or transactions they didn't authorize. To avoid arousing suspicion, the identity thief may perform SIM swaps temporarily or at odd hours, reducing the likelihood of being detected.

What is a SIM farm?

A SIM farm is a setup that involves multiple SIM cards being managed and operated through specialized hardware and software. These setups are often used for various legitimate purposes such as bulk SMS marketing, automated notifications, and testing mobile services across different regions and carriers. However, SIM farms can also be exploited for financial gain via fraud.

SIM box vs. SIM bank

A SIM box, also known as a SIM gateway, is a device that holds and operates multiple SIM cards simultaneously. Each SIM card within the box represents a different phone number, allowing the device to distribute calls and texts across various carriers. These devices are typically used by fraudsters to route international calls as local calls, bypassing the international rates, or send marketing messages and spam from many different phone numbers to avoid detection.

A SIM bank is a device designed for the centralized management and housing of hundreds of SIM cards. It connects to GSM gateways and allows remote access of the SIM cards. Telecommunication companies use SIM banks for managing large-scale deployments, bulk SMS marketing, or to manage their network resources efficiently.

Although SIM banks are more commonly used for legitimate business activities, they can also be used in SIM boxes by fraudsters. SIM banks assist fraudsters in efficiently managing a large pool of SIM cards and frequently swapping them out to prevent detection and blocking by telecom providers.

How does a SIM farm work?

SIM farming is a very detailed operation. Here are the steps fraudsters commonly take to set up and run SIM farms:

  1. Acquisition of SIM cards: Fraudsters acquire large numbers of prepaid SIM cards from various network providers to avoid easy detection. Diversifying the SIM cards across different telecom operators further minimizes the risk of pattern recognition and blocking.

  2. Setup with a SIM bank: The SIM cards are inserted into a SIM bank for centralized storage and management. The SIM bank is configured to switch the SIM cards automatically based on various criteria, such as usage limits, time intervals, or detection risk.

  3. Integrating with SIM boxes: SIM banks are connected to one or more SIM boxes to route calls or send SMS messages using the SIM cards stored in the SIM bank.

  4. Call/SMS routing: International calls are routed through the SIM box to convert them into local calls, which are cheaper. Large volumes of SMS messages are automated and sent in a coordinated manner, often for spam.

  5. Dynamic SIM switching: SIM cards are frequently swapped out using the SIM bank to avoid detection by telecom providers. Call and SMS volume is distributed evenly across multiple SIM cards to avoid reaching traffic thresholds and blockage.

  6. Monitoring and management: Fraudsters monitor the SIM farm to ensure efficiency and address blocked SIM cards or network problems. They analyze usage patterns and switch rules to optimize performance and reduce risk.

  7. Recovery and replacement: Fraudsters regularly acquire new SIM cards to replace blocked or detected SIMs, or update the SIM farm to maintain its operations.

SIM farms are common in SIM swap attacks because they allow malicious actors to evade costs, which can be detrimental to various types of businesses.

How does SIM swapping fraud affect businesses?

SIM swapping triggers a domino effect of negative consequences that can severely disrupt businesses. A SIM swap attack can undermine your security procedures, open your network to hackers, expose customer data, and harm your company's reputation, ultimately costing you money. Many businesses have been in the news recently for becoming victims of SIM swap attacks.

Bypassed security procedures

If your company uses SMS or voice OTPs for multi-factor authentication to verify the identity of employees or customers, SIM swapping can bypass your security measures. You may think your network is secure when it's actually being penetrated.

Infiltrated company network

If cybercriminals use SIM fraud to obtain access to your employees' phone numbers, they can gain access to your internal company network. This can compromise your files, financial records, and customer records, putting you at risk of theft, a major customer data breach, and the loss of vital company data.

Compromised customer data

SIM swap attacks can compromise your customers in various ways. If a hacker gets inside your internal network, they can begin stealing your customers' data and launch identity theft attacks on them. Even without penetrating your internal network, a thief who has used a SIM swap to impersonate a customer may make a fraudulent purchase in your customer's name or commit other malicious acts.

Harmed company reputation

Negative publicity from SIM swapping can damage your reputation with customers and investors. Customers may blame you for failing to detect SIM attacks, demand refunds for fraudulent purchases, or complain about your security standards on social media.

Revenue and budget loss

Through outright theft and indirect damage to customer relations, SIM card fraud can cost companies significant revenue. FBI data indicates that losses from SIM swapping incidents grew from $12 million during the January 2018 to December 2020 period to $68 million in 2021 alone.

How to detect a SIM swap attack

While SIM jacking attacks can be subtle, it's not impossible to detect SIM swaps if you know what to look for. Disruption of service and unusual account activity can be signs of a SIM swap.

Can't make calls or send texts

Porting a phone number to another device's SIM card prevents the original device owner from making calls or sending texts. If you notice calls aren't connecting and texts aren't sending, it may indicate a SIM swap.

Loss of phone service

SIM swap attacks cut off incoming phone service as well. If expected calls aren't coming in, it may be a SIM swapping symptom.

Unrecognized activity on online accounts

SIM swapping fraud can manifest as various types of unusual account activity. Accounts may be accessed from remote networks far away from the phone owner's actual location. Social media accounts may be used without the owner's knowledge. Bank and credit card accounts may record unauthorized transactions. These can be signs of SIM swap attacks, especially if they occur in conjunction with the other symptoms described above.

How to prevent SIM swapping

SIM swapping attacks can be prevented by a strategic combination of technology and best practices. Critical defenses include SIM swap detection tools, multi-factor authentication, and awareness of common scams.

With phone number intelligence, you can scrutinize mobile phone numbers without interrupting the user flow. Additionally, you can use Silent Network Authorizations, which are less prone to social engineering scams. Biometrics is another authentication method that is not as easily compromised as SIMs.

Use Twilio's Lookup SIM Swap

The Twilio Lookup SIM Swap package provides companies with the means to detect SIM swaps before sending out OTP authentication messages. Because SIM swaps must be authorized by mobile carriers, carriers maintain logs of SIM swaps. Checking these records can indicate whether a SIM swap occurred recently for a particular number, raising red flags when a SIM swap precedes an attempted large transfer or high-value transaction.

Twilio Lookup SIM Swap uses an API to check a phone number's SIM swap history. Upon detecting a number that has been SIM swapped, the check returns the carrier's name, a code that identifies the mobile network operator, and details about the last SIM swap. You can use this tool to establish procedures for handling SIM-swapped numbers before sending an OTP. When a SIM swap is detected, you can require a non-phone-based verification such as a time-based one-time password (TOTP), or you can put the account on temporary hold.

Twilio's Lookup SIM Swap tool effectively identifies potentially fraudulent SIM swaps before your business sends sensitive OTPs.
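The pre-OTP check described above can be expressed as a small policy function. This is an added example, not Twilio's code: the response dictionary is a constructed sample modeled on a Lookup result requested with the SIM swap field, its field names should be confirmed against the current Lookup documentation, and `choose_verification`, `RISK_WINDOW`, the carrier name, and the phone number are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample modeled on a Lookup response that includes SIM swap data.
# Field names are assumptions to verify against the current documentation.
SAMPLE_RESPONSE = {
    "phone_number": "+15555550100",  # placeholder number
    "sim_swap": {
        "last_sim_swap": {
            "last_sim_swap_date": "2024-05-01T22:10:00Z",
            "swapped_period": "PT24H",
            "swapped_in_period": True,
        },
        "carrier_name": "Example Mobile",  # constructed carrier
        "mobile_country_code": "000",
        "mobile_network_code": "00",
        "error_code": None,
    },
}

RISK_WINDOW = timedelta(hours=72)  # hypothetical policy value, tune per risk appetite


def choose_verification(lookup, now, high_value=False, window=RISK_WINDOW):
    """Return (action, reason); action is 'sms_otp', 'totp' or 'hold'."""
    sim = (lookup or {}).get("sim_swap") or {}
    last = sim.get("last_sim_swap") or {}
    if sim.get("error_code") is not None or not last:
        # No carrier data: a failed check must not be read as "no swap".
        return ("totp", "sim swap status unavailable")
    swapped_recently = bool(last.get("swapped_in_period"))
    stamp = last.get("last_sim_swap_date")
    if stamp:
        try:
            swapped_at = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
            swapped_recently = swapped_recently or (now - swapped_at) <= window
        except (ValueError, TypeError):
            return ("totp", "unparseable swap date")
    if not swapped_recently:
        return ("sms_otp", "no recent sim swap")
    carrier = sim.get("carrier_name") or "unknown carrier"
    if high_value:
        return ("hold", f"recent sim swap reported by {carrier}")
    return ("totp", f"recent sim swap reported by {carrier}")


if __name__ == "__main__":
    now = datetime(2024, 5, 2, 9, 0, tzinfo=timezone.utc)
    print(choose_verification(SAMPLE_RESPONSE, now, high_value=True))
```

The function never falls back to SMS when the carrier data is missing or malformed, so an outage or an unsupported carrier cannot silently re-enable the channel a SIM swap would compromise.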

Implement multi-factor authentication on all accounts

Applying multi-factor authentication checks to all accounts can reduce the ability of successful SIM swaps to escalate into hacks. Verification alternatives such as biometrics, physical security tokens, and authentication apps can ensure that even when a SIM swap has occurred, the perpetrator doesn't have an opportunity to capitalize on it.

Secure user authentication with Twilio

SIM swaps and other common cyberattacks don't have to disrupt your business or compromise your customers. The Twilio Lookup API uses mobile-based signals to detect SIM swaps and other risks, providing an integrated layer of security that minimizes fraud without compromising user experience. This transforms your phone intelligence data into trusted interactions with your customers. Lookup in conjunction with the Verify API can be a powerful tool for secure user authentication. Read more about protecting your users with the right authentication tools. 

Providing a secure experience empowers you to build onboarding and engagement experiences that improve delivery and mitigate risk seamlessly. Learn about how our customers have successfully implemented user verification with Twilio's API. Talk to our sales team about how we can help you optimize conversions with customizable verification solutions that truly build effortless onboarding and transaction experiences.