These days, account protection is getting smarter—but hackers are getting smarter, too.
Many of today’s banks, email providers, and e-commerce sites have a two-factor verification option that sends a one-time pin to your phone every time you attempt to log in. Since you need both this PIN and your usual password to sign in, two-factor authorisation is a great way to keep your accounts guarded against infiltration.
Unfortunately, it’s not infallible, because hackers have learned how to get around it. You may be shocked to learn that today’s fraudsters can hijack your SIM card and get access to all your messages—including your one-time PIN. This process, known as SIM hijacking or SIM swapping, has become an increasingly popular way for scammers to circumvent the two-factor security measure and get into high-value accounts. Accounts that use single-factor verification (i.e. password only) are at even greater risk since you can usually reset a password using the account’s linked phone number.
Some of the common targets of this scam include high earners and people with highly desirable social media or gaming handles, but SIM hijacking can happen to anyone. That’s why it’s important that you know how to protect yourself against it.
Cybersecurity tips for avoiding SIM hijacking
1. Understand How SIM Hijacking Works
As with any scam, the first step in protecting yourself against is to understand how the scheme works.
Scammers start the hijacking process by finding a target and collecting their personal information. They get hold of data like email addresses, mailing addresses, government-issued ID numbers, date of birth and more by trawling social media, setting up phishing attacks, or buying it from other online fraudsters.
Then, the hijackers contact your phone carrier. They use the information they’ve swiped to answer your security questions and convince your carrier to port your phone number onto a SIM card in their possession. Once they have access to your number and all your messages, the hackers can start breaking into your accounts, taking your money, stealing your social media handles and more.
2. Add a PIN to Your Phone Account
Now you know how SIM hijacking works, the first measure you can take to prevent it is clear: harden your phone account by adding a PIN code. Most of today’s cell phone providers allow you to set up a PIN that you must state to make changes to your account. If you don’t have a PIN, hackers only need to know your easily obtained personal details to convince your phone carrier to port your number to a new SIM. To set up a PIN code, check your online phone account, call the customer service department, or head to your carrier’s local store in person.
3. Change to a 2FA App
Another great way to prevent hackers from bypassing your two-factor phone verification is to use a different verification tool altogether: an app. Two-factor verification methods that use a 2FA app instead of a phone number are far more secure because they can’t be hacked using a SIM card. A fraudster would need to steal your phone and know your phone passcode to break into your account using a two-factor app, which is a very unlikely scenario given that most hackers work remotely.
4. Don’t Put Personal Information Online
Alongside hardening your accounts, you can avoid becoming a SIM hijacking victim by preventing hackers from accessing your personal information. To protect yourself against any type of fraud or identity theft, never put your phone number, date of birth, email address, or answers to security questions (like your first car, first pet, or maiden name) online. Look at your profiles on social media, online marketplaces, and web portfolios to see if you’ve put up any information that could be used to hack you. If you have, delete those posts as quickly as you can.
5. Don’t Open Phishing Emails
Phishing emails are another common way hijackers get your personal information. These fake emails are set up to look like communications from your account providers, but all the information you send them goes straight to the fraudster targeting you. In general, the best way to avoid a phishing scam is to never click on links in emails that claim to come from your bank or other account providers. If you receive an email from your bank asking you to update your details, for example, do not click on the update link. Instead, go to your bank’s official website and log into your account to see if the request is legitimate.
6. Remove Your Phone Number from Your Accounts
Remember that SIM hijacking isn’t just used to bypass two-factor verification. Hackers also use it to quickly and easily access accounts that are only secured by a password (such as Twitter, Instagram, and gaming accounts). You can stop hackers resetting your password in this way by removing your phone number from all your social media and email accounts. If you must add a number to an account, use a VoIP number (like Google Voice) as these services can’t be SIM hijacked.
7. Know How to Respond
If you do become the victim of a SIM hijacking scam, you’ll need to respond quickly and efficiently to minimise the damage. First, make sure you know how to spot a hijacking. When a scammer gets access to your phone number, you won’t be able to make calls or send texts from your phone anymore. So, if you suddenly lose service or get a message that your SIM has been deactivated, contact your carrier to secure your account.
Alongside contacting your carrier, check your email account for notifications of suspicious login activity or changed passwords. This will let you know which accounts the attacker has logged into, so you can get in touch with those companies and take anti-fraud measures. You should also change the passwords on all your sensitive accounts, just in case the hacker has accessed them or plans to in the future.
And after you’ve responded to a hijacking incident, don’t forget to stay alert. If fraudsters could find your personal information once, they can do it again.
Even though there’s no surefire way to protect against hacking, following the advice above is the best way to drastically reduce your risk.