Two-factor authentication adds another line of defence when it comes to phishing scams, which aim to guess or steal your valuable login credentials. This isn’t completely fool-proof, however. Criminals are rising to the challenge by reinventing an old crime: sim swap scams. Here’s what you need to know to stay protected.
Sim swap scams shouldn’t be easy pickings for criminals. They rely on someone being able to convince a mobile operator to issue a replacement sim card by assuming someone else’s identity and claiming that the phone has been stolen or lost. This is usually achievable using personal data that has been stolen through malware or cyberattacks, which may then be sold on the Dark Web.
The mobile operator should conduct some form of ID check before issuing the replacement and disabling the victim’s sim card. However, a recent investigation by BBC Watchdog found that many phone shops – including major brands – fail to ask for photo ID or issue a text alerting the victim that someone is attempting to replace their sim. Once the new sim has replaced the victim’s, criminals can access any online service that requires verification codes which are sent by text or call to that number.
Do you use the same phone for work and your personal life? The more you mix the two, the harder it will be to detect unusual activity on your accounts, or protect one or the other if an account becomes compromised.
Let’s say you have a business bank account linked to a personal account. If you fall victim to a sim swap scam and a criminal gains access to your internet banking apps by collecting a verification code (as well as already having your personal data), your business finances could be at risk alongside your personal accounts. That could also put your customers and any supply chain at risk.
As with many types of internet fraud, there are some simple steps you can take to keep your business protected online without making the way you work less efficient.
Avoid over-sharing online so your data isn’t stolen in the first place. Don’t post your date of birth, address or phone number on public social media profiles or open websites, and don’t give out your data to companies unless you’re confident about how they’ll use it. It’s also good practice to check with your bank or phone operator to find out what alerts can be set up should any suspicious activity be identified.
Then there’s phishing. Many people can’t tell the difference between fake phishing emails and real ones. Over 80% of people who took part in an Intel study fell victim to phishing, with just 3% emerging completely unscathed. Never download files from unknown sources or open attachments from senders you don’t recognise. Use complex, hard-to-guess passwords that contain numbers, capital letters and symbols.
Two-step authentication is arguably miles better than single-step logins, but sim swap fraud does show that text messages in particular can be easily accessed because the data isn’t encrypted. Better options include authentication apps like Google Authenticator, which produces an encrypted one-time access code.