From social media takeovers to million-dollar crypto heists, SIM-swapping has become a mainstream attack vector. Almost every week another article hits our timelines about how an unsuspecting person became the latest victim. Last year alone, SIM-swap attacks cost Americans more than $68 million, and the number of reported incidents grew by more than 400%. Earlier this year, the FBI issued a public service announcement warning and educating consumers about SIM-swap fraud.
When it comes to SIM-swap attacks, fraudsters have a playbook. They are bounty hunting very select, high-value accounts. Whether it’s prominent social accounts and celebrities, people who are visibly active in the cryptocurrency space, or gamers who have spent countless hours unlocking achievements and leveling up, SIM-swappers are deliberate about who and what they target. Despite being low-tech, a successful SIM-swap attack is highly sophisticated and generates high returns.
But what about enterprises?
With zero-trust security frameworks, virtual private networks, and an arsenal of additional defense tactics, businesses should be immune from low-tech attacks like SIM-swapping.
Unfortunately, that is not the case. As the cybergang LAPSUS$ has proved, SIM-swap attacks threaten enterprises as much as consumers. The gang has dominated headlines in recent weeks. They’ve allegedly penetrated internal networks at some of the largest and best-known tech companies in the world. And once they are in, LAPSUS$ accesses data, leaks code, and threatens to share it all if a ransom is not paid.
How do they gain access?
Considering the immense resources of the victims, you would think LAPSUS$ deployed a highly technical attack to bypass multilayer security frameworks: detecting network vulnerabilities, creating backdoors, installing malware, and deploying a denial-of-service attack to gain admin access. But as it turns out, LAPSUS$ deployed many of the same old-fashioned tactics that fraudsters use to hijack an individual’s digital wallet.
SIM-swapping through security
The crux of the SIM-swap is a good target. For consumers, it’s fame and assets. For an enterprise, it’s an employee with the right access. That was LAPSUS$’s strategy. They followed the same tried-and-true SIM-swap playbook:
- Social engineer to gather knowledge about their targets
- Steal credentials to trigger MFA prompts
- SIM-swap to intercept OTPs and facilitate account takeover
Despite being low-tech, LAPSUS$’s series of attacks is elaborate, sophisticated, and successful. They are exploiting an enterprise’s weakest security link: its people, its employees, and its partners. After all, 95% of cybersecurity breaches are caused by humans.
LAPSUS$’s social engineering and SIM-swapping playbook should have every security team on notice. While conventional attack vectors, like email phishing and malware, will always be top of mind, LAPSUS$ has proven that these lower-priority tactics pose significant risks.
How can you defend against it?
It all starts with education. You should train your employees to practice good security hygiene and to always be skeptical. But even with the most cautious employees, the strongest of passwords, and multifactor authentication, every employee is at risk.
Whether it’s LAPSUS$ targeting your employees or fraudsters going after your bank account, personally identifiable information will be shared, passwords will be stolen, and one-time passcodes will be intercepted.
There is a reason 80% of SIM-swap attacks are successful. Once a fraudster has ported a phone number over to their own SIM card, there is nothing the end user can do. The fraudster is one text message, six digits, and a few seconds away from taking over the account.
Detect SIM-swap activity
As the leading authentication and digital identity player, Telesign serves as the last line of defense. Before you send a one-time passcode (OTP) as the final authentication step, Telesign can instantly detect if and when a phone number was SIM-swapped or ported.
Using a dynamic risk assessment, you can understand fraudulent intent and prevent OTPs from being delivered to bad actors. In 2021, the FBI received 1,611 SIM-swapping complaints. During that same period, Telesign’s SIM swap monitoring blocked more than 1 billion account takeover attempts.
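The gating logic described above, as an added illustration rather than Telesign’s own code or API: an OTP request is checked against the number’s most recent SIM swap or port event before the SMS is sent. The lookup table, the seven-day risk window, and the phone numbers are all constructed assumptions so the example runs offline; a real deployment would query a carrier-data provider.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Assumption: a SIM change this recent is treated as high risk.
RISK_WINDOW = timedelta(days=7)


@dataclass
class SimStatus:
    """Carrier-side facts about a number, as a provider would return them."""
    last_swap: Optional[datetime]   # None = no swap on record
    last_port: Optional[datetime]   # None = no port-out/port-in on record
    lookup_ok: bool = True          # False = provider could not answer


# Constructed sample data standing in for a live provider lookup.
CONSTRUCTED_LOOKUP = {
    "+15550000001": SimStatus(None, None),
    "+15550000002": SimStatus(datetime(2022, 3, 20, 9, 0, tzinfo=timezone.utc), None),
    "+15550000003": SimStatus(None, datetime(2022, 1, 5, tzinfo=timezone.utc)),
    "+15550000004": SimStatus(None, None, lookup_ok=False),
}


def otp_decision(number: str, now: datetime) -> Tuple[str, str]:
    """Decide what to do with an SMS OTP request for `number`.

    Returns (action, reason) where action is:
      'send'    - no recent SIM change, deliver the OTP
      'block'   - SIM swapped/ported inside RISK_WINDOW, do not send SMS OTP;
                  route the user to a non-SMS factor instead
      'step_up' - no usable data, fail closed to a stronger factor
    """
    status = CONSTRUCTED_LOOKUP.get(number)
    if status is None or not status.lookup_ok:
        # Missing data is not the same as no risk: fail closed.
        return "step_up", "no sim status available"
    for kind, ts in (("swap", status.last_swap), ("port", status.last_port)):
        if ts is not None and now - ts <= RISK_WINDOW:
            hours = int((now - ts).total_seconds() // 3600)
            return "block", f"sim {kind} {hours}h ago"
    return "send", "no recent sim change"
```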
Despite being a low-tech, old-school attack, SIM-swap attacks are growing, and they are here to stay, just as Telesign CEO Joe Burton predicted in his 2022 digital security predictions.