A subscriber identity module (SIM) card is an electronic chip that stores mobile network user information, such as your phone number and the authentication key used to grant access to the cellular network. A SIM card is also referred to as a universal integrated circuit chip (UICC), which is the modern-day version of the original SIM card. Although UICC is the technical term, it continues to be referred to as the SIM card.
Because of the information they store, SIMs can be valuable targets for threat actors. This publication aims to help you understand the main threat, known as SIM swapping, and provide you with recommendations to better protect yourself.
On This Page
- Difference between a SIM card and an eSIM
- SIM swapping
- How SIM swapping happens
- Consequences of SIM swapping
- The signs of SIM swapping
- How to protect your SIM
- Learn more
Difference between a SIM card and an eSIM
A SIM card is a physical card inserted into a device. It uses information stored within it to identify and authenticate the user on a mobile network. An embedded SIM (eSIM) is a non-removable electronic chip integrated into the device, making it easy to configure and activate remotely. An eSIM is capable of storing several SIM profiles at once.
Considerations for eSIMs
Providers increasingly offer eSIMs because they are convenient. However, there are risks associated with them. eSIMs can make it easier for threat actors to:
- compromise and gain access to your mobile accounts
- conduct social engineering and remote attacks, because eSIM profiles can be digitally generated and electronically transferred
- compromise multiple profiles at a time
- leverage malicious software through arbitrary code execution
SIM swapping
SIM swapping is an attack against your mobile phone account that transfers your phone number to a threat actor’s SIM card or eSIM without your knowledge or permission. Some other common terms used for SIM swapping include SIM jacking, SIM napping and SIM porting.
If a threat actor is successful with a SIM swapping attack, they can use their device to control communications meant for you, including through impersonation. This scam is also used to access other accounts, such as your bank account, that might use your phone number as a method to verify your identity.
How SIM swapping happens
Threat actors leverage the following methods to conduct SIM swapping attacks.
Calling your provider
Threat actors attempt SIM swapping using a process similar to the one providers follow when they transfer a user's phone number from an old device to a new one during an upgrade. Threat actors can try to transfer a victim's phone number to their own device by calling the mobile network provider and fraudulently impersonating the victim. They can bypass the common security questions used to verify your identity by researching the personal information you have shared online.
Stealing your credentials
Threat actors can also try to access your mobile account on the provider's website to initiate and authorize a SIM swap. They use credential stuffing, in which stolen usernames and passwords are tried against the provider's login, or they collect personal information shared online and on social media to answer the security questions asked during account authentication.
Exploiting insider access
SIM swapping can also result from an insider threat. Employees and other insiders with internal access to a mobile service provider's systems can falsely authorize changes to customer accounts and sell swapped SIMs.
Consequences of SIM swapping
If you are a victim of SIM swapping, a threat actor will receive your phone calls, messages and notifications on their device. Since mobile devices are often used as an authentication measure, a threat actor can impersonate you and gain access to your accounts and information, putting both you and your organization at risk.
Individual risks
As an individual, being a victim of SIM swapping poses several risks. A threat actor can:
- change and steal other account credentials
- prevent you from accessing and managing your accounts
- steal your money and financial information
- control and handle information managed through personal accounts
- impersonate you to spread the scam to your contacts
Organizational risks
Your organization's policies on device use (for example, company-owned or personal devices) and remote work determine how much of your data passes through mobile devices, so it is important to evaluate the sensitivity of the data being handled on them. If threat actors compromise a mobile service that handles your organization's information, they can:
- impersonate the individual behind the account
- spread phishing scams and malware to other accounts and devices
- gain access to sensitive and confidential information
- compromise systems and processes
- damage your business’ reputation and trust with customers and partners
The signs of SIM swapping
There are signs you can look out for that indicate a threat actor may be attempting, or has already completed, a swap of your SIM. These include:
- abnormal reduction in messages on your device
- lack of verification messages when using multi-factor authentication (MFA)
- phishing messages asking you to verify your account with a PIN or to click a link to log in
- messages indicating activity on your account that you don’t remember
- changes to account information you did not make
- losing access to online accounts (for example, banking, email and social media)
- transactions on your accounts that you do not recognize
- disconnection from the cellular network
If your SIM has been successfully swapped, you will lose cellular service as well as Wi-Fi calling. Note that being connected to Wi-Fi can keep your data connection active, so if your device switches between cellular service and Wi-Fi automatically and frequently, you may not immediately notice that your SIM has been compromised.
How to protect your SIM
It is important to take preventive security measures to reduce the risk of becoming a victim of SIM swapping. The best ways to protect yourself from SIM swapping include:
- using any additional verification requirements your mobile provider offers to help protect your account
- requesting your mobile provider to enable port protection or a SIM lock on your accounts, if available
- enabling MFA that includes methods other than those that rely on your phone number (for example, a PIN, biometric or authentication app)
- keeping sensitive information related to account security questions private (for example, date of birth, home address and mother’s maiden name)
- using separate and unique email addresses for financial accounts and social media
- creating different passwords and passphrases for each of your accounts
- keeping up with your provider’s security advisories and Cyber Centre guidance and alerts
Organization-specific security measures
In addition to the measures above, there are specific security practices your organization should consider to help prevent SIM swapping.
- Have a clear device usage policy for what data can be handled on certain devices
- Enforce cellular contracts for company-owned devices that prohibit account migration without your organization’s approval
- Implement mandatory maintenance sessions for company-owned devices
- Use authenticator applications that generate one-time passcodes for MFA rather than verification measures connected to the phone number (for example, text message and phone call)
- Deploy hardware security keys to secure and authenticate highly sensitive accounts if necessary
- Classify and label data according to sensitivity levels and clearly establish how data belonging to each level should be handled
- Offer cyber security training
Learn more
- Using your mobile device securely (ITSAP.00.001)
- End user device security for Bring-Your-Own-Device (BYOD) deployment models (ITSM.70.003)
- Social engineering (ITSAP.00.166)
- Rethink your password habits to protect your accounts from hackers (ITSAP.30.036)
- Don’t take the bait: Recognize and avoid phishing attacks (ITSAP.00.101)
- Secure your accounts and devices with multi-factor authentication (ITSAP.30.030)