SIM swapping attacks have been reported in the media since 2017. Such attacks usually target banking transactions, but not exclusively: they are also perpetrated against the cryptocurrency community, social media accounts and email accounts.
With the ENISA Report - Countering SIM-Swapping, the EU Agency for Cybersecurity gives an overview of how SIM swapping attacks work and of the extent to which Member States are affected. The report also assesses the services impacted and issues a range of recommendations to guide national authorities, operators, banks and citizens.
What is SIM swapping?
In a SIM swapping attack, an attacker takes over the mobile phone number of the real subscriber, by asking the mobile telecom provider to link that number to a SIM card under the attacker’s control.
SIM swapping procedures exist for legitimate reasons, for instance, when the SIM card is lost or damaged. SIM swapping is also used to connect mobile phones with an embedded SIM (eSIM). eSIMs are increasingly common.
In a SIM swapping attack, the attacker will convince the telecom provider to do the SIM swap, using social engineering techniques, pretending to be the real customer, claiming that the original SIM card is for example damaged or lost.
When the attack is successful, the genuine subscriber’s phone will lose connection to the network and they won’t be able to make or receive phone calls.
How does a SIM swapping attack happen?
The attacker typically begins a SIM swapping attack by gathering personal details about the targeted subscriber. Personal data can be retrieved in many ways: through social engineering, phishing, malware, exploiting information from data breaches, or researching the target on social media.
With the necessary information in hand, the attacker can convince the mobile network operator to transfer the subscriber's mobile number to a new SIM card under their control, or perform the process themselves online.
As a result, the attacker takes over the account and receives all the SMS messages and voice calls intended for the legitimate subscriber. Fraudsters can then commit online banking fraud, and can also bypass the SMS-based two-factor authentication (2FA) used to secure social media and other online accounts.
Why do these attacks take place?
Specific circumstances create the opportunity for attackers, including:
- Weak customer authentication processes;
- Negligence or lack of cyber training or hygiene;
- Lack of risk awareness.
More information for the public is available in the ENISA Leaflet - How to Avoid SIM-Swapping.
Key takeaways of the Countering SIM-Swapping report
A total of 48 mobile network operators from 22 countries across Europe and representatives of 14 national competent authorities responded to our survey.
Almost half of the MNOs surveyed (48%) did not face any SIM swapping incidents in the 12 months prior to the survey.
Of the remaining MNOs, 12 faced up to 10 incidents, while 6 of them, in 4 different countries, faced more than 50 incidents.
- Mobile Network Operators (MNOs), banks and authorities have already been collaborating to mitigate fraudulent SIM swapping. Banks can use an Application Programming Interface (API) provided by the MNOs to check whether a SIM swap has been recently performed. Banking institutions should consistently apply the EU regulations such as the Directive (EU) 2015/2366 (PSD2), and take advantage of the available technical solutions provided by the telecommunications operators.
- MNOs should reinforce fraudulent SIM swapping detection and blocking mechanisms, by enhancing the internal processes to provide the customer with a preferably seamless experience. Also, they should provide regular cybersecurity awareness training for both their own and third-party employees to ensure they can recognise and appropriately deal with the SIM-swapping threat.
- National authorities should encourage and enhance coordination between the MNOs and the banking sector. Cooperation with national Computer Security Incident Response Teams (CSIRTs) and law enforcement agencies should also be promoted.
- Subscribers are strongly recommended to contact their provider and/or their bank, and/or change the passwords to their online accounts, in case they:
  - become aware of helpdesk scams, where an attacker calls and claims to be working for a telecom company or for a tech company;
  - see their phone lose network connection for a prolonged period of time and are not able to make or receive phone calls;
  - see suspicious transactions in their bank accounts, lose access to their social media or email accounts, or see activity they do not recognise.
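As an added illustration of the SIM swap check API mentioned in the first recommendation above (example code, not ENISA's or any operator's own; the JSON response shape, the 7-day risk window and the sample numbers are assumptions), the following bank-side helper decides whether an SMS one-time code may still be trusted for a given number:

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Assumed operator reply format: {"msisdn": "...", "last_swap": "<ISO-8601>" | null}.
# Assumed policy: a SIM swapped within the last 7 days must not receive SMS OTPs.
SWAP_WINDOW = timedelta(days=7)

@dataclass
class SimSwapStatus:
    msisdn: str
    last_swap: Optional[datetime]  # None = operator has no swap on record
    lookup_ok: bool                # False = API error / unknown number

def parse_mno_response(raw: str) -> SimSwapStatus:
    """Parse an operator reply; any malformed reply counts as a failed lookup."""
    try:
        data = json.loads(raw)
        msisdn = data["msisdn"]
        ts = data.get("last_swap")
        last = datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None
        return SimSwapStatus(msisdn, last, True)
    except (ValueError, KeyError, AttributeError, TypeError):
        return SimSwapStatus("", None, False)

def sms_otp_allowed(status: SimSwapStatus, now: datetime,
                    window: timedelta = SWAP_WINDOW) -> Tuple[bool, str]:
    """Return (allowed, reason). Fails closed: a failed lookup never allows SMS."""
    if not status.lookup_ok:
        return False, "lookup_failed"
    if status.last_swap is None:
        return True, "no_swap_on_record"
    age = now - status.last_swap
    if age < window:
        return False, f"sim_swapped_{age.days}d_ago"
    return True, "swap_outside_window"

def choose_second_factor(raw_response: str, now: datetime) -> Tuple[str, str]:
    """SMS only when the swap check passes; otherwise a stronger channel."""
    allowed, reason = sms_otp_allowed(parse_mno_response(raw_response), now)
    return ("sms_otp" if allowed else "app_push_or_in_person", reason)

# Constructed sample replies for a payment attempted on 2021-12-10 (UTC).
NOW = datetime(2021, 12, 10, 12, 0, tzinfo=timezone.utc)
RECENT = '{"msisdn": "+30690000000", "last_swap": "2021-12-08T09:30:00Z"}'
OLD = '{"msisdn": "+30690000000", "last_swap": "2021-06-01T09:30:00Z"}'
NONE = '{"msisdn": "+30690000000", "last_swap": null}'
BROKEN = 'HTTP 502 Bad Gateway'
```

The fail-closed branch matters in practice: an outage of the operator API should push the customer to a non-SMS channel, not silently re-enable SMS codes.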
Background on the ECASEC Expert Group, formerly known as the ENISA Article 13a group
Established in 2010, the European Competent Authorities for Secure Electronic Communications Expert Group (ECASEC), formerly known as ENISA Article 13a group, consists of about 100 experts from national telecom security authorities from all EU countries, the EFTA countries, and EU candidate countries.
The group is a forum for exchanging information and good practices on telecom security. It produces policy guidelines for European authorities on the implementation of EU telecom security rules, and publishes an annual summary report about major telecom security incidents.
ENISA Report - Countering SIM-Swapping – December 2021
ENISA Leaflet - How to Avoid SIM-Swapping – December 2021
If you want to join the ENISA telecom security mailing list, to be kept up to date about this group and our telecom security work, and to receive invitations for events and projects, please contact us via resilience (at) enisa.europa.eu
For questions related to the press and interviews, please contact press(at)enisa.europa.eu