What it is
SIM swapping is when an attacker tricks your mobile phone provider into transferring your phone number to a SIM card the attacker controls, without your knowledge.
How to protect yourself from SIM swapping
Here's what you can do to help prevent a SIM swapping attack.
Be careful where you share identity information
Your personal information can be used to impersonate you, particularly when it’s used as part of an identity confirmation process.
If you know your mobile phone provider confirms your identity by asking for personal information like your date of birth or address, make sure it’s hard to find online. Don’t share this information on your public social media accounts where anyone can find it.
Be creative with your account recovery questions
For some services, when you set up your account you’ll be asked to provide answers to a set of security questions – like ‘what’s your mother’s maiden name?’. These are generally used as a way to identify you if you forget your password and need a prompt.
Unfortunately, these are also easy things for an attacker to find out, and could be used to gain access to your accounts without your knowledge. Where you can, make up something memorable but untrue that an attacker couldn’t find through a simple search of your name. You can use a password manager to store these answers too.
When there’s a choice, use app-based two-factor authentication (2FA)
SMS 2FA is better than a password alone, but there are often stronger options available. Ask your bank or service provider if they offer other forms of 2FA for account access. You might be able to use an app-based authenticator that generates a new code every 60 seconds, or one that sends you a push notification, instead of sending you a code by text.
Check your provider's policy
Talk to your provider about what they can do to help protect you against SIM swapping. Ask them what the process is for moving a mobile phone number to a new SIM card. Some providers might request a confirmation by text, whereas others will ask to see physical ID at the store before they'll do this.
If you think you’ve been targeted by a SIM swapping attack:
- report it to your mobile phone provider and get them to check if your mobile phone number has been transferred to another SIM
- reset the passwords for your important online accounts. Make your online banking and email accounts your priority.
Report the issue to CERT NZ
You can also report an online issue or security incident like this to us at CERT NZ. We can work with the NZ Police on SIM swapping attacks, but will only do this with your permission.