One sign of the rapid increase in SIM-swapping attacks is the number of related complaints received by the FBI last year. Between January 2018 and December 2020, a total of 320 such complaints were filed, with losses of $12 million. In 2021 alone, that figure rose sharply to $68 million, following 1,611 SIM-swapping complaints. Although SMS-based 2FA adds an extra layer of security to an account, the approach has long been considered risky because attackers can still trick mobile carriers into switching a user’s phone number to a SIM card of the attackers' choice, either through malware or impersonation. SIM-swap victims might also bring it upon themselves by advertising their financial assets on social media and public forums. This includes sharing details of cryptocurrency investments, as noted in the FBI’s advisory.
Of course, users can always do a better job of picking passwords (and a password manager), as well as employing stronger 2FA methods that aren’t SMS-based. App-based authenticators that generate codes, or code-less implementations like Google’s, have been shown to boost account protection. The FBI also recommends that mobile carriers educate and train employees on SIM swapping, and deploy stricter measures to verify that requests to switch a number to a new device genuinely come from the user.