Our phones carry so much of our lives these days—our social networks, access to our banks, home security apps—that keeping them safe and protected is of paramount importance. These are three of the most common ways your phone can be hacked, and how to stop them.
Besides the scams we’ve mentioned here, don’t forget all the other ways that unscrupulous parties will try and get into your various online and mobile accounts, from trying to reset and intercept your passwords, to gaining access through a third-party connected app.
The SIM swap
The SIM swap scam is where someone impersonates you and gets your carrier to redirect your cell number to their phone by convincing them to activate a SIM card the scammer controls. It takes advantage of what is a genuinely useful service—allowing you to keep your existing number when you get a new phone contract or lose your phone.
This impersonation might be attempted over the phone, in a store, or online, and it’s depressingly easy to do. While a SIM swapper will always be asked certain security questions, it seems customer service reps are fairly forgiving when potential hackers claim to have forgotten answers or set them up incorrectly in the first place. Plus, information like addresses and dates of birth can often be obtained without too much difficulty.
Having your number means someone else can make calls and texts with it, and use it to gain access to more of your accounts—anywhere that uses your phone number for verification suddenly becomes vulnerable. A lot of your data can be at risk, and hackers might also be able to log into your payment and banking apps if they have access to more of your user credentials.
When it comes to stopping a SIM swap, you’re really reliant on the security measures put in place by your carrier to recognise that the person attempting the swap isn’t you. One step you can take is to reduce your reliance on your cell number for getting into your online accounts—if you’ve got two-factor authentication set up via SMS, switch to an app like Google Authenticator or Authy instead. (Or, better yet, use a physical two-factor security key.)
Be vigilant about warning signs, which might include a sudden loss of data or call functionality on your phone. Make sure you have enabled whatever security measures your carrier offers—a PIN code, for example—and check with them as to what additional protections you might be able to put in place.
In response to recent research, carriers do seem to be putting more robust identity checks in place if someone is attempting a SIM swap, so call your wireless carrier and see what you can do. You should also ensure that any information that might be used to impersonate you—your address, your date of birth, your email address—is kept well away from public view on the web, which you can do more easily and thoroughly using a service like DeleteMe.
The phishing message
Phishing is a term most often associated with email, but this scam has spread to SMS and instant messaging as well: Any of these forms of electronic communication can catch you out on your phone, and potentially give someone else access to your device (just ask Jeff Bezos about it).
The way the scam manifests itself is that you get a message from what looks like an authentic account—your bank, your carrier, someone you know—and it contains either a dangerous attachment or a link to a site that’s been put together to try and con you out of sensitive information or secure payment details.
These scams can vary widely in their details. You might be prompted to enter your credit card details or your login information for a particular site, or you might be encouraged to download a certain file or open up an attachment. There are so many types, it’s difficult to be definitive about what they all involve, and new variants are appearing all the time.
It’s a good idea to be wary of embedded links and attachments that come with emails, texts, and messages sent over chat apps, even if the sender appears to be trustworthy or someone you know—try verifying the message with the person or company who sent it, using a different mode of communication (phone your bank if you get a suspicious-looking SMS purporting to be from it, for example).
Short of keeping your phone in aeroplane mode all the time, all you can do for this one is to be on your guard: Remember that messages may not be all they appear to be. If you do get a suspicious message, a quick search on the web for the text it contains should help you work out if it’s genuine or not (like this recent FedEx-related scam our colleague was targeted by).
The usual common-sense security rules apply here, as well: Make sure your phone’s software and installed apps are always up to date, as this will minimise the risk of you getting caught out by a fraudulent message. Think twice about sharing any kind of sensitive information with anyone.
The fake call
Sometimes scammers will take the old-fashioned route and actually call you up—it’s similar to phishing, but over a voice call. The best way to protect yourself is simply to be vigilant and stay up to date with the sort of cons doing the rounds (we’ll do our best to report on the major ones). You can also simply not answer the phone when an unknown number calls you.
Most often, the calls will be trying to get something out of you: Financial details, personal information, anything that can be used for the purposes of identity theft. You may have won a prize, or you may be in trouble with the IRS, or you may have missed jury duty, or one of your family members might need some urgent assistance.
Be on the lookout for calls that leave one ring and then hang up. These are most often trying to get you to ring expensive, premium phone lines—if you do ring back, the scammer will try and keep you on the line for as long as possible, extracting money from you in the process.
Another popular scam is the tech support scam, where someone claiming to be from Microsoft, Apple, or another reputable organisation will ring up and tell you that there’s a problem with your computer—and then get you to install a ‘troubleshooting’ tool that’s actually malware. These are easy to spot because they’re all scams. Big tech companies will never call you all of a sudden to fix a problem on your individual machine.
You may also get asked to take a survey or be offered something for free, only this ‘free’ gift requires a small admin or shipping fee. If you can, report fraudulent numbers to the FTC, which helps block these scams sooner rather than later.
Remember that numbers can be spoofed—you should always ask for some kind of identity verification from the person on the line, and even then be extremely wary about revealing anything personal or secret over the phone, unless you’ve initiated the call. If you’re in any doubt, ring the company back on one of its official, published phone numbers.