Spear phishing. It’s no longer just a tropical ocean sport that could provide seafood for dinner. In today’s tech world, spear phishing is when someone targets you specifically, usually with the goal of taking over your online accounts. Once that’s done, the attacker will try to siphon money from your bank account, impersonate you in an attempt to deceive family or colleagues into sending money, or attempt to ruin your reputation.
You’re probably thinking, “No one would ever target me. I’m not interesting enough.” It is true that the people who should worry the most about spear phishing attacks are high profile or have a high net worth, but modern online criminals aren’t that fussy. In particular, they’re more likely to go after older people. Why older people? Older people tend to be relatively well off and less likely to notice the symptoms of a spear phishing attempt. You should also be concerned if you’re a politician or journalist, have ever been involved in an ugly divorce or legal battle, or can easily think of people who have it in for you.
As we’ve said many times, it’s imperative that you use a secure password manager like 1Password or LastPass to create, store, and enter a strong, unique password for each of your online accounts. Plus, we strongly recommend using two-factor authentication—where you have to enter a one-time code in addition to your password—on all accounts that support it, particularly important ones like your email and banking accounts. But even if you do all that, you may be vulnerable to another tactic favored by spear phishers—the cell phone SIM takeover.
Here’s how it works. Every cell phone, including every iPhone, has inside it a SIM card that gives it a phone number. Swap that SIM into a different phone and it will adopt the SIM card’s number. The problem is that support reps at cellular carriers like AT&T, Sprint, T-Mobile, and Verizon can also move your phone number from one SIM card to another. That makes it possible for you to lose your iPhone, buy a new one, and have your phone number associated with the new one. It also lets you port the phone number to a different carrier, if you wish to switch.
All an attacker has to do is call your cellular provider, pretend to be you, say that they’ve lost their iPhone, and ask to have the number ported to a new device (one they control). It’s likely that the support person will ask a few simple questions to verify your identity, but a clever attacker will likely know your address and be able to learn details like your mother’s maiden name, first-grade teacher’s name, and favorite color, all thanks to Facebook. Criminals can acquire even information like your Social Security number through other data breaches.
Once the attacker controls your cell phone number, they can try to reset the password on various accounts, receiving any verification codes that would normally have been texted to your phone. They’ll probably focus on your email account first because, with control over it, they can reset passwords elsewhere even more easily. And once the attacker has access to your accounts, it’s game over, and you’ll be faced with the difficult and complex task of retaking control and mitigating damage.
How can you protect yourself from such an attack? Whenever possible, it’s better to generate authentication codes with an app such as 1Password, Authy, or LastPass. That removes some of your exposure, but for better or worse, your cell phone number is still the most basic form of identity for many things.
The most important thing to do, then, is to set up an additional PIN or passcode that the carrier will ask for before making any changes to your account. You’ll also have to provide it when logging in to your cellular account online. Such a PIN or passcode is different from a two-factor authentication code that changes continuously—you set your PIN or passcode just like you do for your iPhone or ATM card. And, of course, make sure to store that PIN or passcode in your password manager alongside your other credentials so you don’t forget it.
Learn more about how each of the major carriers supports PINs and passcodes at the links below, and if your carrier isn’t listed, call the company’s support line:
Don’t put this off—if you don’t already have a PIN or passcode on your cellular account, set it up right away.