It’s important to take these steps, so we don’t fall victim to a mobile device takeover—and know what to do if our number does get “hijacked.”
As a financial firm, we are on the frontlines fighting cyber fraud and protecting clients from hackers. Lately, we’ve been seeing an increase in mobile device takeovers.
What is a mobile device takeover?
Also known as “phone hijacking” or a “SIM swap attack,”¹ a mobile device takeover is when fraudsters take over a mobile device without having to steal the device physically. Instead, they steal your phone number by tricking your cell phone service provider into transferring your phone number to their own device. Your cell phone number has been hijacked. And all the fraudster needed was a fake ID and maybe some answers to your security questions.
The fraudster then receives all your phone calls and text messages. What may be worse: The criminal also is able to reset passwords on accounts that have your number listed for password recovery purposes. The fraudster, not you, will get the one-time verification code sent to allow a password reset.
One of our clients, Bruce, experienced firsthand a breach in cell phone security:²
His phone was working fine while he was at an airport waiting to board a three-hour flight. After the flight, Bruce checked his phone and was surprised to see he had no new messages. He wanted an Uber to get home, but was unable to access that app. He tried to call his wife and wasn’t able to make the call.
In the short time Bruce had been in the air, a fraudster took control of his mobile number and data, accessed his banking app and managed to transfer $20,000 out of his bank account.
What does Bruce do now?
He must immediately contact his service provider and bank. Time is crucial for the recovery process. The service provider should diagnose the extent of the compromise and take steps to protect Bruce. The bank also should immediately begin its recovery and mitigation processes, which include trying to recapture lost funds and renumbering any compromised accounts.
But there is much Bruce might have done long before he was forced to take these measures.
Here is what we all can do now to protect ourselves from mobile device takeover attacks. The keys to preventing phone hacking are to know how to spot fraud, create layers of verification, and protect your identity generally.
Your cell phone security checklist
- Pay close attention to cell phone service disruptions. Bruce was on an airplane, so he didn’t notice a disruption of his service until the damage was done. But if you are unable to receive calls or text messages in a location that normally permits such service, take note. If the disruption lasts 20 minutes, call your mobile phone carrier immediately.
Create layers of verification.
- Add a verbal password to your mobile service account and lock your account to prevent your phone number from being transferred or ported without your authorization. Contact your mobile device provider immediately to do so.
- Enable multi-factor authentication for all online accounts, if offered by the mobile service provider. Enable your device to automatically lock itself after a period of inactivity.
Protect your identity.
- Protect all mobile devices and tablets with your fingerprint or facial recognition technology whenever possible. If these security features are not available, use strong, complex passwords.
- Avoid using the same PIN for multiple devices.
- Avoid answering calls from unknown individuals. Be wary of impersonators attempting to deceive you into divulging information or taking action on a financial account.
- Verify callers before providing any information. If you are unsure, call the business on a known number. For example, if you receive a call from JPMorgan Chase, call the number on the back of your card, or call your J.P. Morgan team member before providing any information.
- Never provide your full card number, PIN or one-time authentication passcode to an unknown caller, even if the caller claims to be from J.P. Morgan.
- Install anti-virus software on your mobile device and activate automatic updates to ensure the devices remain protected.
- Before trading in an old device, erase any personal information it may contain by resetting it to its factory settings.
We can help
As soon as you think you may be a victim of a cell phone security problem—or any other type of fraud—contact your J.P. Morgan team member. Our teams work around the clock and will start the recovery process immediately, and work with you to recover lost funds.
¹ SIM is an integrated circuit known as the subscriber identification module (aka SIM card) that is intended to store, securely, your international mobile subscriber identity number and its related key. These are used to identify and authenticate subscribers on mobile devices.
² All case studies are based on real-life stories but have been altered to preserve privacy and confidentiality. Any name referenced is fictional and may not be representative of other individuals’ experiences. Information does not guarantee future results.