Spearfishing: it’s no longer just a tropical ocean sport that could provide seafood for dinner. In today’s tech world, spearfishing is when someone targets you specifically, usually with the goal of taking over your online accounts or identity. Once that’s done, the attacker will try to siphon money from your bank account, impersonate you in an attempt to deceive family or colleagues into sending money, or attempt to ruin your reputation.
You’re probably thinking, “No one would ever target me. I’m not interesting enough.” It is true that the people who should worry the most about spearfishing attacks are high profile or have a high net worth, but modern online criminals aren’t that fussy. If you have a lot of public information out there (an many of us do, whether or not it’s on purpose) you may be an easy target, and they will go for the low-hanging fruit. You should also be concerned if you’re a politician or journalist, have ever been involved in an ugly divorce or legal battle, or can easily think of people who have it in for you.
As I’ve said many times, it’s extremely important that you use a secure password manager like iCloud Keychain, 1Password, or LastPass to create, store, and enter a strong, unique password for each of your online accounts. Plus, I strongly recommend using two-factor authentication—where you have to enter a one-time code in addition to your password—on all accounts that support it, particularly important ones like your email and banking accounts. But even if you do all that, you may be vulnerable to another tactic favored by spearfishers—the cell phone SIM takeover.
Here’s how it works. Every cell phone, including every iPhone, has inside it a SIM card that gives it a phone number. Swap that SIM into a different phone and it will adopt your cell phone account. The problem is that support reps at cellular carriers like AT&T, Sprint, T-Mobile, and Verizon can reassign your account to another SIM card. The reason they can do this is so if you lose your iPhone and buy a new one, your phone number can be associated with the new SIM.
All an attacker has to do is call your cellular provider, pretend to be you, say that they’ve lost their iPhone, and ask to have the number ported to a new device (one they control). It’s likely that the support person will ask a few simple questions to verify your identity, but a clever attacker will likely know your address and be able to learn details like your mother’s maiden name, first-grade teacher’s name, and favorite color, all thanks to Facebook, public records, and the recent rise in Facebook account spoofing (ever get a friend invite from someone you were already Facebook friends with? It could be a scammer trying to glean your personal information). Criminals can even acquire information like your Social Security number through those big data breaches that I’m sure you’ve been a part of.
Once the attacker controls your cell phone number, they can try to reset the password on various accounts, receiving any verification codes that would normally have been texted to your phone. They’ll probably focus on your email account first because, with control over it, they can reset passwords elsewhere even more easily. And once the attacker has access to your accounts you’ll be faced with the difficult and complex task of retaking control and mitigating damage.
How can you protect yourself from such an attack? Whenever possible, it’s better to generate authentication codes with an app such as 1Password, Authy, or LastPass. That removes some of your exposure, but for better or worse, your cell phone number is still the most basic form of identity for many things.
The most important thing to do, then, is to set up an additional PIN or passcode that the carrier will ask for before making any changes to your account. You’ll also have to provide it when logging in to your cellular account online. Such a PIN or passcode is different from a two-factor authentication code that changes continuously—you set your PIN or passcode just like you do for your iPhone or ATM card. And, of course, make sure to store that PIN or passcode in your password manager alongside your other credentials so you don’t forget it. If you don’t have a password management system, put this PIN wherever you keep important documents such as birth certificates. Losing that PIN can be a major headache.
Learn more about how each of the major carriers supports PINs and passcodes at the links below, and if your carrier isn’t listed, call the company’s support line:
Don’t put this off—if you don’t already have a PIN or passcode on your cellular account, set it up right away.