LevelBlue + SentinelOne Partner to Deliver AI-Powered Managed Security Operations and Incident Response. Learn More

Your Phone Number Is More Valuable to Criminals Than You Think

When people think about cybersecurity, they usually think about protecting passwords, laptops, or email accounts. Phone numbers don't make the list very often.

Maybe they should.

A phone number by itself isn't especially dangerous. Someone can't hack your phone simply because they know your number. But it is often the starting point for a much larger attack. Criminals use phone numbers to contact victims, impersonate trusted organizations, and, in some cases, take over accounts entirely through SIM swap attacks.

None of this is new. These tactics have been around for years. The problem is they're still working.

Getting your phone number isn't the hard part

If someone wants to target a broad group of people, they can simply buy a list of phone numbers organized by geography or demographic information. Those lists exist in both legitimate and underground marketplaces.

If they're after a specific person, there are more phone number lookup services than anyone could reasonably list. Finding a phone number usually isn't the difficult part of the attack.

What matters is what happens next.

 

Most attacks start with a conversation

When someone asks if a hacker can gain access just by calling you, the answer is no.

The phone call isn't the attack. It's the setup.

Almost every successful phone-based scam relies on social engineering. The attacker pretends to be someone you trust and convinces you to do something you normally wouldn't. Sometimes that's giving away information. Sometimes it's approving a login. Sometimes it's transferring money.

The technology isn't what makes these attacks successful. It's the psychology.

A good example happened to a friend of mine just last week.

She received a call from someone claiming to be with her local county police department. They told her there was a bench warrant for unpaid traffic tickets and that she would be arrested that day unless she paid a fine immediately.

Then came the part designed to keep her from verifying the story.

They told her not to go to the police station because she could be arrested on sight. Fortunately, they said, the county had just rolled out a convenient new program that allowed fines to be paid in Bitcoin.

It sounds ridiculous after the fact, but it didn't in the moment.

Like most successful social engineering attacks, it relied on two things: urgency and fear. Before she had time to stop and think, she had transferred about $4,000.

Strengthen your defenses and protect your business with LevelBlue.

Explore Services

Why SIM swaps are so dangerous

One of the more damaging attacks involving phone numbers is a SIM swap.

A SIM swap happens when a criminal convinces your mobile provider to move your phone number to a SIM card they control. Once that happens, your calls and text messages start going to their phone instead of yours.

That's a much bigger problem than missing a few text messages.

Your phone number is likely tied to password resets, banking apps, email accounts, and multi-factor authentication for countless online services. Once an attacker controls the number, they often have everything they need to begin taking over accounts.

An added bonus—for the criminal—is that your phone usually stops working immediately, which can slow down your ability to respond while they're logging into your accounts.

 

Know what the red flags look like

Phone scams come in different forms, but they tend to follow the same playbook.

  • The caller wants you to act now.
  • They want you to believe something bad is about to happen.
  • They don't want you to verify the story with anyone else.

And eventually they'll ask you to do something that doesn't quite make sense, whether that's buying Bitcoin, purchasing gift cards, installing software, or sharing information you normally wouldn't.

If you feel pressured during the call, that's probably the biggest warning sign.

Hang up.

If the call is legitimate, you can always contact the organization yourself using a phone number from its website or one you already know.

 

A few simple protections go a long way

The good news is that protecting yourself doesn't require a lot of effort.

Most mobile carriers offer additional protections that make SIM swaps much harder. Depending on the provider, that may be a PIN, additional identity verification, or the ability to lock your SIM so it can't be transferred without your approval.

It's worth taking a few minutes to see what protections your carrier offers, before these attacks happen. They have a vested interest in preventing fraud and should be happy to discuss specific protections they provide.

It's also worth moving away from SMS-based authentication when you have the option. Authentication apps or hardware security keys are much more difficult for attackers to intercept.

 

If you think it's already happened

If your phone suddenly loses service for no obvious reason, don't assume it's just a network outage.

Contact your mobile provider immediately to verify that your number hasn't been transferred.

Then contact your bank and any financial institutions you use so they can watch for suspicious activity or temporarily lock down sensitive transactions.

Finally, start changing passwords for your most important accounts, beginning with your email. If someone controls your email, recovering everything else becomes much harder.

 

The bottom line

Personal phone numbers have gone under the radar as valuable pieces of information attackers can get. Not because the number itself gives them access, but because it opens the door to everything connected to it. The tactics aren't especially sophisticated. They don't have to be. As long as criminals can convince people to act before they think, phone-based scams will continue to work.

You can assume your phone number is easy to access, so the best defense is understanding how these attacks actually happen, recognizing the pressure tactics they rely on, and remembering that it's perfectly okay to hang up and verify the story before taking any action.

About the Author

Karl Sigler is Security Research Manager, SpiderLabs Threat Intelligence at LevelBlue. Karl is a 20-year infosec veteran responsible for research and analysis of current vulnerabilities, malware and threat trends at LevelBlue. Follow Karl on LinkedIn.

ABOUT LEVELBLUE

LevelBlue secures what's next with intelligence-led security delivering visibility and speed to stop threats faster. As the world’s largest and most analyst-recognized pure-play managed security services provider, our AI-powered managed services and cyber expertise across managed, advisory, and incident response services help clients operate with confidence. Learn more about us.

https://www.levelblue.com/resources/blogs/internal-blog/how-to-create-a-blog-post/

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo