Spearfishing. It’s no longer just a tropical ocean sport that could provide seafood for dinner. In today’s tech world, spearfishing is when someone targets you specifically, usually with the goal of taking over your online accounts.
Typically, the attacker will try to siphon money from your bank account, impersonate you in an attempt to deceive family or colleagues into sending money or attempt to ruin your reputation.
You’re probably thinking, “No one would ever target me. I’m not interesting enough.” It is true that the people who should worry the most about spearfishing attacks are high profile or have a high net worth, but modern online criminals aren’t that fussy. In particular, they’re more likely to go after older people. Why older people? That demographic tends to be relatively well off and less likely to notice the symptoms of a spearfishing attempt.
You should also be concerned if you’re a politician or journalist, have ever been involved in an ugly divorce or legal battle or can easily think of people who have it in for you.
As we’ve said many times, it’s imperative that you use a secure password manager such as 1Password or LastPass to create, store and enter a strong, unique password for each of your online accounts. Plus, we strongly recommend using two-factor authentication—where you have to enter a one-time code in addition to your password—on all accounts that support it, particularly email and banking accounts. However, even if you do all that, you may be vulnerable to another tactic favored by spearfishers—the cell phone SIM takeover.
Here’s how it works. Every cell phone, including every iPhone, has a SIM card inside that gives it a phone number. Swap that SIM into a different phone and it will adopt the SIM card’s number. The problem is that support reps at cellular carriers such as AT&T, Sprint, T-Mobile and Verizon can also move your phone number from one SIM card to another. That makes it possible for you to lose your iPhone, buy a new one and have your phone number associated with the new one. It also lets you port the phone number to a different carrier if you wish to switch.
An attacker could call your cellular provider, pretend to be you, say that they’ve lost their iPhone and ask to have the number ported to a new device they control. It’s likely that the support person will ask a few simple questions to verify their identity, but a clever attacker will likely know your address and be able to learn details like your mother’s maiden name, first-grade teacher’s name and favorite color, all thanks to Facebook. Criminals can even acquire information such as your Social Security number through previous data breaches.
Once the attacker controls your cell phone number, they can try to reset the password on various accounts and receive any verification codes that would normally have been texted to your phone. They’ll probably focus on your email account first because, with control over it, they can reset passwords elsewhere even more easily. Once the attacker has access to your accounts, it’s game over, and you’ll be faced with the difficult and complex task of retaking control and mitigating damage.
How can you protect yourself from such an attack? Whenever possible, it’s best to generate authentication codes with an app such as 1Password, Authy or LastPass. That removes some of your exposure, but for better or worse, your cell phone number is still the most basic form of identity for many things.
The most important thing to do is to set up an additional PIN or passcode that the carrier will request before making changes to your account. You’ll also have to provide it when logging in to your cellular account online. Such a PIN or passcode is different from a two-factor authentication code that changes continuously—you set your PIN or passcode just like you do for your iPhone or ATM card. And, of course, make sure to store that PIN or passcode in your password manager alongside your other credentials so you don’t forget it.
Learn more about how each of the major carriers supports PINs and passcodes at the links below, and if your carrier isn’t listed, call the company’s support line:
Don’t put this off—if you don’t already have a PIN or passcode on your cellular account, set it up right away.
arobasegroup has been consulting with clients and advising the best use of Apple Technology since 1998. We listen to our customers and solve problems by addressing their specific, unique needs; we never rely on a one-size-fits-all solution or require them to use a specific product. arobasegroup is your advocate in all things related to information technology. Contact us to learn how we can help: email@example.com.