The rise in coronavirus cases is giving cybercriminals the perfect excuse to strike again with one of the most widespread digital scams of recent times.
In recent days, there have been cases of people having their WhatsApp accounts stolen after being offered fake appointments to get vaccinated against covid. Once the attackers get hold of the account, they ask the victim’s contacts for money.
This is another form of what is known as a “SIM swap”, that is, swapping the SIM card, the chip that carries the telephone line. Criminals pose as official entities, such as the Ministry of Health, to request the code that WhatsApp sends via SMS for activation. Once the victim hands it over, they lose access to their account. From there, the criminals start trying to scam the victim’s contacts.
This method has existed for several years, but the version built around coronavirus booster doses is recent.
“In three days we recorded 25 complaints regarding attempts at scams of what is called identity fraud. There is the same pattern: they are calls from WhatsApp from numbers with the characteristic 011 and a profile picture of the National Ministry of Health,” said Antonio Salinas, head of the Consumer Defense office in Rosario.
Scammers call their victims and tell them they have an appointment to get vaccinated, but to book the appointment, they will have to communicate a code that will be sent to them via SMS.
The problem is that this code has nothing to do with the vaccine: it is what WhatsApp sends when we insert a SIM with our line into a new device.
But how do criminals get a SIM card with our line? What exactly does this scam look like?
SIM Swapping: how criminals operate
SIM cards are integrated circuits that store your phone number, along with other sensitive data such as international line identity and a unique serial number. They are transferable between devices: just remove the card and insert it into another phone to transfer your phone line and personal data.
Cybersecurity specialists say that criminals use this technique to duplicate the SIM card of their victims’ mobile phones. This gives them access to all of the victim’s personal information and, above all, lets them pass the mobile (SMS) verification that applications usually require (in fact, some companies such as Mercado Libre are migrating to other types of verification because of how insecure this method is).
The problem starts with social engineering: the criminal exploits a leak of personal data (a “data leak” in the jargon) to call Personal, Movistar or Claro and request a new SIM for pickup. This SIM card carries the victim’s line.
Once in possession of the SIM, the criminals contact the victim, again using social engineering, which consists of deception through persuasion and psychological manipulation, as well as taking advantage of human error.
The code they ask for is the one WhatsApp sends via SMS to activate the account: when we hand it over, they activate the account on their device, close all WhatsApp Web sessions and turn on the application’s two-step verification.
This locks us out of recovering our account.
To avoid falling for this scam, here are two foolproof strategies.
How to protect yourself: put a password on WhatsApp
WhatsApp has what is called “two-step authentication”. This is an extra step required to access WhatsApp. If we have it activated, it is impossible for them to access our account unless we also hand over this code.
The difference with SMS is that in this case the victim is likely to become suspicious sooner: it would make no sense to give the WhatsApp password to third parties.
It is an additional security step: if the application is installed on a new device, it will ask for the six-digit code that has been set, as well as the corresponding verification. And that code is known only to the legitimate user.
Second method: set a PIN on the SIM
Few people know that, in addition to the phone’s unlock code, the SIM card can also be protected by a 4-digit PIN.
A SIM card usually comes with a default PIN, but it’s not used for blocking purposes. The SIM card is also associated with a PUK (PIN Unblocking Key) code, which is usually only used when the line is purchased for the first time.
But the SIM card can be set to require a PIN every time the phone is turned on. That way, if a scammer requests a SIM with our phone line and inserts it into his device, he will have to enter the PIN we have chosen, and he will not be able to get in and access our accounts.
To do this, you need to open the device’s security options.
Once there, open the advanced options, where the SIM lock option will appear. There you can change the PIN. It’s as simple as picking a number that we will remember.
As a tip, it’s very important not to forget this PIN: it’s a good idea to write it down on a piece of paper and leave it somewhere safe at home.
Keys to avoid scams on WhatsApp and social networks
- If you receive a message requesting money, you must first verify that the number is correct. If someone suddenly has a new number and asks for money, this is already suspicious.
- Wait a moment and check the language and communication style of the message. If it’s different than usual, you need to be careful.
- Try to communicate with the person asking for the money.
- Avoid the pressure from the scammer and stay calm.
- Never send a verification code without asking the person requesting it.
Meanwhile, Apple has already migrated its system to a type of electronic SIM: that is, there is no physical SIM.
It is not yet entirely clear what kind of scams might come from this, but criminals are definitely lurking.
SL
Source: Clarin
Linda Price is a tech expert at News Rebeat. With a deep understanding of the latest developments in the world of technology and a passion for innovation, Linda provides insightful and informative coverage of the cutting-edge advancements shaping our world.