What should I do if I fall victim to a marketing scam or phishing attack?

Use this six-step plan to reduce your risk


A friend sent me a text message on a Saturday morning letting me know a LinkedIn marketing scam fooled her. She had given away her home address and cell phone number. She was concerned and wanted my advice on what to do. In this post, I will share the advice I gave her.

1. Protect your mobile provider’s online account

Your mobile provider’s online account allows you to change your phone number and swap service from one phone to another. Imagine someone taking over that online account and moving the service to another phone. Now that person could get all those six-digit 2SV (two-step verification) codes for all your accounts. Any accounts protected by text message 2SV or MFA (multi-factor authentication) can be taken over too. This type of attack is called an account takeover.

One way to prevent this is to enable MFA on your mobile provider’s online account. I will expand on this later in this post.

2. Add a SIM PIN for your phone

A SIM is a physical or digital identifier that allows us to get cellular service on our mobile phones. We can add a PIN in our phone settings to protect our SIM.

When we add a SIM PIN, the SIM cannot be transferred to another device without it. Someone can transfer the service to another phone if we do not have a SIM PIN enabled. This is called a SIM-swapping attack.

Some providers set the default SIM PIN to 0000 or 1111. When you set your own SIM PIN, that default is probably the PIN you will need to enter first. (See how easy it would be to steal?) If that does not work, call your provider and ask for the default SIM PIN for your phone.

Make sure the SIM PIN is eight or more digits long.

Below is a YouTube video showing you how to set up a SIM PIN on your phone.

Below is a Wizer Security Awareness Training video telling the true story of someone whose account was taken over in a SIM-swapping attack.


Miguel A. Calles · Serverless CISO

Author of "Serverless Security" · Specializing in CMMC, SOC 2, serverless & engineering.