M&S Cyberattacks Utilized a Rare Yet Hazardous Technique – Are You at Risk?
The recent cyberattack on Marks & Spencer (M&S) highlights the alarming rise of SIM-swap fraud. While the full technical details are still under investigation, reports suggest that the attackers gained access to M&S’s internal systems by taking control of an employee’s mobile number. They likely convinced IT staff to reset critical login credentials. SIM-swap fraud is not a new issue, but it has become increasingly dangerous and prevalent. According to CIFAS, the UK’s national fraud prevention service, incidents of SIM-swap fraud surged from under 300 in 2022 to nearly 3,000 in 2023. Initially a concern for cryptocurrency investors and online influencers, this type of attack now poses a significant risk to both major companies and everyday individuals.
In a SIM-swap fraud, a scammer persuades a mobile operator to transfer a victim’s phone number to a new SIM card or an embedded SIM (eSIM) under the scammer’s control. This can be achieved through various means, including phone calls, online chats, or even bribing insiders. Once the number is transferred, all calls and texts intended for the victim are redirected to the scammer, including the verification codes used to access email, banking, and messaging apps like WhatsApp. SIM-swap fraud is made more effective by the wealth of personal data scammers hold about their targets, often gathered from data breaches, phishing attacks, or social media. Once in control of the number, attackers can access sensitive information, impersonate the victim, and potentially cause significant financial and emotional harm.