Campus Cybersecurity Announcement

Cell Phone Number Phishing

Recently, campus has received thousands of phishing emails specifically seeking cell phone numbers. This is a change in tactic from the usual attempts to obtain accounts and passwords. There are two likely reasons why this has occurred:

  • Many online services, from Twitter to banks, use Multi-Factor Authentication for password resets, and phone numbers are used in the MFA verification.
  • There have been several large third-party breaches that affected millions of people. The data from these breaches gives the attackers almost enough information to steal identities. The cell phone number is the key to defeating MFA or otherwise tricking you through additional texting scams.

The Risk to You

Attackers could now attempt to attack and ransom your digital assets directly by stealing your phone number or directly texting you malicious links/attachments that are aimed at stealing financial and personal information. This has recently happened to one of our own NIU employees.

The attackers use the data from the breaches mentioned above to carry out a social engineering attack on the cellular service providers to steal your phone number.

If that is successful, they immediately use the password reset function to intercept the MFA challenge for online banks, email accounts, and any cloud storage you have in order to steal your money, photos, and any valuable content you have online. They will then hold your digital assets for ransom.

How Would I Know if an Attacker Has Stolen My Phone Number?

If your phone receives no signal or says "Emergency calls only" even after restarting the phone, use another phone to contact your provider immediately and have them check the status of your account for any recent changes.

Phone hijacking can also happen via phishing attacks. Do not click on suspicious links/attached files sent to your mobile devices by SMS text or in email. Malware embedded in links/files can compromise your device. When in doubt, please send an email to abuse@niu.edu reporting the suspicious link/sender.

Review your credit card bills, bank statements and phone bills regularly. If something doesn't look right, report it immediately to your credit card, bank or phone company.

How to Protect Yourself

  • Don't fall prey to phishing, vishing, or SMSishing. Always review the details of an email or text to determine if it is legitimate.
  • Do not post your phone number on social media.
  • Minimize the use of your phone number for MFA; instead, prefer authenticator apps like Microsoft Authenticator or Google Authenticator.
  • If possible, keep an offline backup of important digital assets.
  • Protect your phone number from being stolen! Contact your service provider to implement a PIN or require an in-person phone number change.

Each cellular service provider handles additional phone number security differently:

  • Verizon explains how you can add a PIN to your account.
  • AT&T has a guide on how to set up extra security on your account.
  • T-Mobile allows you to set up a customer passcode.
  • Sprint lets you add an account PIN for greater security.

Report it!

If you receive a phishing SMS text or email, forward it as an attachment to abuse@niu.edu.
