Other Attack Methods
SIM swapping, password spraying, help desk attacks, evil twin WiFi, and account recovery abuse
The Phone Call That Cost $1.2 Million
Friday, 11:32 AM. Marcus Thompson, CEO of a mid-size logistics company, answers a call from what appears to be Verizon's fraud department. The caller is professional, concerned, and knows Marcus's full name, address, and the last four digits of his Social Security number.
"Mr. Thompson, we've detected suspicious activity on your account. Someone may be trying to port your number to another carrier. I need to verify some information to block this transfer."
Marcus cooperates. He confirms his PIN. He reads back a verification code that arrives via text. He thanks the caller for the heads-up.
By 11:44 AM, his phone shows "No Service."
By 2:45 PM, $1.2 million has left his business accounts.
What Happened
The "fraud department" call was the fraud. The caller was a criminal who had already gathered Marcus's personal information from data breaches and public records. The verification code Marcus read back wasn't blocking a transfer. It was authorizing one.
With control of Marcus's phone number, the attackers received every SMS verification code his bank sent. They reset his password. They approved wire transfers. The bank's systems logged everything as "approved by authenticated user."
Marcus had unique passwords for every account. He had two-factor authentication enabled everywhere. None of it mattered. The attackers didn't try to guess his password. They convinced his phone carrier to hand over his phone number.
| Time | Attacker Action | What Marcus Saw | System Response |
|---|---|---|---|
| 11:32 | Social engineering call | Incoming call from "Verizon" | None |
| 11:44 | SIM swap executed | Phone shows "No Service" | SMS redirected to attacker |
| 11:47 | Password reset requested | Nothing (no phone service) | Reset code sent to attacker |
| 11:52 | Bank login | Nothing | "Authenticated successfully" |
| 12:15 | Wire transfer: $400,000 | Nothing | "Approved by user" |
| 14:30 | Wire transfer: $800,000 | Nothing | "Approved by user" |
| 14:45 | Phone service restored | Service returns | Marcus discovers missing funds |
This story is fictional, but the patterns are real.
Why This Matters
In ATO 101, we covered credential stuffing, where attackers test stolen username/password pairs from data breaches. In Account Security Fundamentals, we explored authentication factors and MFA. In SSO and Token-Based Attacks, we examined how attackers steal session tokens and exploit identity providers.
This article covers a different category: attacks that bypass credentials entirely by targeting the infrastructure and people that support authentication.
Marcus did everything "right" with his passwords. The attackers went around them. As organizations improve credential security, attackers increasingly target:
- Infrastructure: Phone carriers, email providers, identity systems
- Human factors: Customer service teams, help desks, account recovery processes
- Recovery mechanisms: Password reset flows, security questions, backup verification
These attacks succeed not because victims have weak passwords, but because the systems around those passwords have weaker points.
SIM Swap Attacks
A SIM swap attack targets your phone number, not your password. When attackers convince a mobile carrier to transfer your number to a SIM card they control, they receive all your calls and texts. That includes every SMS verification code sent to that number.
How SIM Swaps Work
Step 1: Intelligence gathering. Attackers collect personal information about the target. Data breaches provide names, addresses, dates of birth, and Social Security numbers. Social media fills in details like mother's maiden name or pet names (common security question answers). Public records reveal previous addresses and phone numbers.
Step 2: Social engineering the carrier. Armed with this information, attackers contact the mobile carrier. They might call customer service pretending to be the victim, visit a retail store with a fake ID, or bribe an insider at the carrier. The goal: convince someone at the carrier to transfer the phone number to a new SIM.
Step 3: Taking control. Once the swap completes, the victim's phone loses service. All calls and texts now route to the attacker's device. Password reset codes, MFA verification texts, account alerts: everything arrives in the attacker's hands.
Step 4: Account takeover. With SMS codes in hand, attackers reset passwords and bypass MFA on email, banking, cryptocurrency, and any other account linked to that phone number. High-value transfers happen within hours.
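The bank-side counterpart to these four steps, as an added example that is not from the original article: a simple fraud-control rule that treats money movement shortly after an SMS-based password reset as suspicious. It assumes a hypothetical account-event feed (the `EVENTS` list, its fields, and the `RECOVERY_COOLDOWN` and `HIGH_VALUE` thresholds are all constructed) and mirrors the timeline from the opening story.

```python
"""A fraud-control rule for the sequence in the SIM-swap story: money movement
shortly after an SMS-based account recovery. Added example, not from the
original article; the account-event feed and thresholds are constructed."""
from datetime import datetime, timedelta

RECOVERY_COOLDOWN = timedelta(hours=24)   # how long an account counts as "just recovered"
HIGH_VALUE = 10_000                       # constructed threshold above which a hold applies

# Constructed feed modelled on the article's timeline: (time, account, kind, detail)
EVENTS = [
    ("2025-03-07T11:47:00", "acct-4471", "password_reset", "via=sms_code"),
    ("2025-03-07T11:52:00", "acct-4471", "login", "device=new"),
    ("2025-03-07T12:15:00", "acct-4471", "wire", "amount=400000"),
    ("2025-03-07T14:30:00", "acct-4471", "wire", "amount=800000"),
    # Ordinary customer: reset by e-mailed link, known device, small payment.
    ("2025-03-07T10:05:00", "acct-9001", "password_reset", "via=email_link"),
    ("2025-03-07T10:06:00", "acct-9001", "login", "device=known"),
    ("2025-03-07T10:20:00", "acct-9001", "wire", "amount=2500"),
    # Large but routine: known device, no recent recovery.
    ("2025-03-07T09:00:00", "acct-1234", "login", "device=known"),
    ("2025-03-07T09:30:00", "acct-1234", "wire", "amount=250000"),
]


def parse_events(events):
    """Turn the raw tuples into (datetime, account, kind, {key: value}), oldest first."""
    out = []
    for ts, account, kind, detail in events:
        key, _, value = detail.partition("=")
        out.append((datetime.fromisoformat(ts), account, kind, {key: value}))
    return sorted(out, key=lambda e: e[0])


def decide(wire, history):
    """history: earlier events for the same account. Returns (decision, reasons)."""
    when, _, _, detail = wire
    amount = int(detail["amount"])
    reasons = []
    resets = [e for e in history
              if e[2] == "password_reset" and when - e[0] <= RECOVERY_COOLDOWN]
    if resets:
        reset = resets[-1]
        minutes = int((when - reset[0]).total_seconds() // 60)
        reasons.append(f"password reset {minutes} min before transfer via {reset[3]['via']}")
        if reset[3]["via"] == "sms_code":
            reasons.append("recovery relied on SMS, which a SIM swap redirects")
        if any(e[2] == "login" and e[3].get("device") == "new" and e[0] >= reset[0]
               for e in history):
            reasons.append("a new device logged in after the reset")
    if reasons and amount >= HIGH_VALUE:
        return "hold", reasons        # confirm through a channel that is not the phone number
    if reasons:
        return "step_up", reasons     # re-verify before releasing
    return "allow", reasons


def review(events):
    """Run every wire through decide(); results keyed by (account, ISO time)."""
    decisions = {}
    timeline = parse_events(events)
    for i, event in enumerate(timeline):
        if event[2] != "wire":
            continue
        history = [e for e in timeline[:i] if e[1] == event[1]]
        decisions[(event[1], event[0].isoformat())] = decide(event, history)
    return decisions


if __name__ == "__main__":
    for (account, when), (decision, reasons) in review(EVENTS).items():
        print(account, when, decision, "; ".join(reasons))
```

The rule needs nothing from the carrier: it keys off facts the bank already holds (how the account was recovered, whether the next login came from a new device, how soon the money moves). A hold should be cleared through something other than the phone number, since that is exactly what the attacker controls.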
SIM Swap vs. Port-Out Fraud
Two similar attacks target phone numbers:
SIM swap: The phone number stays with the same carrier, but the carrier associates it with a different SIM card (the attacker's).
Port-out fraud: The phone number is transferred to a different carrier entirely, under the attacker's control.
Both achieve the same result: the attacker receives the victim's calls and texts. Port-out fraud is harder to execute because it involves coordinating between two carriers, but it's also harder for victims to quickly reverse.
Why Phone Numbers Matter So Much
Phone numbers have become de facto identity verification. Banks use them for MFA. Social media platforms use them for account recovery. Email providers use them as backup verification.
This creates a single point of failure. Control the phone number, control the person's digital identity.
The Scale of SIM Swap Fraud
The FBI's Internet Crime Complaint Center (IC3) received 982 SIM swap complaints in 2024, with reported losses of $26 million. That's an average of roughly $26,500 per victim.[1]
These numbers likely undercount the problem. Many victims don't report to the FBI, and some don't realize their losses stemmed from a SIM swap. In the UK, the fraud prevention service Cifas reported a 1,055% increase in SIM swap cases in 2024 compared to the prior year.[2]
Password Spraying
Password spraying is a "low-and-slow" approach to breaking into accounts. Instead of trying many passwords against one account (which triggers lockouts), attackers try one common password against many accounts.
How It Differs from Credential Stuffing
Credential stuffing (covered in ATO 101) uses stolen username/password pairs from data breaches. The attacker already has credentials; they're testing whether victims reused those passwords elsewhere.
Password spraying doesn't require stolen credentials. The attacker has a list of usernames (often email addresses, which are easy to enumerate) and guesses that some percentage of users chose weak passwords.
| Approach | Attackers Have | Attackers Guess | Lockout Risk |
|---|---|---|---|
| Credential stuffing | Username + password pairs | Whether passwords were reused | Low (one attempt per account) |
| Password spraying | Usernames only | Common passwords | Low (few attempts per account) |
| Brute force | Usernames only | Every possible password | High (many attempts per account) |
Why It Works
Password spraying exploits predictable human behavior. Given a million accounts, some percentage will have passwords like:
- Seasonal passwords: Spring2024!, Summer2025!, Winter2024!
- Company variations: CompanyName1!, Acme2024!
- Keyboard patterns: Qwerty123!, Password1!
- Minimal compliance: The shortest password that meets complexity requirements
Attackers try one password across thousands or millions of accounts, wait a day (to avoid velocity-based detection), then try another. With a 0.1% success rate against a million targets, that's 1,000 compromised accounts.
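A detection view of the same arithmetic, added here and not part of the original article: classify failed-login activity per source as brute force, spraying, or benign, and separately count accounts that each saw exactly one failure, which is the spray signature even when the attacker rotates addresses. The log format, IP addresses (documentation ranges), usernames and thresholds are all constructed.

```python
"""Telling password spraying apart from brute force in authentication logs.
Added example, not from the original article; the log format, addresses and
thresholds are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

SPRAY_MIN_USERS = 10          # distinct accounts hit from one source...
SPRAY_MAX_PER_USER = 2        # ...with at most this many failures each
BRUTE_MIN_ATTEMPTS = 8        # failures against one account from one source
WINDOW = timedelta(hours=24)  # long window: sprayers pace themselves to dodge velocity rules


def build_sample_log():
    """Constructed lines of the form '<ISO time> <source IP> <user> <FAIL|OK>'."""
    t0 = datetime(2025, 3, 3, 9, 0, 0)
    lines = []
    # Spray: one source, a single try against each of 25 accounts, paced 2 minutes apart.
    for i in range(25):
        t = t0 + timedelta(minutes=2 * i)
        lines.append(f"{t.isoformat()}Z 203.0.113.7 user{i:02d} FAIL")
    # Brute force: one source hammering a single privileged account.
    for i in range(12):
        t = t0 + timedelta(minutes=30, seconds=5 * i)
        lines.append(f"{t.isoformat()}Z 198.51.100.4 finance-admin FAIL")
    # Benign: a user mistypes twice, then logs in.
    for i, result in enumerate(["FAIL", "FAIL", "OK"]):
        t = t0 + timedelta(minutes=40, seconds=20 * i)
        lines.append(f"{t.isoformat()}Z 192.0.2.10 alice {result}")
    return lines


def parse(line):
    ts, src, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result


def classify_source(failures, window=WINDOW):
    """failures: list of (time, user). Scans every window-long span that starts at a failure."""
    failures = sorted(failures)
    verdict = "benign"
    for i, (start, _) in enumerate(failures):
        per_user = defaultdict(int)
        for ts, user in failures[i:]:
            if ts - start > window:
                break
            per_user[user] += 1
        busiest = max(per_user.values())
        if busiest >= BRUTE_MIN_ATTEMPTS:
            return "brute_force"          # deep on one account: trips lockouts
        if len(per_user) >= SPRAY_MIN_USERS and busiest <= SPRAY_MAX_PER_USER:
            verdict = "password_spray"    # wide and shallow: stays under lockout thresholds
    return verdict


def classify_sources(lines, window=WINDOW):
    """Map each source IP to a verdict based on its failed logins."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, user, result = parse(line)
        if result == "FAIL":
            by_src[src].append((ts, user))
    return {src: classify_source(events, window) for src, events in by_src.items()}


def single_failure_accounts(lines):
    """Source-agnostic view: how many accounts saw exactly one failure in the log.
    A spike here is the spray signature even when the attacker rotates source IPs."""
    per_user = defaultdict(int)
    for line in lines:
        _, _, user, result = parse(line)
        if result == "FAIL":
            per_user[user] += 1
    return sum(1 for n in per_user.values() if n == 1)


if __name__ == "__main__":
    log = build_sample_log()
    for src, verdict in classify_sources(log).items():
        print(f"{src:15} {verdict}")
    print("accounts with exactly one failure:", single_failure_accounts(log))
```

The thresholds and the 24-hour window are the tuning knobs. Per-source lockout counters never fire on the spray source, because no account sees more than one failure; only the wide-and-shallow shape across accounts gives it away, and a sprayer who waits a day between passwords still adds one failure per account per day, so the per-account count has to be kept across days rather than reset each night.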
Microsoft and Midnight Blizzard
In January 2024, Russian threat actors (APT29, also known as Midnight Blizzard) compromised Microsoft's corporate systems through password spraying. They successfully guessed the password on a test tenant account that didn't have MFA enabled.
From that foothold, they accessed a test OAuth application with elevated permissions, then pivoted to employee mailboxes. The attack expanded throughout 2024, with password spraying attempts increasing tenfold. Attackers eventually compromised source code repositories using information stolen from Microsoft emails.[3]
Microsoft wasn't breached because their security was weak. They were breached because one test account, in one test tenant, lacked MFA. Attackers found it through patient, low-and-slow password spraying.
The Scale of Password Attacks
Microsoft's 2024 Digital Defense Report found that password-based attacks make up more than 99% of identity attacks. Microsoft blocks 7,000 password attacks per second across their services.[4]
Help Desk and Customer Service Attacks
Social engineering attacks target people, not technology. A help desk agent who wants to be helpful, a customer service rep under pressure to resolve tickets quickly, a retail employee who doesn't want to create a confrontation: these are the targets.
How These Attacks Work
Authority impersonation: "This is James from the CFO's office. She's traveling internationally and locked out of her account. Can you reset it immediately?"
Urgency and pressure: "We have a wire transfer due in 20 minutes. If this doesn't go through, we lose the deal. Can you just reset it now and we'll sort out the verification later?"
Technical excuses: "I'm at the airport and my phone died. My authenticator app was on that phone. Can you bypass the MFA just this once so I can approve this payment?"
Information fishing: "I need to verify some security details before we proceed. What email address do you have on file for me? And what's the last four of the card number?"
The attacker already researched the target. LinkedIn profiles reveal job titles, reporting structures, and recent job changes. Company websites show organizational charts. Press releases announce executive travel. Social media reveals personal details.
With this intelligence, attackers craft convincing pretexts. They know enough to sound legitimate without having the one piece of information (the actual password, the MFA code) that would let them in through normal channels.
Why Help Desks Are Vulnerable
Help desk staff are measured on resolution speed and customer satisfaction. Security friction creates unhappy customers and longer handle times. This creates tension between security and service.
Attackers exploit this by:
- Calling during busy periods when staff are rushed
- Escalating to supervisors who may override security controls to resolve complaints
- Building rapport over multiple calls before making the actual request
- Threatening to escalate or leave negative feedback
For more on social engineering psychology and techniques, see the Social Engineering module.
Rogue Access Point Attacks
Evil twin attacks create fake WiFi networks with the same name as legitimate ones. Coffee shops, hotels, airports, and office buildings all become opportunities.
When victims connect to the attacker's network, all their traffic flows through attacker-controlled infrastructure. The attacker can:
- Intercept unencrypted data: Login credentials, form submissions, and session cookies sent over HTTP
- Serve fake captive portals: "Enter your email and password to access WiFi" pages that harvest credentials
- Perform SSL stripping: Downgrading HTTPS connections to HTTP, though HSTS (HTTP Strict Transport Security) makes this ineffective against major sites like Gmail, Facebook, and banks
- Inject malicious content: Serving fake login pages for sites the victim tries to access
The attack requires minimal equipment: a laptop with a WiFi adapter and freely available software. In crowded locations, attackers can simply name their network "Starbucks WiFi" or "Airport Free WiFi" and wait for devices to connect automatically.
Modern HTTPS protections limit what attackers can intercept on properly configured sites. But credential harvesting through fake captive portals remains effective because victims expect to enter credentials when connecting to public WiFi.
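To see why HSTS blunts SSL stripping, and where the gap remains, here is an added example (not from the article) modelling a browser's HSTS store: parsing the header, expiring entries, honouring includeSubDomains and the preload list, and upgrading http:// URLs before any request leaves the device. The hostnames, times and the `preloaded.example` entry are constructed.

```python
"""Why SSL stripping fails against a remembered HSTS policy, and when it doesn't.
Added example, not from the original article: a minimal model of a browser's
HSTS store; all hostnames, times and policies are constructed."""
from datetime import datetime, timedelta
from urllib.parse import urlsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797). Returns
    (max_age_seconds, include_subdomains) or None if the header is unusable."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()              # directive names are case-insensitive
        if name == "max-age":
            value = value.strip().strip('"')     # the value may be quoted
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:                          # max-age is mandatory
        return None
    return max_age, include_sub


class HstsStore:
    """The hosts a browser has promised to reach only over HTTPS."""

    def __init__(self, preload=()):
        # host -> (expiry, or None for preloaded entries; include_subdomains)
        self.entries = {host: (None, True) for host in preload}

    def observe(self, host, header, now):
        """Record a policy. Callers must only pass headers received over HTTPS:
        RFC 6797 requires clients to ignore HSTS sent over plain HTTP."""
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if host in self.entries and self.entries[host][0] is None:
            return                               # preloaded entries are not overridden here
        if max_age == 0:                         # max-age=0 means "forget this host"
            self.entries.pop(host, None)
            return
        self.entries[host] = (now + timedelta(seconds=max_age), include_sub)

    def is_known(self, host, now):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry is not None and expiry <= now:
                continue                         # policy expired: no protection
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url, now):
        """What the browser actually sends: http:// is upgraded for known hosts,
        so a downgrading proxy never sees a plaintext request to them."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname, now):
            return "https://" + url[len("http://"):]
        return url


def strip_attempt_outcomes():
    """Requests a victim might type on a hostile network (constructed scenario)."""
    now = datetime(2025, 3, 3, 12, 0)
    store = HstsStore(preload=["preloaded.example"])
    # A month ago the bank was visited over HTTPS and sent a one-year policy.
    store.observe("bank.example", "max-age=31536000; includeSubDomains", now - timedelta(days=30))
    # A site whose short policy has already lapsed.
    store.observe("old.example", "max-age=60", now - timedelta(seconds=120))
    return {
        "bank": store.rewrite("http://bank.example/login", now),
        "bank_sub": store.rewrite("http://online.bank.example/", now),
        "preloaded": store.rewrite("http://preloaded.example/", now),
        "expired": store.rewrite("http://old.example/", now),
        "first_visit": store.rewrite("http://cafe-portal.example/", now),  # never seen: no upgrade
    }
```

The `first_visit` and `expired` cases are the gap: a host the browser has never seen over HTTPS, or whose policy has lapsed, and that is not on the preload list gets no upgrade, which is why unfamiliar sites and captive portals remain exposed while preloaded sites like the ones the text names do not.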
In 2024, an Australian man was sentenced to seven years in prison for running evil twin attacks on domestic flights and at airports in Perth, Melbourne, and Adelaide. He used a portable device to mimic legitimate WiFi networks, directing passengers to fake login pages that captured their social media credentials.[5]
Account Recovery Abuse
Account recovery mechanisms exist because people forget passwords. But they create alternative paths into accounts. Attackers target these paths.
Security Questions
"What's your mother's maiden name?" "What city were you born in?" "What was the name of your first pet?"
These questions made sense when the answers weren't easily discoverable. Today, social media profiles, public records, and data breaches often expose these "secrets." An attacker can research a target's family history, hometown, and pet names without ever interacting with them.
Backup Email Attacks
Many accounts allow password resets via a backup email address. If that backup email is an old account with weak security (or a forgotten account the victim no longer monitors), attackers can compromise it first, then use it to reset the primary account.
This creates an attack chain: compromise the old email account, use it to reset the current email account, use that to reset banking and financial accounts.
Knowledge-Based Authentication (KBA)
When you call a bank and they ask "What's the last four of your Social Security number?" or "What was your previous address?", that's knowledge-based authentication. The theory: only you would know these facts.
In practice, this information is widely available. Data breaches have exposed hundreds of millions of Social Security numbers. Public records reveal address histories. Credit reports (which attackers can sometimes access through compromised credentials) show financial history.
KBA questions aren't verification. They're a shared fiction that both parties pretend confirms identity.
Email as the Master Key
ATO 101 explained how email accounts function as a "master key" for digital identity. Whoever controls your primary email can reset passwords on almost every other account.
Account recovery abuse often starts with email compromise. A phished password, a forgotten backup account, or a SIM swap that intercepts MFA codes: once attackers control the email, they control the recovery flow for everything else.
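The recovery chain described in this section (old email to current email to financial accounts) and the phone number as a single point of failure can be audited as a graph. Added example, not from the article, with a constructed inventory: `weakest_links` lists the leaf identities that unlock a target and the reset chain from each, `blast_radius` shows what one compromised identity reaches, and `without_channel` shows the effect of dropping SMS recovery.

```python
"""Recovery-dependency audit: which single identity, if taken over, unlocks a
target account through reset flows alone? Added example, not from the original
article; the inventory of accounts and their recovery settings is constructed."""
from collections import defaultdict, deque

# Constructed inventory: account -> identities that can reset its password.
# "phone:..." is an SMS channel; "security-questions" and "helpdesk" stand for
# recovery paths that end outside the user's own control.
RECOVERY = {
    "bank": ["primary-email", "phone:+15550100"],
    "crypto-exchange": ["primary-email"],
    "primary-email": ["old-email", "phone:+15550100"],
    "old-email": ["security-questions"],       # forgotten account, never cleaned up
    "work-sso": ["helpdesk"],
}


def resetters(recovery):
    """Invert the map: identity -> set of accounts it can reset."""
    inv = defaultdict(set)
    for account, channels in recovery.items():
        for channel in channels:
            inv[channel].add(account)
    return inv


def blast_radius(identity, recovery):
    """Accounts an attacker reaches by chaining resets outward from `identity`."""
    inv = resetters(recovery)
    reached, queue = set(), deque([identity])
    while queue:
        current = queue.popleft()
        for account in inv.get(current, ()):
            if account not in reached:
                reached.add(account)
                queue.append(account)
    return reached


def weakest_links(target, recovery):
    """Leaf identities (nothing resets them in turn) that unlock `target`,
    each with the shortest reset chain, listed starting from the leaf."""
    chains = {}
    queue = deque([(target, [target])])
    seen = {target}
    while queue:
        current, path = queue.popleft()
        channels = recovery.get(current, [])
        if not channels:
            chains[current] = list(reversed(path))
            continue
        for channel in channels:
            if channel not in seen:
                seen.add(channel)
                queue.append((channel, path + [channel]))
    return chains


def without_channel(recovery, channel):
    """The same inventory with one recovery channel removed everywhere."""
    return {acct: [c for c in chans if c != channel] for acct, chans in recovery.items()}


if __name__ == "__main__":
    for leaf, chain in weakest_links("bank", RECOVERY).items():
        print(f"{leaf} -> " + " -> ".join(chain[1:]))
    print("phone number unlocks:", sorted(blast_radius("phone:+15550100", RECOVERY)))
    hardened = without_channel(RECOVERY, "phone:+15550100")
    print("after removing SMS recovery:", sorted(blast_radius("phone:+15550100", hardened)))
```

Run against a real inventory, the leaves are where the review effort belongs: every leaf is protected by someone else's verification process (a carrier, a help desk, researchable facts), and the chain length says how many resets separate it from the money.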
Key Takeaways
- Infrastructure attacks bypass credential controls entirely. Marcus had unique passwords and MFA everywhere. None of it mattered because attackers convinced his phone carrier to transfer his number. Strong passwords don't help when attackers go around them.
- Phone numbers have become identity anchors with carrier-level security. Banks treat phone numbers as identity verification, but carriers protect them with security questions and underpaid customer service reps. This mismatch creates opportunity for attackers.
- Password spraying exploits predictable human behavior at scale. With millions of targets and common passwords like "Spring2025!", attackers will find accounts to compromise. The Microsoft/Midnight Blizzard breach started with one test account that lacked MFA.
- Social engineering targets helpful people, not weak technology. Help desk staff want to resolve problems quickly. Attackers exploit this by creating urgency, impersonating authority, and building rapport.
- Account recovery is often the weakest authentication path. Security questions, backup emails, and knowledge-based authentication create alternative routes into accounts. These paths often have weaker security than the front door.
What's next: The ATO Glossary provides a reference for all authentication and account takeover terminology covered in this module.
Key Terms
| Term | Definition |
|---|---|
| SIM swap | Attack where criminals convince a mobile carrier to transfer the victim's phone number to a SIM card they control |
| Port-out fraud | Attack where criminals transfer the victim's phone number to a different carrier under their control |
| Password spraying | Attack testing one common password across many accounts to avoid lockouts |
| Knowledge-based authentication (KBA) | Identity verification using personal facts (SSN, address history, etc.) that attackers can often research |
| Evil twin attack | Rogue WiFi access point mimicking a legitimate network to intercept traffic or harvest credentials via fake captive portals |
| Pretexting | Creating a fabricated scenario to manipulate targets into revealing information or granting access |
| Social engineering | Manipulating people rather than technology to bypass security controls |
References
1. FBI Internet Crime Complaint Center 2024 Report - SIM swapping: 982 complaints, $26 million in losses
2. Cifas UK Fraudscape 2025 Report - 1,055% increase in SIM swap cases in 2024
3. Push Security: 2024 Identity Breaches - Microsoft/Midnight Blizzard password spraying attack
4. Microsoft Digital Defense Report 2024 - 7,000 password attacks blocked per second, 99%+ of identity attacks are password-based
5. Australian Federal Police: WA man jailed for stealing intimate material and using 'evil twin' WiFi networks - 7-year sentence for evil twin attacks on flights and at airports
Generated with AI assistance. Reviewed by humans for accuracy.