What exactly is a “SIM-Swap” scam?
Here is one definition: “SIM Swap fraud (also known as
Port-Out scam or SIM splitting) is a type of account takeover fraud that generally
targets a weakness in two-factor authentication & two-step verification,
where the second factor or step is an SMS or a call placed to a mobile
telephone. The fraud exploits a mobile phone operator’s ability to seamlessly
port a telephone number to a new SIM destination. This feature is normally used
where a customer has lost or had their phone stolen.”
This type of fraud is not new. It has been with us for about
three years, but volume has been low. Judging from the recent preponderance of
articles from various jurisdictions, the specifics of this con appear to have
been shared across the global community of organized crime. Victims, if they have
the courage to report the crime (and, by present estimates, 85% choose not to),
have watched their financial accounts, whether banking, trading or crypto, suddenly
drop to zero. Law enforcement officials now report a 60% increase over prior
complaint levels.
How does this type of fraud work?
The process has several steps. The worst part of this fraud is that you may be
targeted long before the actual crime takes place.
· A fraudster obtains your bank account details and your mobile phone number
through phishing or malware.
· He approaches your mobile service provider with fake identity proof and,
claiming loss of the handset or SIM damage, requests a replacement SIM card.
· A SIM swap is typically obtained in one of these ways: using a stolen identity
to convince an MNO shop assistant that they are dealing with the account holder,
or by stealing the credentials of employees at the mobile operator or its dealers.
A post-paid (bill-pay) customer’s SIM can be reissued through the helpdesk by
answering personal verification questions such as a home address or work number.
The situation is more complex for pre-paid customers, whose verification
questions focus on the latest recharges or last numbers called. With a fake ID
document and other forged paperwork a person can also perform a SIM swap at a
mobile dealer. If a fraudster gains access (through a stolen password) to a
support agent’s account, or that of a mobile dealer assistant, the SIM swap
becomes trivial: the verification step is bypassed entirely.
· The SIM swap is typically performed late at night to avoid detection by the
victim. Some fraudsters also push the victim into switching off their phone by
harassing them with repeated calls.
· Once the phone is switched off, they perform the SIM swap without fear of
detection. Some mobile operators send an SMS notification that a SIM swap has
been requested. To stop the victim from halting the swap, fraudsters either use
the harassment method above or call the victim masquerading as a mobile operator
employee to say the SMS was sent by mistake and should be ignored.
· Following verification, the original SIM is deactivated and a new one is
issued to the fraudster.
· He then initiates financial transactions from your bank account, using the
details he stole earlier, and receives the payment confirmation requests on the
duplicate SIM. Since the original SIM has been deactivated, the real customer
remains unaware of the fraudulent transactions being made on their account.
As one security professional noted: “A high proportion of
banking customers now have mobile phone numbers linked with their accounts, and
so this attack is becoming common in some regions where this attack was not
previously so common. Unlike mobile malware, SIM fraud attacks are usually
aimed at profitable victims that have been specifically targeted through
successful social engineering.”
Andrew Blaich, a security researcher at Lookout, recently
explained in an interview that, “Unlike mobile malware, SIM fraud attacks are
usually aimed at profitable victims that have been specifically targeted
through social engineering. It’s a way attackers are attempting to gain access
to their target’s cell phone communications. There are many public cases of
attackers social engineering their way through a cellular company’s
representative to get a SIM card issued for an account the attacker doesn’t own
or have access to. It appears to be easy to do as all you need is a willing and
susceptible representative at any cellular phone store.”
Mr. Blaich then added: “Once they’ve gained unfettered
access to a victim’s phone number, criminals target bank accounts. Many banks
will send you a code to log into an account or reset a password to a mobile
phone via SMS, which means an attacker committing SIM fraud can request and
receive the code and access your bank. Next, SIM fraudsters mask money
withdrawals using a parallel system. They create a second bank account under
the victim’s name (banks where the victim is already a customer have fewer
security checks).”
There has also been a rash of articles detailing how employees of local phone
stores have facilitated these scams. Organized crime has used this tactic in many
instances around the globe, coercing low-paid staff into passing along critical
information, including with threats of physical harm to force compliance with
the criminal endeavor.
Can you protect yourself from SIM-Swap scams?
Due to the nature of this scam, it is extremely difficult to detect before it
happens. What does happen, once the SIM is swapped, is that your phone loses
service: no messages or calls in or out. If your financial institutions offer it,
request alerts by email whenever transfers or major withdrawals take place. SMS
alerts to your phone will not help, because after the swap they are delivered to
the fraudster’s handset, not yours.
Some banks and phone companies are already attacking the
issue from a number of other perspectives, too: “There are multiple
organizational and technical ways to combat SIM fraud — from introducing user
alerting and additional checks for SIM reissuing to sharing knowledge of SIM
swap activity between banks and phone companies. Banks can also consider
looking for behavioral changes through behavioral analysis technology that can
indicate a compromised device. It is possible to check whether your SIM card number
and your international mobile subscriber identity (IMSI) are the same. If there
is a discrepancy, your bank could contact you by email or landline to check.”
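The last point in the quote above, checking whether the SIM number and the IMSI “are the same”, is worth unpacking. The ICCID printed on the SIM and the IMSI the network uses are two different identifiers and will never equal each other; what a bank can do is record both at enrollment and, before sending an SMS code, ask the operator (or an aggregator; operators expose this as a SIM-swap-check API, for example the CAMARA SIM Swap API) whether the SIM currently behind the number is still the enrolled one and when it last changed. The Python below is an added example, not code from this article or from any bank or operator. The carrier lookup is a hypothetical stand-in over constructed records, and every phone number, IMSI and ICCID in it is made up. It refuses SMS codes after a recent SIM change (a 72-hour cooling-off window, which is a design choice here), for a SIM that differs from the enrolled one, and for a number the operator no longer serves, stepping down to email or landline as the quote suggests.

```python
"""Gate SMS one-time codes on a SIM-swap check (added example, not from the article).

The operator lookup is a hypothetical stand-in for a real SIM-swap API; every
number, IMSI and ICCID below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Refuse SMS codes for this long after any SIM change on the number (design choice).
SIM_CHANGE_COOLDOWN = timedelta(hours=72)


@dataclass(frozen=True)
class EnrolledNumber:
    """What the bank recorded when the customer registered the number."""
    msisdn: str
    imsi: str    # network subscriber identity seen at enrollment
    iccid: str   # serial number printed on the SIM seen at enrollment


@dataclass(frozen=True)
class CarrierRecord:
    """What the operator reports for the number right now."""
    imsi: str
    iccid: str
    last_sim_change: datetime


@dataclass(frozen=True)
class Decision:
    allow_sms: bool
    reason: str
    fallback: Optional[str] = None   # out-of-band channel to use when SMS is refused


# Constructed "now": 03:15 UTC, the kind of hour at which swaps are done.
_NOW = datetime(2024, 3, 1, 3, 15, tzinfo=timezone.utc)

# Constructed operator data standing in for the SIM-swap API response.
CARRIER_DB: Dict[str, CarrierRecord] = {
    # unchanged since enrollment, SIM over a year old
    "+15555550001": CarrierRecord("310260000000001", "8901260000000000001", _NOW - timedelta(days=400)),
    # swapped three hours ago: new IMSI and new ICCID behind the same number
    "+15555550002": CarrierRecord("310260999999002", "8901260999999999002", _NOW - timedelta(hours=3)),
    # SIM replaced months ago, but the customer never re-verified with the bank
    "+15555550003": CarrierRecord("310260999999003", "8901260999999999003", _NOW - timedelta(days=200)),
    # "+15555550004" is absent on purpose: ported out, this operator no longer serves it
}


def lookup_carrier(msisdn: str) -> Optional[CarrierRecord]:
    """Hypothetical operator query; None means the number is no longer served here."""
    return CARRIER_DB.get(msisdn)


def assess_sms_otp(enrolled: EnrolledNumber, now: datetime = _NOW) -> Decision:
    """Decide whether a one-time code may be sent by SMS to the enrolled number."""
    current = lookup_carrier(enrolled.msisdn)
    if current is None:
        # Fail closed: an unverifiable number looks exactly like a port-out.
        return Decision(False, "number not verifiable (possible port-out)", "email_or_landline")
    age = now - current.last_sim_change
    if age < SIM_CHANGE_COOLDOWN:
        hours = int(age.total_seconds() // 3600)
        return Decision(False, f"SIM changed {hours}h ago, inside cooldown", "email_or_landline")
    if current.imsi != enrolled.imsi or current.iccid != enrolled.iccid:
        # The change is old, but the SIM behind the number is not the one enrolled.
        return Decision(False, "SIM identity differs from enrollment", "reverify_in_branch")
    return Decision(True, "SIM unchanged since enrollment")


# Constructed enrollment records matching the numbers above.
ENROLLED = [
    EnrolledNumber("+15555550001", "310260000000001", "8901260000000000001"),
    EnrolledNumber("+15555550002", "310260000000002", "8901260000000000002"),
    EnrolledNumber("+15555550003", "310260000000003", "8901260000000000003"),
    EnrolledNumber("+15555550004", "310260000000004", "8901260000000000004"),
]

if __name__ == "__main__":
    for e in ENROLLED:
        d = assess_sms_otp(e)
        tail = f" -> {d.fallback}" if d.fallback else ""
        print(f"{e.msisdn}: allow_sms={d.allow_sms} ({d.reason}){tail}")
```

Run it directly to print one decision per constructed enrollment. The order of the checks matters: a freshly swapped SIM fails on recency before the identity comparison is reached, and a lookup failure is refused outright rather than treated as “no change”, since a port-out and an outage look the same from the bank’s side.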
What to do in the event you become a victim of a SIM swap scam?
If you suspect you are the victim of a SIM swap scam,
immediately call your mobile network operator for assistance. Be sure to call
the right department. They may also have a form on their website for dealing
with cases of fraud, which you can fill in, and they will assist you in an
investigation of the matter.
Also make sure to call the appropriate department at your
bank, and suspend all activity on your bank account, essentially locking it, so
that nobody is even able to log in to your online banking profile.
If you are able to, you may consider accessing your
online banking account, and changing your password, as well as changing your
associated email address and mobile phone number, so the notifications and
confirmation SMSes would arrive at a new number and email address. So even if
the criminals succeed with the SIM swap operation, the number they have is no
longer linked to your bank account. But I would more readily recommend that you
just suspend activity on your account, especially in a panic situation or if
you are unsure on how to go about doing all of that.
If money ends up getting taken out of your account, then
you need to open a case with the police for theft, preferably within 48 hours
of the fraudulent transfer or withdrawal of funds having taken place. During
this process you may receive documentation from your bank’s claims department,
which will aid in the investigation.
You might get your money back, and you might not. The
banks claim that recourse depends on the circumstances of each case. In fact,
some flat out refuse to reimburse a client, often claiming that it was the
client’s fault – that they did something in order to help facilitate the theft.
If you are fighting an uphill battle, it may be a good idea to get legal advice
on the matter.
Some recommendations
1. Make sure to become familiar with existing scams by reading appropriate blogs,
forums, or articles in the newspaper, so that when that email or SMS arrives in
your inbox, you know it is bogus.
2. The first warning signal can be your mobile network. If your phone is out of
network continuously for a few hours, treat it as an alert and contact the mobile
network operator immediately.
3. Always make sure you have suitable anti-virus software installed and that your
firewall is switched on.
4. Never reply to suspicious emails. Your bank would never ask you to enter
confidential information into an email.
5. Never click through on links that may lead you to phishing websites, websites
engineered to appear and operate like the official website. Some can install
malware on your PC just by visiting them, which could serve as another means of
obtaining your banking password(s).
6. Use your common sense. If you receive an email claiming to be from your bank,
ask yourself whether it arrived at the email address you registered with your
bank; if it came to another address, the bank did not send it.
7. Don’t use publicly visible email addresses for banking. Use a private email
address that nobody but you and your bank knows.
8. Reach your bank’s website by typing the address carefully, or from a bookmark
you created yourself on a machine you trust. Malware on a compromised PC can
tamper with bookmarks so that they redirect you to a phishing website, but a
mistyped address can land you on a look-alike domain just as easily.
9. Only ever log in to your online banking profile via the official website. Look
at the full domain name in the address bar, not just the padlock: the padlock
only means the connection is encrypted, and phishing sites obtain certificates
too. You can also check the site against a reputation or safe-browsing database
before logging in.
10. Never disclose your Internet banking password or personal identification
number (PIN) to anyone. Even your bank will never ask for it.
11. Check your bank statements regularly for strange or unusual activity.
12. Change your online banking password frequently; I would suggest at least once
every 3 months. Make sure it is a strong password, and never reuse it on any
other site.
13. Don’t answer calls or reply to SMSes from numbers you are not familiar with.
14. The 19- or 20-digit number printed on your SIM card (the ICCID) identifies
that SIM to your operator. Treat it as confidential and never share it with
anyone.
15. Even though it may be tempting to put your phone on silent or switch it off
when multiple calls come through, it may not be the best idea, as this is exactly
what the criminal may want you to do so that you don’t notice anything strange
going on with your phone.
16. Take note of the number the call or SMS came from. You can then look up this
number on Google, or contact your mobile network operator and check with them
for more information if you receive a suspicious call or SMS.
17. Consider moving to a bank that gives you better security, especially for
online and cellphone banking. Some banks are known for weak security in the
features they provide. The same could be said for some cellular networks.
18. If your bank offers a second factor that does not depend on your phone
number, such as an authenticator app or a hardware security key, use it instead
of SMS. If the bank only offers 2-step verification that relies on a mobile
phone, check whether you can set a backup number or an email address where you
can at least receive notifications.
19. Major carriers in the U.S. offer security that can help protect against SIM
card swapping. Use it to secure your account:
a. AT&T has “extra security,” a feature that requires you to provide a passcode
for any online or phone interactions with an AT&T customer representative. You
can turn it on by logging into AT&T’s web dashboard or the myAT&T app.
b. Sprint asks customers to set a PIN and security questions when they establish
service.
c. T-Mobile lets subscribers create a “care password,” which it will require when
they contact T-Mobile customer service by phone. You can set one up by visiting a
T-Mobile store or by calling customer care.
d. Verizon allows customers to set an account PIN, which they can do by editing
their profile in their online account, calling customer service, or visiting a
Verizon store.
Sources and Additional Information: