Everything you need to know about SIM swap fraud
In case you haven’t encountered SIM swap fraud, consider yourself fortunate. It is a relatively new, advanced kind of fraud that permits fraudsters to access bank accounts, credit card numbers, and other related information (mostly it is about individual data of any kind). It is often quite difficult to find out that you are under attack. However, it is even harder to fix the damage done.
Nowadays, SIM swap fraud is a developing pattern. The U.S. Fair Trade Commission reported about 1,038 cases of SIM swap fraud in 2013, while in 2016 this number was 2,658. You can only imagine what waits for us in 2019-2020.
Nevertheless, we are not hopeless in this regard. If you know basic signs of SIM card fraud and understand how it works, then you can protect yourself against it, and prevent identity theft. Moreover, you’ll have your wallet safe and sound.
So, as you can guess, today’s topic is SIM swap fraud, and PaySpace Magazine would like to tell you more about, its basic features and signs, and ways to avoid this kind of scam.
What is a SIM swap scam?
SIM swap fraud is a sort of account takeover scam. Mostly, it is about weaknesses in the two-factor authentication (two-step verification counts as well). You may ask how scammers find a breach. If the second step/factor in two-factor authentication/two-step verification is an SMS or a call straight to a user’s device (which probably will be true), then fraudsters have the chance to pull off the scam. The fraud is based on exploiting a mobile phone carrier’s capacity to easily port a telephone number to a new SIM. Basically, they use this feature in cases of lost and stolen mobile devices. Hackers can use such an attack not only for credential stealing and one-time password capturing (which are sent through SMS), but also for causing financial damage.
We can bet you know what a mobile phone SIM card is. There is clearly no need to explain this. But you should know that user data is stored in GSM (Global System for Mobile Communications) phones. They are primarily used to verify cell phone subscriptions. In other words, it is obvious that GSM phones simply can’t tap into any mobile network without a SIM card.
SIM swap fraud, in turn, uses the SIM system’s major fragility: Platform agnosticism.
Unlike mobile malware, SIM fraud attacks are usually aimed at profitable victims that have been specifically targeted through social engineering.
The ways to get data
Now the major question is how scammers attempt to gain access to the victim’s mobile phone communication. Sometimes, fraudsters reach a mobile provider’s representative in order to get a SIM card that was issued for an account the fraudsters do not own. And it is not the hardest mission, if you look at this matter from that point of view. Thus, all you have to do is to reach out to a willing or susceptible representative in any mobile phone store.
Emma Mohan-Satta, a fraud prevention consultant at Kaspersky Labs, explained that phone-based authorization has unwillingly turned SIM swap fraud into a lucrative fraud business, and taken this to the next level.
Initially, the core idea of a SIM swap fraud is to collect victim’s personal data. The more data fraudsters have, the better deal they might get. Such kinds of scam can also include the sending of phishing emails (for example, on behalf of credit card companies or health insurers). Therefore, they can easily confuse a victim through a mix-up related to their legal name, date of birth, address, or cell phone number.
If a criminal has collected sufficient data (everything they need to know about a victim), he/she is able to create a false identity. Now, the first step is to call the target’s phone provider and state that their SIM card has been lost/stolen/damaged. Generally, the second step is about asking representatives of client service to activate a SIM card/number they have now.
You might know that most mobile phone providers will not agree to implement such a thing unless a caller gives answers to special security questions. This is where the “magic” (actually, bad kind of magic) happens. SIM scammers are prepared for such a trick since they usually already have all the personal info they need (they have collected it beforehand).
At this stage, it is not so hard to put it together, even if the scammers are not the most experienced and sophisticated. If they have access to a target’s cell phone number, they can attack bank accounts.
Usually, a bank will send you a code via SMS in order to check whether it is you who is trying to reset a password or log into an account. If a fraudster reads your SMS messages, they can see this code. It is as simple as that.
The last step is to disguise money withdrawals. There are different ways to implement this, and you should know that these ways become more and more sophisticated. For instance, they can use a parallel system. It is about creating a second bank account using the target’s name. A bank would consider such a money withdrawal as a transfer between the two accounts of one owner (two parallel accounts).
Prevention of SIM swap fraud
Most mobile providers have different security systems and scam prevention tools, but it always depends on a provider per se, and the country you live in. At this point, contact your mobile provider for detailed information.
On the other hand, the simplest way to avoid this type of scam is to adhere to a few common-sense rules.
- Avoid revealing too much personal data online.
- Avoid using SMS as a primary method of communication.
- Use encrypted messaging applications.