SIM-Swapping Fraud: How To Protect Yourself

With smartphones providing a gateway to our financial data, they are becoming a prime target for fraudsters. SIM-swapping fraud occurs when someone takes control of your mobile phone number and uses it to gain access to your apps and banking.

Overview

This article addresses the following issues:

  • why there has been a rise in SIM-swapping fraud;
  • what it is;
  • how it works; and
  • how to protect yourself from this type of fraud.

Summary

  • In the UK, reports of SIM-swapping fraud have increased by 400% since 2015.
  • SIM-swapping begins with identity theft.
  • Be vigilant and do not give out personal information unless you are sure the request is genuine.
  • Red flags indicating you are a victim of SIM-swapping fraud are: i) sudden loss of network; ii) communication from your network provider concerning a new SIM card or PAC code request that you have not made; iii) being unable to access your bank accounts in the usual way.
  • Swap text-based two-factor authentication for a physical indicator such as touch ID or face recognition; alternatively, use two-factor authentication that is tied to your device, not your phone number.

SIM-swapping Fraud

In March 2020 a press release from Europol announced that it had been involved in two separate operations investigating SIM-swapping fraud.

In “Operation Quinientos Dusim”, 12 arrests were made of criminals believed to be part of a hacking ring that had stolen over 3 million euros in a series of SIM-swapping attacks. It is understood that the individuals came from a variety of countries, from Colombia to Romania, and had struck over 100 times, stealing between 6,000 and 137,000 euros per attack. Each attack was carried out in a very short period of time, typically 1-2 hours, which is barely enough time for the victim to realise that something is awry.

Further, “Operation Smart Cash” led to the arrests of 14 members of a criminal gang who emptied bank accounts in Austria by gaining control of their victims' phone numbers and withdrawing money from cash machines using an authentication code sent to the phone. It is estimated that they managed to steal over half a million euros.

It is clear that this type of fraud is on the increase: in the UK, reports to Action Fraud of SIM-swapping have increased by 400% since 2015.

What is SIM-swapping fraud?

SIM-swapping is when fraudsters gain access to your mobile phone number and use it to gain access to personal data and accounts.

If you access your bank accounts through text-based two-factor authentication, you could be at risk. Text-based two-factor authentication means that you log in to your bank account by entering your username and password, and your bank then sends an access code to your phone to allow you to complete your log-in.

How does SIM-swapping work?

Firstly, the fraudster will start by gathering personal information about the victim. This can be done in any number of ways, such as phishing emails, buying it on the dark web, attacking your device with malware or direct interaction. Simply put, it starts with identity theft. It is worth noting that in some cases SIM numbers can be changed directly by your provider through a bribed employee.

Once the scammer has enough information to pose as you, they will contact your network provider and ask for your number to be switched to a new SIM in their possession, or request a PAC code to allow them to move the number to a new network. The result for you will be a sudden loss of network coverage with no explanation, and the fraudster will then receive all your calls and SMS messages.

In 2019, Twitter CEO Jack Dorsey’s Twitter account was hacked by this method.

Thereafter, the fraudster will use the stolen credentials to log in to your financial accounts and validate any transactions that they undertake with the password sent by the bank to the mobile phone. In addition, access can easily be gained to websites that use your phone number to reset passwords. Amazon is one such website.

Signs you may have been a victim

  1. You have a sudden loss of network in a place where you would usually have connectivity.
  2. You are notified by your phone provider regarding a new SIM card or PAC code request.
  3. You are no longer able to access your accounts.

What to do if your SIM has been swapped

You should report the situation to your service provider and your bank immediately. Even if no transactions have been made, an alert can be placed on the account, and passwords and authentication processes can be changed.

How to protect yourself from SIM-swapping fraud

The best way to avoid SIM-swapping fraud is not to use text-based two-factor authentication and instead opt for something physical, such as your fingerprint or facial recognition. Alternatively, you could use two-factor authentication apps that are tied to your device rather than your number.

  1. Protect your mobile account by adding a password or passcode to it.
  2. Restrict who can see your social media profiles, as they may contain details such as your date of birth, favourite football team or pet’s name that will allow a fraudster to pass security questions.
  3. Be vigilant and do not provide any personal information unless you are absolutely sure that the request is genuine.
  4. Use two-factor authentication apps that are tied to a physical device rather than your phone number, such as Google Authenticator. This also means removing your phone number from websites that use it to reset passwords.
  5. Consider using a different authenticator that cannot be breached.
  6. Remember that you can choose random answers to security questions. For instance, your place of birth could be onion!

If you think you may have been a victim of fraud then please do not hesitate to get in touch at hello@tenetlaw.co.uk.
