What is SIM card fraud -- and how can you avoid it?

By Marianne Curphey


You may not have heard of it, but SIM card fraud is a scam that is on the rise and involves criminal gangs gaining access to your bank account via your mobile phone. It's particularly hard to spot because it's a new and sophisticated form of fraud.

SIM card fraud is "one of the myriad creative new attack vectors cybercriminals are using to exploit more value from mobile activity, particularly in the EU and UK," Don Duncan, security engineer at NuData Security, a company that helps businesses verify identity and data, said in an emailed response to questions.

"The fraudsters get access to a victim's bank accounts by first acquiring their bank account statement," he said. "They then use social engineering to scrape additional personal information about the victim from their social media profiles and accounts including their phone number and service provider."

The fraudsters assemble a lot of personal information about you - enough to answer basic security questions that your phone company might ask. Then, they call your phone provider, pretending to be you, and claim that your phone is lost or damaged. Your mobile phone company will cancel your existing SIM and activate a new one - the one the thief has.

The fraudster, with "your" SIM card loaded into a phone they have, can now contact your bank and claim you forgot your password. The fraudster asks that a one-time access code to change the password be sent to your phone - which is really the phone in his or her hand.

The next step is to divert your money into a fake bank account the criminal has set up. Without you knowing, fraudsters start with your bank details and then set about finding out more of your personal information - via social media or other websites freely available online.

Once they have enough data to impersonate you, they open an account in your name with your existing bank. This is because your bank may make fewer security checks if you are already a customer and you appear to be requesting a money transfer to a parallel account.

You may not realize you've been a victim of SIM card fraud until your mobile has stopped working or when you can't access your mobile bank account, or if you try to use your bank cards and find the security settings have somehow been changed. By then, the fraudsters may have transferred money from your account into the false one they have opened in your name.

If you have a mobile phone and use your phone to receive notifications (e.g., texts with updates on your current account balance or card transactions) from your bank, then you are potentially at risk.

What banks are doing to fight SIM card fraud
Banks have been aware of SIM card fraud for some time. Martin Warwick, FICO's fraud chief in Europe, the Middle East and Africa, says some banks have put measures in place to check that messages are being sent to genuine customers.

"It is possible to check whether your SIM card number and your international mobile subscriber identity (IMSI) are the same," he says. "If there is a discrepancy, your bank could contact you by email or landline to check."

The IMSI identifies a mobile phone user on a network and is associated with a specific phone, so if it doesn't match up, it can be a warning sign.

Gabriel Hopkins, senior director of product management at FICO Ecommerce, says banks can also get you, the actual customer, on the phone and determine whether you got a new SIM card or if someone is potentially impersonating you.
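The check described above, sketched as an added example (not code from the article, FICO or any bank): before texting a one-time code, compare the IMSI on record with the one the carrier currently reports, and on any discrepancy hold the code and contact the customer by landline or email instead. The carrier lookup, the field names and the sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Customer:
    mobile: str
    imsi_on_record: Optional[str]  # IMSI seen when the mobile was last verified
    email: str
    landline: Optional[str] = None

def fallback_channel(c: Customer):
    # Never the mobile itself: after a swap it reaches whoever holds the new SIM.
    return ("landline", c.landline) if c.landline else ("email", c.email)

def route_one_time_code(c: Customer, current_imsi: Optional[str]):
    """current_imsi is what the carrier reports now for c.mobile
    (hypothetical lookup; None means the lookup failed)."""
    if current_imsi is not None and current_imsi == c.imsi_on_record:
        return ("send", "sms", c.mobile)
    # Mismatch, nothing on record, or failed lookup: hold the code (fail closed)
    # and reach the customer another way.
    return ("hold",) + fallback_channel(c)

def confirm_sim_change(c: Customer, new_imsi: str,
                       customer_confirmed: bool, via: str) -> bool:
    """Accept the new IMSI only if the customer confirmed it over a fallback channel."""
    if not customer_confirmed or via not in ("landline", "email"):
        return False
    c.imsi_on_record = new_imsi
    return True

def sample_customer() -> Customer:
    # Constructed values: test-network IMSIs, reserved UK drama numbers.
    return Customer(mobile="+447700900123", imsi_on_record="001010000000001",
                    email="customer@example.com", landline="+442079460123")

if __name__ == "__main__":
    c = sample_customer()
    print(route_one_time_code(c, "001010000000001"))  # same SIM
    print(route_one_time_code(c, "001010000000002"))  # SIM changed
    print(confirm_sim_change(c, "001010000000002", True, "landline"))
    print(route_one_time_code(c, "001010000000002"))  # confirmed, trusted again
```

A confirmation that arrives over the mobile number itself is rejected, since that is the channel a swapped SIM controls.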

Banks' systems not bulletproof
"Fraudsters have a clinical understanding of how banking systems work and may have insider knowledge as well," Hopkins says.

Even new safety technology, such as biometrics, is not guaranteed to work. As soon as technology experts close one loophole, organised criminals look for another.

"Biometric security is incredibly useful in terms of convenience for users," Vasily Bernstein, mobile payments systems expert at the global technology consultancy DataArt, said in an emailed response to questions. However, she says, "there have been several successful public attempts to bypass smartphones' fingerprint biometric system.

"For example, one included something as unsophisticated as a glue-cloned fingerprint. Other biometric systems, such as iris scanners, can also be fooled in relatively inexpensive ways."

The Financial Fraud Action UK (FFA UK) works with telecommunication companies to find ways to prevent SIM swapping, according to its 2016 annual report. However, you should take action, too.

"While the industry invests in new systems to stop the criminals, fraudsters are increasingly targeting people directly, so customers and businesses need to be alert to the threats posed by the continued rise in impersonation scams attempting to trick them out of their personal details and money," the report states. "Banks cannot stop all fraud on their own."

What you can do
You can take various steps to shield yourself from SIM card fraud (and other forms of fraud):

  • Be wary of phishing emails - unsolicited emails with an embedded link that you are asked to click on and which may be crafted to look as though they have come from your own bank.
  • Never enter details into a website you've accessed via a link in your email. Fraudsters are very good at making the website look as though it is your own bank's internet banking site.
  • Update your anti-virus protection on your computer and make sure you have it installed on your phone.
  • If you are receiving a lot of nuisance calls on your phone it may be a deliberate attempt by fraudsters to make you turn off your phone. Call your provider instead and raise the alarm.
  • Don't give away too much personal information on social media, such as where you live, your spouse's name, family members' information or even your own birthday. All of this is useful data for conmen. Duncan added you shouldn't save personal information in your social channels, and advised updating privacy settings of social media accounts to restrict viewing and sharing of information to friends.
  • Be aware of any suspicious activity - you should regularly check your bank, debit and credit card statements for unfamiliar payments and alert your bank or card provider immediately if you spot anything untoward.
  • Use any security measures provided. "Some telecom companies allow customers to leave a private access PIN on their account that prevents phone account access to anyone without this code, and if your telco company has this option, it could be another preventative measure to protect your account against impersonation," Duncan said.

Above all, be vigilant, Duncan said.

"Early interception can make a big difference in the financial impact that these crimes have on victims."

Published: 10 February 2017