In June of this year (2018) an 85-year-old South African pensioner had R300 000 (roughly USD $20 000) stolen from his bank account in a SIM swap scam.
A SIM swap scam? SIM Swap fraud (also known as SIM splitting) is a type of account takeover fraud that generally targets a weakness in two-factor authentication or two-step verification, where the second factor or step is an SMS or a call placed to a mobile telephone.
How it works…
The fraud centres on exploiting a mobile phone operator’s ability to seamlessly move a telephone number to a new SIM. This feature is normally used to help a customer who has lost their phone or had it stolen.

The scam begins with a fraudster gathering personal and banking details about the victim, either through phishing emails, by purchasing them from organised criminals, or by social engineering the victim directly. Once the fraudster has obtained these details they contact the victim’s mobile telephone provider and use social engineering techniques to convince the telephone company to move the victim’s phone number to the fraudster’s SIM, for example by impersonating the victim and claiming that they have lost their phone. In some countries (notably India and Nigeria) the fraudster will have to convince the victim to approve the SIM swap by pressing 1.

Once this happens the victim’s phone loses its connection to the network and the fraudster receives all the SMS messages and voice calls intended for the victim. This allows the fraudster to intercept any one-time passwords sent to the victim via SMS or telephone call, and thus to circumvent the security features of any accounts (bank accounts, social media accounts etc.) that rely on SMS or telephone calls.

South African forensic investigator Dr David Klatzow says the SIM swap scam has become more prevalent over the past three years. Klatzow believes that the scam succeeds as a result of a “collaborative” effort.

“The story involves two sets; the banking and the cellphone industry,” Klatzow says. “It involves firstly being able to identify where the money is, which I believe involves some dishonest component or negligent component of the banking industry.

“The second thing is there’s undoubtedly a dishonest component within the cellphone industry, who are able to do SIM swaps without the proper channels being followed.”
How to protect yourself…
- It is important to note that one-time passwords sent via SMS or telephone call can be secured against SIM swap fraud if the company that sends them checks whether the recipient’s phone number has been SIM swapped immediately before sending the SMS or placing the call. If one of your accounts uses one-time passwords sent via SMS or voice call, contact the company and ask whether they make such checks before sending SMS messages or placing voice calls.
- Put a pin or password on your mobile account. More and more carriers are allowing customers to protect their accounts using either a PIN or a password. It is important to pick a password or PIN you haven’t used before.
- Practice good cyber hygiene:
1. Ensure that all your devices have adequate firewall/anti-virus protection.
2. Only download programs, apps and information from known and trusted sources. Hackers will attempt to trick you into downloading their phishing software.
3. Before entering your account details ensure the site is what it says it is. Scammers will create duplicate sites to steal your information.
4. Keep personal information which may be used to answer security questions off social media (e.g. birth date, name of first pet, name of first school).
5. Use strong passwords.
6. Do not readily give out any private information over the phone. Personal information should never be given out to strangers on the phone.
7. It is also important to always be aware of your phone’s connectivity. If you suddenly cannot make or receive phone calls, it’s important to contact your network provider immediately, and not just assume that there is a problem with the network or your handset.
8. Never ignore an SMS alerting you that a SIM swap has been requested on your account.
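The check described in the first tip above, that an OTP sender should confirm the recipient’s number has not just been SIM swapped before sending the code, written out as a decision function. This is an added example, not code from the article or from GoldPhish; the 72-hour window, the `sim_change_lookup` interface, the `high_risk_action` flag and the sample numbers are assumptions constructed for it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Assumed policy window (not a figure from the article): a SIM change inside
# this period is treated as a possible SIM swap and the SMS/voice OTP is withheld.
RECENT_SWAP_WINDOW = timedelta(hours=72)


@dataclass(frozen=True)
class OtpDecision:
    allow_sms: bool  # may the one-time code be sent by SMS or voice call?
    reason: str      # short explanation for audit logging and fraud review


# `sim_change_lookup` stands for a hypothetical carrier/aggregator query that returns
# the time of the number's most recent SIM change (None if none is on record) and
# may raise when the lookup service is unavailable.
def decide_sms_otp(msisdn: str, sim_change_lookup: Callable[[str], Optional[datetime]],
                   now: datetime, high_risk_action: bool = False,
                   window: timedelta = RECENT_SWAP_WINDOW) -> OtpDecision:
    try:
        last_change = sim_change_lookup(msisdn)
    except Exception as exc:  # lookup outage: fail closed for risky actions only
        if high_risk_action:
            return OtpDecision(False, f"lookup failed ({exc}); use another channel")
        return OtpDecision(True, f"lookup failed ({exc}); low-risk action allowed")
    if last_change is None:
        return OtpDecision(True, "no SIM change on record")
    age = now - last_change  # a future timestamp (clock skew) also counts as recent
    if age < window:
        hours = max(age.total_seconds(), 0) / 3600
        return OtpDecision(False, f"SIM changed {hours:.1f}h ago; possible SIM swap, "
                                  "use another verification channel")
    return OtpDecision(True, f"last SIM change {age.days}d ago, outside window")


# Constructed sample data standing in for a real carrier lookup.
SAMPLE_NOW = datetime(2018, 6, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_SIM_CHANGES = {
    "+27820000001": SAMPLE_NOW - timedelta(hours=2),   # swapped two hours ago
    "+27820000002": SAMPLE_NOW - timedelta(days=400),  # long-standing SIM
    "+27820000003": None,                              # no change on record
}


def sample_lookup(msisdn: str) -> Optional[datetime]:
    if msisdn == "+27820000009":
        raise ConnectionError("lookup service unreachable")
    return SAMPLE_SIM_CHANGES.get(msisdn)
```

A denied decision should be routed to a verification channel that does not depend on the phone number (an authenticator app, a hardware token, or an in-branch check) rather than simply retried.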
The last thing anyone wants to experience is the nightmare of receiving a bank notification alerting them that all the money in their account has been wiped out, particularly when the transaction happened without their authorisation. Sadly, plenty of people have fallen victim to these types of financial scams and have then had to go through the inconvenience of trying to get refunded by their banks, often unsuccessfully.
CybACADEMY courses powered by GoldPhish® educate employees on cyber risk and help build a more secure organisation through awareness training.
Our FREE Campaign is aimed at helping smaller businesses get one step ahead of cyber criminals with free awareness training.