02 Feb CYBERCRIME: THE LURKING DANGER OF SIM-SWAP FRAUD
Cybercrime: the lurking danger of SIM-swap fraud
HOW TO DETECT AND PREVENT THE FRAUD THAT DRAINS BANK ACCOUNTS
Among e-frauds on the rise, SIM swapping is one of the new key trends in last year’s IOCTA, Europol’s Internet Organised Crime Threat Assessment. This modus operandi garnered considerable attention throughout 2020, as law enforcement agencies noticed a significant increase with a growing number of cases in Europe.
One of the major police operations, called Quinientos Dusim, saw investigators from the Spanish National Police together with the Civil Guard and Europol, targeting suspects across Spain believed to be part of a hacking ring which stole over €3 million. Composed of nationals between the ages of 22 and 52 years old from Italy, Romania, Colombia and Spain, this criminal gang struck over 100 times, stealing between €6,000 and €137,000 from bank accounts of unsuspecting victims per attack. 
SIM swapping is a type of identity theft consisting of a phone account takeover aimed at stealing money through the victim’s bank account. Using illegally obtained credentials, criminals make banking operations, mostly wire transfers.
Typically, this fraud manifests itself through a mobile phone line disruption due to the duplication of victims’ SIM cards, which are used to get bank’s notifications and security codes.
SIM-swapping commonly starts with a fraudulent attack (phishing, malware, unauthorized access to social media accounts, malicious apps, etc.) providing criminals with the victim’s personal data. In terms of prevention, this is a key aspect: awareness and caution are crucial to avoid any illegitimate access to sensitive information.
Once in possession of the victim’s data, criminals can act very quickly and potentially empty a bank account in just one night. After having obtained the SIM card duplication from mobile service providers with fake documents and fake lost or stolen device reports, they access banks accounts and receive the authorisation codes sent by bank to the victims’ phone numbers to confirm the transfers.
It may therefore happen that one morning, victims realise that they are no longer able to make calls and use their mobile phone. They may even receive fake customer service messages from their mobile service provider notifying them of some imaginary technical issues under resolution. When facing a sophisticated strategy like this, it could be extremely difficult to understand that a fraudulent action is in progress. One might discover they are a victim after some time, when noticing a series of never made nor authorized wire transfers or prepaid card payments on the bank account.
Let’s see how SIM-swapping can be detected, what to do in case of suspicious activity and how to prevent this fraud.
Detecting SIM-swap fraud
Here are the most common warning signs to pay attention to:
- The mobile phone loses service and signal, it is not possible to make calls and send/receive text messages
- A fake phone operator may call or send a text to notify some technical problems
- Repeated nuisance calls or text messages are received, in the attempt to get victims to turn their phone off
What to do in case of suspected SIM-swap fraud
It is imperative to stay alert and be aware of calls or text messages relating to technical problems linked to the mobile phone. It is also a good idea not to turn off the phone in case it stops working.
What to do in the case of a suspected SIM-swap:
- Promptly check the bank account
- Alert the bank and request temporary holds be put on the account
- Report the identity theft to the mobile phone provider
- Report the fraud to the local police cybercrime unit
How to prevent SIM-swap fraud
Preventing SIM-swapping consists of keeping away from personal data theft by avoiding any risky online and offline action. As suggested by Interpol:
- Keep software updated, including browser, antivirus and operating system
- Restrict information and show caution with regard to social media
- Never open suspicious links or attachments received by email or text message
- Do not reply to suspicious emails or engage over the phone with callers that request personal information
- Update passwords regularly
- Buy from trusted sources and check the ratings of individual sellers
- Download apps only from official providers and always read the apps permissions
- When possible, do not associate a phone number with sensitive online accounts
- Set up a PIN to restrict access to the SIM card and do not share it with anyone
- Frequently check your financial statement
It should be emphasised that Online Banking and Online Banking e-Payments (OBeP), such as immediate transfer MyBank, provide the highest levels of security.
As of this year, the safety of transactions is strengthened even more by the obligation –for all banks, financial institutions and players involved in e-payment processes– to implement Strong Customer Authentication (SCA) as required by EU Directive 2015/2366 on Payment Services (PSD2). SCA is an authentication process using at least two or more of the following elements: knowledge (typically a PIN or a password); possession (such as a token or a smartphone); and inherence (typically fingerprint, face or voice recognition).
Also called “Multi-Factor Authentication”, SCA makes access to the bank account and payments more secure: in case of an e-payment, the different factors required for authentication are dynamically combined by linking each transaction to a specific amount and beneficiary, thus certifying its uniqueness. Therefore, it tackles data breaches by making the lives of cybercriminals harder.
For online banking-based immediate transfer MyBank, SCA has been a key feature for payments since its launch on the market in 2013. An early-adopter, MyBank sees SCA as a valuable ally for a secure payment eco-system supporting the growth of e-commerce.
Undoubtedly, SIM-swapping shows the ability of cyber-crime to evolve and steadily find new attack methods. Nevertheless, let’s consider how easy a cybercriminal’s life would be if no authentication measure like SCA was in place.
In this respect, it should be highlighted that even though SMS verification is one of the most used authentication modalities for e-payments, it is not the only option available as far as SCA is concerned.
Cyber attacks linked to economic-financial crime saw a real boom in 2020. Already in June last year, the number of phishing attempts via email had reached + 600% globally.  SIM-swapping turns out to be one of the most insidious and difficult frauds to detect, however prevention is possible.
Awareness is key: it is important to regularly check available information about fraud methods, for example by visiting the local police cybercrime unit or Europol’s website, and to adopt the utmost caution in all situations, both online and offline, where one’s personal data are involved.
Keeping away from phishing and data theft also means preventing SIM-swap fraud: being vigilant and cautious whenever emails or text messages requiring to click on a link are received, even when they seem to come from a reliable person or service provider; never reply to suspicious emails or text messages; beware of any requests for personal data over the phone. These are some key measures for SIM-swapping prevention.
Last but not least, it should be kept in mind that neither banks nor MyBank will ever ask for personal data, authorisation codes or access credentials, via email or text message, over the phone or through social media. Beware of this kind of request.
2 Feb 2021