SIM SWAP FRAUD: Stepping into the fraudster’s shoes!
“Lose a credit card and the loss may be in thousands… Lose a SIM Card, the loss is irreparable”
Last week, Twitter CEO Jack Dorsey became the latest high-profile account to be targeted by SIM swappers. Dorsey’s account sent several tweets, including some with racial slurs and others that defended Nazi Germany. Luckily for him, his account was secured soon after, and the consequences weren’t catastrophic. However, there have been many instances where SIM swappers have left victims in a really troubled state – especially the ones targeted for monetary gains.
SIM swap is a type of phishing fraud that poses a serious threat to customers as well as to the telecom and banking environments. The SIM SWAP fraudster obtains an individual’s banking details through vishing/smishing/phishing techniques or by purchasing them from organized crime networks. They then use this information, together with personal details sourced via social media, to pose as the victim to the mobile network operator and fool it into cancelling the victim’s SIM and reactivating the victim’s mobile number on a SIM in their possession. As a result, all calls and texts to the victim’s number are routed to the fraudster’s phone, including one-time passwords for banking transactions. After receiving a one-time PIN or password from a bank, the fraudster can then potentially access the customer’s bank account and transfer funds. The SIM SWAP fraud impacts not just the victim financially, but equally the telecom operator and the bank. In many countries, both entities (the telco and the bank) are legally liable to compensate the victim for his/her financial losses, on grounds of non-adherence to consumer interests and protection. When the loss is in millions, the impact is very grave!
Have you ever taken a moment to pause and think from a fraudster’s perspective to counter the fraud? Well, most blogs that you will find on the internet on SIM SWAP will tell you ways (in bullet points) to protect your assets from the SIM SWAP fraud. However, I am quite sure that there will only be a handful of blogs that will tell you how a SIM SWAP fraudster thinks, in order to be able to protect your customers from such attacks.
Without much ado, let me take you through the 4 vicious stages involved in the SIM SWAP fraud attack which will help you understand your SIM SWAP fraudster better and stay ahead of them on any given day!
Stage 1 – “Cherry picking and stalking”
Fraudsters are always on the lookout for victims, and social media has greatly helped them get away with their schemes. A SIM SWAP fraudster may look for a high-profile customer or a prosperous and wealthy businessperson who generally engages with prospective clients over social media. The SIM SWAP fraudster could impersonate one such client, send out a connection request and start to closely monitor the victim’s activities. The SIM SWAP fraudster can even hijack an account of the victim’s affiliate to initiate conversations or get more information about the victim. In cases where the victim does not have enough of a digital footprint, SIM SWAP fraudsters have even resorted to dumpster diving and shoulder surfing!
Stage 2 – “Impersonating the victim”
At this stage, the fraudster has all the information he/she needs to pass the authentication protocols required to get hold of the victim’s assets. Once he/she has managed to convince the bank and the telecom operator of his/her false identity, he/she goes on to take over the customer’s personal assets, such as his/her SIM card or bank account.
Stage 3 – “Swindling at once”
Having gained total control over the victim’s assets, the SIM SWAP fraudster now tries to extract monetary benefits from them in a single go. Here the victim is totally cut off from his/her mobile network without even knowing it. By the time the victim gets to know that transactions have been carried out on his/her account without their knowledge, the damage is done!
Stage 4 – “Covering it up”
After having caused enough damage to the victim, the SIM SWAP fraudster lets go of the victim’s assets and goes on to hunt for another victim. The SIM SWAP fraudster makes sure to vary his/her fraudulent schemes enough not to appear like a serial offender, thereby leaving law enforcement with very little clue of the fraudster’s whereabouts!
SIM SWAP fraud, unlike many other telecom/bank frauds, requires a joint effort from the customer, the bank and the telco. However, catching hold of the SIM SWAP fraudster doesn’t require the brains of Sherlock Holmes! Vigilance and a little proactive thinking about how a fraudster might behave can help catch them at a very early stage. To counter the ill effects of the fraud, top telecom service providers like AT&T, T-Mobile, Verizon and others are insisting on customer authentication through the 2-Factor method, even during telephonic conversations.
However, I personally believe that not much is being done to study transactional pattern anomalies to identify potential fraudsters in the network, and it’s high time bank authorities joined hands with telcos in countering the fraud. For example, the telcos can notify the banks of a change in a customer’s IMEI/MAC address, the addition or modification of accounts, or transactional abnormalities, and the banks can then monitor the customer’s transactions for that week, in priority! Masking methods can be used during the exchange of information to protect consumer interests. Telcos and banks can be more proactive by creating a reference database where any changes made to consumers’ profiles can be stored and looked up in instances of abnormal transactions. As preventative measures, customers can be advised by both the telcos and the banks to take enough care while sharing very personal and integral information such as card details, social security number etc. on social media or the public internet. The SIM Swap fraud is known to cause serious collateral damage and reputational loss; however, a little care taken at the right point in time can work wonders!
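The telco-to-bank notification idea above, sketched as an added example that is not part of the original post: the telco shares masked change events, and the bank prioritises transactions made within a week of a change. The shared key, event types, record layout and HIGH/REVIEW labels are assumptions, and all records are constructed sample data.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

SHARED_KEY = b"constructed-demo-key"  # assumption: secret agreed by telco and bank
WATCH_WINDOW = timedelta(days=7)      # "that week" in the text

def mask(msisdn):
    """Keyed hash: both sides can match a subscriber without sending the raw number."""
    return hmac.new(SHARED_KEY, msisdn.encode(), hashlib.sha256).hexdigest()

# Constructed telco notifications: (masked number, change type, time of change)
TELCO_EVENTS = [
    (mask("+15555550100"), "SIM_CHANGE", datetime(2019, 9, 2, 9, 0)),
    (mask("+15555550101"), "IMEI_CHANGE", datetime(2019, 8, 1, 12, 0)),
]

# Constructed bank records: (txn id, phone on file, amount, new payee?, time)
BANK_TXNS = [
    ("T1", "+15555550100", 4800, True, datetime(2019, 9, 2, 11, 30)),
    ("T2", "+15555550100", 40, False, datetime(2019, 9, 5, 18, 0)),
    ("T3", "+15555550101", 900, True, datetime(2019, 9, 3, 10, 0)),   # change over a month old
    ("T4", "+15555550102", 5000, True, datetime(2019, 9, 2, 10, 0)),  # no telco event
    ("T5", "+15555550100", 100, True, datetime(2019, 9, 1, 8, 0)),    # before the change
]

def build_watchlist(events):
    """The reference database: masked number -> list of (change type, time)."""
    watch = {}
    for token, kind, changed_at in events:
        watch.setdefault(token, []).append((kind, changed_at))
    return watch

def prioritise(txns, watch):
    """Return (txn id, priority, change type) for transactions inside the watch window."""
    flagged = []
    for txn_id, msisdn, _amount, new_payee, ts in txns:
        for kind, changed_at in watch.get(mask(msisdn), []):
            if timedelta(0) <= ts - changed_at <= WATCH_WINDOW:
                # A first-time payee right after a SIM/device change is reviewed first.
                flagged.append((txn_id, "HIGH" if new_payee else "REVIEW", kind))
                break
    flagged.sort(key=lambda f: f[1] != "HIGH")  # stable sort, HIGH entries first
    return flagged

if __name__ == "__main__":
    for row in prioritise(BANK_TXNS, build_watchlist(TELCO_EVENTS)):
        print(row)
```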
Vijay is a Principal Consultant in Subex’s Managed Services vertical, focusing on Fraud Management. He is a telecom fraud and revenue assurance management professional with 12+ years of experience, including progressive experience in process management and in managing risks in the telecom business.