Envision receiving a bank notification alerting you that all the money in your account has been cleaned out. At first you are shocked, frightened and bewildered.  Once the shockwave subsides there is frustration and anger directed at your bank wandering how this could have happened.

Throughout the world people have fallen victim to various types of bank fraud which are a variable nightmare for all parties involved.  For financial institutions a fraud attack means annoyed customers, reputation loss and hours of investigation work.  For customers fraud is an invasion of their privacy, a breach of trust and a major hassle of trying to get refunded by their bank.  Few Customers truly understand the complexity of recouping their funds.

With the growth and sophistication of mobile banking, a new security vulnerability has become the smartphone. Fraudsters have shifting their focus from desktop-based fraud to mobile attacks. According to RSA Research 65% of all fraud in 2018 is mobile based. Fraudsters view the mobile is the new “weakest link” and have created creative and sophisticated mobile fraud attacks that have swindled millions and caused considerable damage to financial institutions.

The new financial fraud kid-on the-block is SIM swap. At its most basic level, a SIM swap is when someone persuades a mobile carrier to switch your phone number over to a SIM card they own. Bad-guys are not doing it to hoax you or to rack-up long-distance charges… they are doing it to amass big bucks by diverting your incoming messages, to easily over-ride text based authentication that protects your most sensitive accounts.

Recently a cryptocurrency investor claimed that a SIM swap resulted in the theft of $23.8 million-worth of tokens; he’s suing his carrier, AT&T, for over $ 200 million dollars.  The case outlines the work of a SIM swap gang that is suspected of stealing at least $5 million in cryptocurrency in similar hacks.

How does it work?

SIM hijackers often recruit retail workers at mobile shops to gain access to protected accounts.  In the UK a SIM swap gang worked with O2 and Vodafone employees to bypass basic ID checks and handing over replacement SIM cards to potential criminals.

In the past SIM swap scams were predominantly used by scammers to call and text premium numbers to rack up huge phone bills.  But the recent SIM swap modus operandi is directed at stealing big bucks.  In recent years, not only has SIM swap become more sophisticated but has also reached widespread proportions with growth of over 60% since 2016 (BBC NEWS, 2018).  In countries like Kenya and India recent SIM Swap scams have become a full-fledged epidemic with over 10 Million mobile users impacted (AllAfrica.com, 2018).

What is SIM swap and how does it work?

Scammers first obtain the victim’s internet banking details through phishing emails. They correlate and weave additional information about you via social media.  Once they have  the required basic details, they call the mobile operator and get your SIM blocked. They will know and use the home address, date of birth, and other verification details required by the bank.

Once the SIM is blocked they visit a mobile operator’s retail shop or call with the fake ID posing as the customer requesting a new SIM. In some cases they will even have an authorization letter to get a new genuine SIM card.

Alternatively, they can now access the One Time Pin sent by the bank in order to authorize whatever transaction they intend to make, which most often is clearing your bank account.

In part 2 of the blog we will outline how to you can protect from a SIM swap attack. We will outline how Paygilant prevents SIM swap ensuring you a safe, frictionless payment experience.