How Sim Swap Fraud Happens and What to Do
I received a strange SMS on one afternoon recently. Upon opening it I was informed that my mobile network carrier, MTN, would be performing maintenance on their infrastructure and that if I noticed that anything went wrong with my phone I was to turn it off and on again.
I thought this was very odd. There was no branding from MTN in the message, although that could easily be included in a spoof SMS. This was also accompanied by grammar and spelling mistakes. I asked a few people about it and was told to be extremely careful because it could very well be part of a SIM swap scam.
My heart sank when I heard that and I searched online on what to do in such a situation, although the answer was clear: whatever it was that had to be done, it had to be done immediately. So a fraud report was filled out, and a few phone calls were made. After being passed around for about an hour, with my bank telling me that it wasn’t their problem, I got through to someone at MTN, who confirmed that it was indeed a legitimate SMS from MTN, and that I had nothing to worry about. I didn’t mention anything about the poor grammar or spelling mistakes in said message, which was what made me suspicious in the first place, because I was too thankful and relieved to be snarky at that point.
I was fortunate that this ended up being a false alarm, but SIM swap scams are becoming increasingly common, with MTN and ABSA in particular featuring in the news quite often lately. In this scary episode I read up about these scams and learned a bit, so naturally I felt the urge to write about it.
"I thought this was very odd. I asked a few people about it and was told to be extremely careful because it could very well be part of a SIM swap scam. My heart sank when I heard that."
What is a SIM swap scam?
A SIM swap scam is a type of fraud that involves a criminal registering an existing number of a cellular company’s client on a new SIM card (the small device that slots in your phone, that allows you to make and receive calls, SMSes, etc.). They usually do this in order to intercept notifications and OTPs, or one time passwords, that are sent to the client when he or she wishes to carry out a transaction of sorts on their online banking profile, change account security settings, etc. This allows them to steal money from the client, and he or she may not even notice before it’s too late.
SIM swaps could also potentially be carried out in order to commit other acts such as ringing up a huge voice or data bill which the client would end up paying for – which would be especially disastrous if said customer was on a contract, where out of bundle rates apply. Generally SIM swaps are used to defraud people. One way or another that person ends up losing money.
Did you know?
Vodacom and MTN have been using technology for the past few years which aids banks in thwarting SIM swap fraud. It allows banks to check the date and time of the last SIM swap, date and time of change of handset, and the number of calls made with the combination of handset and SIM card. The only two banks currently using these services are FNB and ABSA.
How SIM swap scams happen
Phase one of a SIM swap scam usually involves the criminal trying to obtain information from an individual which relates to their online banking profile. This will usually occur in the form of a phishing email, but could also happen through a practice known as SMiShing, which is by SMS on your mobile phone or vishing, which is carried out by voice call. Basically they would look to obtain your username and password for your account, either by making you reply to the email, SMS, or call with the information they’re looking for, or by making you visit a phishing website – a website designed to look exactly like the real deal – and make you enter your login details there.
But they won’t stop there, because several banks nowadays rely on a 2-step verification process which involves using your mobile phone to receive OTPs (one time passwords). Without these codes, which are usually comprised of numerical digits, the criminal can’t carry out any transactions on your account, and even if they tried, you would be alerted to the fact that someone is in your online banking account because you would receive real-time confirmations.
So begins the second phase of the SIM swap scam, which involves the criminal gathering information relating to your network operator. They will attempt to find out your number – they could do this by way of social engineering. They will call your number or SMS you, and they will try to find out information such as your name, ID number, street address, network and other information that is unique to your SIM. They can take this, perhaps along with falsified identification documents to your network operator, and pretend to be you. They can then claim that they need a replacement for a damaged or lost SIM card, and they will likely get what they want.
It is possible that the scammers may not even have to go to these lengths, as it has been suspected in several cases due to the frequency and ease of this scam, that there may be an accomplice employed by the cellular network. In other words an inside job. This is evident when specific branches of an operator are often involved in these scams.
Then you may or may not receive phone calls or SMSes from people pretending to be employees of your cellular network telling you to switch off your phone due to ongoing maintenance or some other story. With your phone off, you are much less likely to notice the lack of incoming calls and SMSes to your phone, because at this point the SIM swap scam is in full effect. If you were to switch your phone back on you would likely see that there is no service from your operator. The other SIM card registered with your number on it is the one that will now receive any and all calls, SMS notifications, which together with your banking details which were obtained from you earlier, they can use to clean out your bank account without you even knowing, and by the time you realise, it will be far too late.
"It has been suspected in several cases due to the frequency and ease of this scam, that there may be an accomplice employed by the cellular network. In other words an inside job. This is evident when specific branches of an operator are often involved in these scams."
What to do in the event you become a victim of a SIM swap scam
If you suspect you are the victim of a SIM swap scam, immediately call your mobile network operator for assistance. Be sure to call the right department. They may also have a form on their website for dealing with cases of fraud, which you can fill in, and they will assist you in an investigation of the matter.
Also make sure to call the appropriate department at your bank, and suspend all activity on your bank account, essentially locking it, so that nobody is even able to log in to your online banking profile.
If you are able to, you may consider accessing your online banking account, and changing your password, as well as changing your associated email address and mobile phone number, so the notifications and confirmation SMSes would arrive at a new number and email address. So even if the criminals succeed with the SIM swap operation, the number they have is no longer linked to your bank account. But I would more readily recommend that you just suspend activity on your account, especially in a panic situation or if you are unsure on how to go about doing all of that.
If money ends up getting taken out of your account, then you need to open a case with the police for theft, preferably within 48 hours of the fraudulent transfer or withdrawal of funds having taken place. During this process you may receive documentation from your bank’s claims department, which will aid in the investigation.
You might get your money back, and you might not. The banks claim that recourse depends on the circumstances of each case. In fact, some flat out refuse to reimburse a client, often claiming that it was the client’s fault – that they did something in order to help facilitate the theft. If you are fighting an uphill battle, it may be a good idea to get legal advise on the matter.
Did you know?
Most of the big banks have security centres on their websites which allows you to see all the latest scams going on, as well as view more information on what is involved with each known scam.
How to avoid becoming a victim of a SIM swap scam
- Make sure to become familiar with existing scams by reading appropriate blogs, forums, or articles in the newspaper, so when you see that email or SMS arrive in your inbox, you know it’s bogus.
- Don’t ever reply to suspicious emails. Your bank would never ask you to enter any confidential information in to an email.
- Don’t ever click through on links that may lead you to phishing websites – websites engineered to appear and operate like the official website. They may download a virus on to your PC, just by visiting them, which could serve as another means of obtaining your banking account password(s).
- Use your common sense. If you receive an email claiming to be from your bank, ask yourself if this is the same email address associated with your online banking account.
- Don’t use publicly visible email addresses for banking. Use a secure, private email address that nobody but you and your bank knows.
- Always visit the official website of you bank by typing in the address. Bookmarking the website isn't safe because there are forms of malware that could tamper with bookmarks so that they redirect you to phishing websites.
- Only ever try to log in to your online banking profile via the official website. There are ways to make sure that it’s the official website – not only by looking at the URL, but by checking the security certificate, which usually appears in the form of a padlock in your browser. You could even look up the website on a database, which would confirm whether the website is safe or not.
- Change your online banking passwords frequently. I would suggest at least once every 3 months. And make sure it’s a strong password too.
- Don’t answer calls or reply to SMSes from numbers you are not familiar with.
- Even though it may be tempting to put your phone on silent or switch it off when multiple calls come through, it may not be the best idea, as this is exactly what the criminal may want you to do so that you don’t notice anything strange going on with your phone.
- Take note of the number the call or SMS came from. You can then look up this number on smscodes.co.za, or even contact your mobile network operator and check with them for more information if you receive a suspicious call or SMS.
- Consider joining a bank that gives you better security when it comes to banking, especially with online and cellphone banking. Some banks are known for not being secure with the features they provide. The same could could be said for some cellular networks.
- If the bank only offers 2-step verification security that relies on using a mobile phone to access your account, then check whether or not you can set a backup number, or an email address where you can at least receive notifications at.
Have you ever been a victim of SIM swap fraud?
Questions & Answers
© 2013 Anti-Valentine