Both have been victims of “sim-swap” fraud, a scam that has escalated in recent years and has resulted in victims losing thousands, often before they even know something is wrong. Scammers take control of a mobile phone account through a mixture of trust tricks and online harassment, then use those details to gain access to the owner’s bank accounts.
Figures from Action Fraud, the national reporting center for fraud, show that the number of people falling victim to this type of scam has increased significantly since 2015 and has resulted in losses of over £ 10million for UK consumers. So how can you make sure your phone, and therefore your bank details, is safe?
A variety known as SIM card sharing, simjacking, SIM card hijacking, and port-out scams, the fraud focuses on moving control of someone’s phone account from their SIM card to one controlled by the criminal.
Although mobile phones and security measures have changed in the five years since the scam took off, the workings of the fraud have remained constant.
“The tactics haven’t changed much over the years,” says David Emm of cybersecurity firm Kaspersky. “Criminals get personal information from a victim – bank details, address, etc. – by browsing social media or exploiting data stolen when breaching an online business’s systems. They then contact the victim’s mobile phone provider, pose as the victim, request a SIM card swap, and change personal settings. ”
Emm says that in some cases scammers work with an insider to assign the victim’s number to another SIM card. “A more recent tactic is to request a porting authorization code [PAC] to port the victim’s number to another network, ”he said. “Once they ‘own’ the victim’s number, they can intercept bank authorizations sent by SMS – or other… codes for which the cell phone number is used. “
Often times, the scammer will use information posted on social media, such as a mother’s maiden name, a birthday, or the name of a pet, to help build an information base about the victim.
Last week, we featured an Observer reader whose number was stolen by a criminal who used the identity of the reader to ask a PAC to transfer it to the criminal’s phone. Payments of over £ 1,000 were then made from the victim’s bank account to an online money transfer service.
Since the scam appeared, the number of cases has increased rapidly. Action Fraud found 483 reports in June of this year, nearly double the number for the same period last year. In 2015, there were only 144 cases.
Last year, the FBI warned of the risks of SIM swapping, saying it was a common tactic to bypass security measures such as two-factor authentication, which users must provide. two pieces of information, such as a password and a code sent to their phone. The warning prompted the UK’s National Fraud Intelligence Bureau to raise concerns. The FBI wants more complex forms of authentication introduced.
How do you know you’ve been scammed?
Usually, someone first learns that they’ve been the victim of a sim-swap scam when their phone stops working or finds out they can’t access bank and credit card accounts. Or they can receive a text or email before the exchange takes place.
“It is vital, if this happens, to contact the mobile network provider and inform them, so that they can investigate what has happened,” says Emm. “It is also essential to contact the bank or other online services where you use your mobile as an additional form of authorization for transactions. ”
Mobile phone companies have come under fire after letting customer details leak. A survey by consumer group Which one? found that despite current safeguards, criminals could still bend the rules and get the information they needed through persistence.
Jason Costain, Fraud Prevention Manager at NatWest, says: “Banks are taking action to defend against sim-swaps. However, our industry, like many others, relies on telephone companies to ensure that proper identity checks are performed before a SIM card exchange is authorized. The telephone industry is working to mitigate the threat. ”
A spokesperson for the Financial Ombudsman Service said that when money is fraudulently taken from someone’s account, they should contact their bank, where it should be considered a “contested transaction”. It is then up to the bank to investigate and decide whether to refund the money. If not, the customer can turn to the ombudsman.
“If a consumer is not happy with the result, they should contact our service and we’ll see if we can help them,” the spokesperson said. “We will make our decision on what happened using the evidence provided by the consumer, the bank and any relevant third parties. In making a decision, we will take into account the relevant laws, regulations that applied at the time, industry codes of conduct in effect at the time, and the terms and conditions of the account from which the disputed transaction was made. . “
Avoid the problem
As with many banking security scams, there are some simple ways for consumers to avoid getting scammed:
- Do not respond to unsolicited emails, texts or phone calls. These can allow attackers to access personal data which can then be used to convince the bank that they are you.
Don’t over-share your personal information on social media. Avoid putting your date of birth, that of your children or relatives, the name of your first pet or of the school, as they are all frequently used as answers to questions that banks have.
If your phone stops functioning normally, notify your bank and mobile operator.
Try using an app like Google Authenticator for one-time passcodes.
Use passwords that only you know and that are unique.