What is SIM Swap Fraud & How to prevent it?
The telecom and financial services have drastically changed over the last 15-20 yrs. and this means that you can do lots of things over your phone now. You don’t need to go to bank for everything. Now your mobile itself is a bank and it will let you transfer money to anyone and transact with just a click of the button.
While this is wonderful news, it’s also a bad news because various kind of cyber frauds have started happening from last few years. Today I am going to share about one such fraud called as “SIM Swap Fraud”
I also requested one of person I know personally who actually lost money because of this fraud, and I requested him to jot down what exactly happened and steps they took after the fraud happened.
What is SIM Swap Fraud?
SIM swap fraud is a very sophisticated type of cyber fraud, where the attacker first blocks your sim card, and then gets a duplicate sim issued and gets access to all OTP/SMS which are required to make the transactions. This also means that they put a request to your mobile company with forged documents or online and if you have not secured your data/documents – it’s not very tough to get it done.
On top of it, if you do not act fast or take things lightly – the chances of fraud getting successful is very high.
People have lost amounts ranging from few Lacs to few crores. Just have a look at the below screenshot
The sim swap frauds are also known as SIM splitting, SIM jacking, SIM hijacking, or port-out scamming in different countries.
A real life case of an NRI who lost money from his bank account
So a few weeks back, one of the NRI readers of this blog mailed me asking for help on a fraud which happened in his bank account and he lost money.
Luckily the amount was just in thousands. I looked at his email and soon realized that this is a case of SIM SWAP fraud. While he has not got the money till now, I asked him to share the entire incident with all of us so that we can learn from this incident.
Please go through his experience which I got by email.
Hello Manish,
Greetings and appreciate your thoughtfulness to create awareness to this fraud,
So the story goes this way
My wife has a savings account in ICICI and me being NRI she travels to visit me for more than 5 months in a year as such I had linked my Sisters Phone number for net banking and all was going well. as local numbers don’t work in the country I live.
Recently my sister was having issues with idea sim card and she had registered a complaint with idea, and she was told a customer care will coordinate with her. then there was the lockdown and curfew and banks shops etc all closed.
One day a person called her and said he was from idea customer care and she needs to upgrade her sim from 3G to 4G and to do that she needs to text him a code and a sim card no a 20 digit number, due to lockdown since idea center is closed this is her option, which she did, she got a call back saying it will take about 4 hours for this upgrade and she may not get coverage until then.
my email was linked to that ICICI account and I got an email that there was a failed attempt to access my online account.
I replied to ICICI customer care and there was no reply. ( Got reply after two days, Standard written email do not share otp, password etc with any one and if suspicious report to ICIC customer care)
But I was able to log into net banking and did not find anything suspicious.
The next day I was off and was not online to check emails for full day in the evening I saw 8 emails from ICICI auto emails, password changed, new beneficiary added, OTP sent to Registered mobile, amount transferred to beneficiary account. balance in my account is now zero.
Now it’s a Saturday bank is closed, Lockdown cannot go out, customer care lines are busy and on hold for 25 min, and finally when she got on line with customer care they said she is not calling from registered mobile and they cannot help us.
The damage was done. The hacker took control of the sim and was getting OTP and had reseted the password using registered phone number.
The complaints we made
Sister went to idea and narrated the incident and idea said this normally does not happen this way and only authorized person in idea can do the sim swap and said they will investigate it
Wife went to police to complain, they are clueless on this matter and were more interested on knowing the fraud for their personal reason and challenging wife stating what she was telling can never happen and they never heard of such case and there must me something else which has happened and not sim swap. but when my wife raised her tone they took the complaint and said they will forward it to cyber branch.
Till date no positive lead.
Wife went to bank to complain, they saw the log and found the transaction is done through correct channel and there is no fraud, Password changed by registered mobile, otp sent to registered mobile and all things done legally without breach..
However as there was a police complain they traced the beneficiary account and put a freeze and lien on that account (In case he deposits money that money will be directly transferred to my account).
We changed the mobile number and now my wife gave her new local number, and they said not to use the account for some time till the investigation is over.
that night wife get a call from ICICI customer care saying we have registered your complain and your money will be transferred to your account tomorrow.
Wife goes to ICIC and meets manager she say no this case is not solved and normally it takes more than 15days for this and this call is not from us.
Wonder how the hacker got this number which was just given to ICICI, also though ICICI said they deleted the old phone number and registered the new phone number my sister is still getting messages when we complain to ICICI they say it cannot be and when shown proof via screen shots said we will forward to our IT dept.
So till date this is the final summary
Idea mobile operator claims no responsibility of damage done to bank account but their responsibility is to give control of the sim card back to my sister in 24 hours and they did it
Bank does not take any responsibility as the transaction was done by the registered mobile number
Police claims it was out carelessness to give the 20 digit number to the hacker and they can do nothing
I Learnt a very good lesson and will be more careful in these matters.
Jerry
From the real life incident of the above, I can see that it’s a bit of everything. Some bad luck, some carelessness, some ignorance and a lot of smart work by fraudster. These sim swap frauds are not easy to achieve as there are lots of things which needs to happen.
Let us now look at exactly what are the steps which are involved into Sim swap fraud.
4 Steps of Sim Swap Fraud – How it can happen to you?
Let’s understand how exactly a sim swap fraud happens through 4 steps process
Step 1 – Fraudster steals your important data
In this first step, the fraudster gets your personal information like your PAN number, Bank account number, phone number, your net banking password, and any other details which are essential for an online transaction. These things can be acquired using various methods like Email/Phone/SMS frauds or by hacking into your personal devices .
Sometimes there can be data theft by getting access to your documents which might be lying with someone (imagine you give your laptop for repair and some file has all the data or imagine you leave your bank statement at a Xerox shop)
Step 2 – Placing a request for SIM Swap with your SIM company
The next step is quite important and the main step, where the fraudster places the request for sim swap with your sim company by posing a fake identity and giving all relevant documents or through online mode.
Here the person may also call you to inform you about you posing as the sim company representative and tells you a lie that your sim will be active in some time as there is an upgrade going on or something like that.
You will generally get a sms or email from sim company telling you that your sim swap request will be complete soon.
DONT IGNORE THIS SMS at any cost. This is exactly where a customer mind presence is required and you have to act fast. A lot of people who do not understand how thing work online fall prey to it. Imagine if your 70 yr old father gets this kind of sms, he might not understand exactly what it is!
Step 3 – Doing the transaction
Once the sim swap request is processed, the game is almost over because the fraudster now has all the login details and the main thing – THE NEW PHONE NUMBER which is linked to the net banking/card.
Now all they have to do is add a beneficiary and complete the transaction
Step 4 – The fraud happens
And finally, the OTP comes to the new phone number and the transaction is complete. This is the point, where you loose the money and getting it back it quite tough. I strongly suggest that you read these 21 tips you should follow to secure your banking transactions
Some Safety Tips which can prevent you from such Frauds –
- If your network is lost for a very long time like more than 20-30 min, be alert and enquire about it from your mobile operator
- If you ever get a sms/email alerting you that your sim swap request is received, make sure you contact your bank immediately and report this incident. If possible login to your net banking and change your passwords the same moment
- Never share your the 20 digits mentioned on the back of sim card to anyone ever on call. This 20 digits are required for a successful sim swap
- Don’t entertain anyone asking for any kind of OTP or your accounts details
- Register for Alerts (SMS and Email) so that whenever there is any activity on your bank account you will receive an alert.
- Always check your bank statements and online banking transaction history regularly to help identify any issues or irregularities.
- Have strong passwords in your phone and computers. Don’t keep simple passwords which can be guessed by others
- If there is any cyber fraud, immediately inform the cyber cell or the best thing is to file a FIR in local police station.
- Don’t root your phone, if you are not a tech expert.
- Don’t install unverified apps on your mobile or laptop. A lot of these programs can read your computer or phone data
- Don’t leave your important documents Xerox here and there. At times we feel, nothing will happen – but bad things happen!
Do watch this video on preventing sim swap fraud!
Don’t be over confident that it can’t happen to you
Whenever we come to hear about these types of frauds any kind of fraud, the first thought as an investor comes to our mind is that no matter what happens, I will not fall prey to any such frauds.
This is nothing but overconfidence. Be alert and always pay attention to small signals which might be pointing to this kind of frauds, especially when you keep too much money in your bank account.
Hi,
Thank you for sharing such an important and informative blog on the potential threats of SIM swap and split. It sure is something people should be aware of.
Keep going.
Manoharan
Welcome !
Any financial system needs dual authentication by design for financial transactions. In this case, losing just SIM/mobile is causing loss of authentication. Isn’t it security design fault of banks etc that a single authentication credential stolen can allow hacker to access financial account?
People loose their phone and many of them don’t have phone passwords (specially seniors). Financial systems should be designed in way to protect their customer.
If one loose phone, there are many other things required like your bank account details, pass etc to do full transaction. So Idont think its just this particular flaw which will have issues. We have not heard of cases where someone just lost the money by loosing mobile,. excel something was there in their wallets !
I agree with Rahul’s point. If you lose your registered SIM, fraudster can reset all other things, Internet Banking password even he may change the registered mobile number and start getting OTPs on new number and you’ll even have know idea your account is debiting. Its a really serious fraud way and anyone can be fooled easily even TECHIES.
Thanks for sharing your views Atubh
`I too received a call one day from Idea Mobile company from Noida that my sim shall be blocked if i don’t upgrade to 4G.He gave me idea helpline no 12345 which indeed is idea helpline no and asked me to send sms to them. But i felt something fishy and didn’t send request.Next day again i got a call from that person informing me that i have not sent request for upgrade. I told him that i am also a technology man and i am not going to do it at any cost.What i am surprised at is how he got info from IDEA that i didn’t send request.I went to idea store and purchased a new sim. I am suspicious that data from Mobile companies is also being stolen. One has to be always extremely careful these days. I reported the matter to IDEA but no reply from them
Thanks for sharing your experience, yes my guess is that data is getting stolen from mobile companies ..
Few months back , I wasn’t receiving OTP on my phone and called customer care of the bank. They registered complaint and told me it would take 24 hours to address the issue. To be fair enough, the executive himself spotted the reason (country code issue) and offered to do the correction so that it would fix the issue but need to wait till 24 hours to test. Next day I tried and it worked. An hour later, I got a call from a guy claiming to be a tech support guy who asked me whether I received the test OTP which I indeed received it. Because I tested earlier, I got suspicious and refuses to part the test OTP. He then started emotional blackmail that how would he answer to his superiors and to his bank client and so on. I told him bluntly that no matter what it is, am not going to share OTP and shut the phone. I was amazed that our data & complaints are getting leaked even from the reputed private banks and customers are being scammed. There is long way to go in terms of customer data protection and security to customer money in the bank accounts. This SIM Swap fraud seems very sophisticated and am afraid even informed and knowledgeable customers might find it difficult to escape. It is quite scary to have some balance or deposits in the bank accounts.
Thats a great observation Krish
And thanks for mentioning what happened to you . I agree that data compromise is a big issue in India and some kind of local nexus is there between these customer care people and nexus ! .. THe data is not safe !