Sim Swap Fraud

eKRAAL Innovation Hub
Published in writers@eKRAAL
5 min read · May 20, 2021

SIM swap fraud is when a fraudster convinces a mobile carrier to switch a victim's phone number over to a SIM card the fraudster owns. In simple terms, a SIM swap is simply changing mobile SIM cards.

The legitimate reasons for performing a SIM swap are damage to or loss of the old SIM card, or an upgrade to a 4G or 5G network. If a SIM swap occurs without your knowledge, it means it was done for some fraudulent activity.

Technically SIM swap fraud is a combination of different social engineering tactics.

What is social engineering, you may ask? Social engineering refers to the art of manipulating people so that they divulge their confidential information. Among these social engineering tactics are vishing, smishing, and phishing emails, and sometimes an insider threat may also be a tactic.

Beyond just using a username and password, social media networking platforms, email service providers, financial service providers such as banks, and other digital services have measures in place to increase security. The usual measure is two-factor authentication (2FA). It is mostly delivered in the form of a one-time password (OTP) over SMS.

This is a good measure to take, but the irony is that OTP via SMS becomes the point of failure because it is prone to man-in-the-middle attacks. The 2FA method that is supposed to protect users has been manipulated, giving rise to SIM swap fraud.

Modus Operandi.

  1. The attacker calls the target's (victim's) mobile service provider and requests that the target's mobile number be transferred.
  2. The number is transferred to a different SIM. The target is unaware of this.
  3. The attacker tries to access the target's account, either using credentials they have stolen or by requesting a password reset.
  4. The 2FA code is sent via SMS to the attacker, and they can access the account.
  5. The target only becomes aware when their phone is disconnected or they're locked out of an account.
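
A service-side view of steps 2 to 4, as an added example that is not part of the original article: it flags password resets and SMS OTP sends that follow a SIM change within a risk window. The event names, the `sim_changed` carrier signal and the 24-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumption: how long after a SIM change SMS-based actions are treated as risky.
RISK_WINDOW = timedelta(hours=24)
# Actions that depend on control of the phone number (steps 3 and 4 above).
SMS_DEPENDENT = {"password_reset_requested", "sms_otp_sent"}

# Constructed sample events: (ISO timestamp, account, event type).
# "sim_changed" is a hypothetical signal supplied by the mobile carrier.
SAMPLE_EVENTS = [
    ("2021-05-20T09:00:00", "alice", "sms_otp_sent"),
    ("2021-05-20T10:00:00", "alice", "sim_changed"),
    ("2021-05-20T10:12:00", "alice", "password_reset_requested"),
    ("2021-05-20T10:13:00", "alice", "sms_otp_sent"),
    ("2021-05-18T08:00:00", "bob", "sim_changed"),
    ("2021-05-20T11:00:00", "bob", "sms_otp_sent"),
]


def flag_sim_swap_risk(events, window=RISK_WINDOW):
    """Return alerts for SMS-dependent actions that closely follow a SIM change."""
    last_sim_change = {}  # account -> time of the most recent SIM change
    alerts = []
    # Process in time order so each action is compared only with earlier swaps.
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e[0]))
    for ts, account, kind in ordered:
        when = datetime.fromisoformat(ts)
        if kind == "sim_changed":
            last_sim_change[account] = when
        elif kind in SMS_DEPENDENT and account in last_sim_change:
            age = when - last_sim_change[account]
            if age <= window:
                alerts.append({
                    "account": account,
                    "event": kind,
                    "minutes_since_sim_change": int(age.total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in flag_sim_swap_risk(SAMPLE_EVENTS):
        print(alert)
```

A flagged action would be held until the user confirms it through a channel that does not depend on the phone number.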

What could go wrong in case of this attack, you may ask?

This fraud could lead to identity theft, whereby an imposter gains access to your Personal Identifying Information (PII) and uses it for their own gain and exploitation.

The people who fall victim to this scam come from almost all demographics, meaning that these cybercriminals take advantage of normal people.

Within 30 minutes of this scam occurring, these fraudsters may have access to all your money and all your accounts. Besides taking your money, they can also decide to take a loan from one of the money lending applications, or they can even call or text your friends and family to borrow money. This can lead to you, the victim, being blacklisted by the CRB or ending up with debts you didn't borrow.

Over the years, the way this scam is executed has changed drastically. In different countries it's done differently, but the goal in all instances is to acquire money. Internationally, we have seen cases like that of the Twitter CEO, Mr. Dorsey, who fell victim to this scam and whose account was used to tweet offensive messages.

In Kenya, the scam has evolved with the times.

In 2018, the DCI, George Kinoti, said that they had discovered that fraudsters were using the IEBC register, which was available online, to register SIM cards that ended up being used in criminal activities.

As telecommunication companies and financial institutions have spread awareness of this scam, these criminals have developed more sophisticated ways of executing it. The latest SIM swap scam, according to the DCI, is one where five suspects were arrested after a telephone of a dead person was used to steal from another dead person.

The scammers have begun to target dead people whose families have put their death announcements in the newspapers. People who have traveled abroad and the elderly are also on these criminals' radar. It is said that these criminals ensure they strike before the families establish the exact wealth of the deceased.

Signs of SIM swap fraud

The most obvious sign you should look out for is when you realize that phone calls and text messages are not going through. This most likely means that your SIM card has been deactivated. Another telltale sign is when you cannot receive the OTP code even when you try it more than once.

A third sign is when your cellphone suddenly has no signal in an area where it normally has network coverage. Another is when you are unable to access your bank and credit card accounts or any other accounts. The last is when you are notified of activity elsewhere or that the SIM card has been activated on another device that is not yours.

How to protect yourself from this scam

When your phone has been out of network continuously for a few hours, make a complaint to your service provider.

  1. Ensure you regularly check your bank account statement.
  2. Ensure you register for both email and SMS alerts.
  3. Be aware of the links you click on and of phishing emails.
  4. Have a strong password and secret questions that are difficult to guess.
  5. Use different passwords on each of your accounts.
  6. Use alternative methods of 2FA, such as YubiKeys or mobile identification applications.
  7. Avoid using your phone number as an identifier or authentication measure for your online accounts.
  8. Keep your personal information private: avoid posting your date of birth on social networks and don't share other personal information online.
  9. Have a callback policy: when you receive a text message asking you for money and you are not sure, call back to confirm.

If you have the Truecaller application installed on your phone, ensure you report these scammers as spam. The more you report, the better your chances of saving the next person from this scam.

Conclusion

SIM swapping is one of the reasons why a phone number won't be the most effective verifier of your identity.

Safaricom, a major telecommunications service provider in Kenya, came up with another way to report any suspicious and fake messages. All that's needed is to forward the numbers via SMS to 333. This message is free. After reporting, the conning numbers are investigated and blocked.

This article has been written by Silvia Kiragu, a cybersecurity practitioner with a keen interest in Operation Security (OPSEC) and Open Source Intelligence (OSINT). She is also an NCSTP alumnus and a volunteer at SheHacks_KE.

Follow her: Twitter @slymiles_, LinkedIn @Silvia Kiragu
