Cyber Security

How ‘Sim-Swap Fraud’ Works and Combatting it Effectively

Written by

Elliott Thompson

Published on

30 Oct 2020


SureCloud’s Principal Cybersecurity Consultant, Elliott Thompson, was asked for his thoughts on the latest Which? Magazine investigation focusing on mobile phone SIMs.

Smartphones are a critical part of work and leisure for most of us today. We carry them with us everywhere. We use them to tap in and out of public transport, to pay for goods, to navigate around new places – and, of course, for online banking.

This means that malicious cybercriminals have a whole new line of attack when it comes to stealing sensitive information. Elliott Thompson, our principal cybersecurity consultant, recently contributed to coverage of precisely this issue – in particular, a scam called ‘Sim-Swap Fraud’. Reports of this scam to Action Fraud have increased by 400% over the past five years.

How Sim-swap Fraud Works

Simple but Effective

At its core, Sim-swap fraud is very simple. Fraudsters seek to gain control of a user’s mobile phone number, either by swapping the victim’s number to a new Sim card on the same network, or by moving the number to a different network altogether by requesting the Porting Authorisation Code (PAC), which in legitimate circumstances enables users to move networks without losing their phone number.

Password Guessing & Social Engineering

As Elliott explained, perpetrators will typically begin by seeking out the answers to the security questions asked by mobile networks – such as the user’s birthday, place of birth or mother’s maiden name – so that they can present these to the mobile operator and gain control of the number. If they can’t access such information, they may try social engineering techniques such as claiming to have suffered a recent bereavement, to convince the mobile operator to grant them access anyway. Either way, they focus on gathering intelligence and then convincing the network that they are the owner of the number in question – at which point they can ask for the number to be switched to a Sim card that they own.

Forgotten my Password

Once the phone number is compromised, an agile attacker can quickly use the ‘I’ve forgotten my password’ function online – say, on a banking website – which then sends a code to the phone number in question. Provided the criminal has already gathered other credentials, such as usernames, this could be the final piece of the jigsaw, enabling them to access a bank account.

Commercialised Cyber-criminals

End goals such as ‘inbox viewing’ and ‘social media account takeover’ are often advertised as products on the dark web, underlining just how commercialised some aspects of the cybercriminal world have become. A myriad of different tools and techniques are incorporated into these packages, with the perpetrators simply using anything at their disposal to accomplish the objective. Illicit Sim-swapping can be a hugely effective part of this. Our research suggests that such packages can cost as little as $100.


How Can we Combat it?

Act fast!

As with so much of cybersecurity, a number of factors need to come together to battle Sim-swap fraud effectively. Users who receive unexpected texts supplying their PAC, or warning that a Sim port is being processed, should contact their network immediately. Unfortunately, as outlined in the Which? article, no mobile network currently offers a 24/7 customer services telephone helpline, although out-of-hours services can still put restrictions on users’ accounts in order to block unauthorised access.

Get help

Sometimes, however, users may not notice that anything is wrong until their phone unexpectedly loses service. In these instances, they should contact both their bank and their mobile network, just to be on the safe side.

It’s time for other industries to step up

But we can get more collaborative than this. As pointed out in the article, Mozambique now has a system in place whereby mobile networks flag to banks mobile numbers which have recently swapped Sims. This enables banks to carry out their own checks and cross-referencing. We need to see techniques like this taken up more broadly by major retailers and other online businesses. Whilst banks will typically require an additional level of verification beyond text and email, making them less susceptible to Sim-swapping, many e-commerce and digital businesses are not yet so stringent.
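The cross-referencing described above, as an added illustration (not code from SureCloud or any network or bank): a password-reset service consults a feed of recent SIM-swap and port-out events before sending an SMS code, and demands verification through another channel if the number changed hands within a risk window. The event feed, phone numbers, and seven-day window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy value: a swap or port within this window is treated as high-risk.
RISK_WINDOW = timedelta(days=7)


@dataclass(frozen=True)
class SimEvent:
    msisdn: str          # phone number in E.164 form
    kind: str            # "sim_swap" (new Sim, same network) or "port_out" (PAC used)
    occurred_at: datetime


# Constructed sample feed of the kind a network might share with a bank.
SAMPLE_FEED = [
    SimEvent("+447700900001", "sim_swap", datetime(2020, 10, 28, 9, 30, tzinfo=timezone.utc)),
    SimEvent("+447700900002", "port_out", datetime(2020, 9, 1, 12, 0, tzinfo=timezone.utc)),
]

# Constructed "current time" so the example is reproducible offline.
SAMPLE_NOW = datetime(2020, 10, 30, 0, 0, tzinfo=timezone.utc)


def last_change(feed, msisdn):
    """Return the most recent swap/port event for a number, or None if unknown."""
    events = [e for e in feed if e.msisdn == msisdn]
    return max(events, key=lambda e: e.occurred_at) if events else None


def reset_code_decision(feed, msisdn, now):
    """Decide whether an SMS reset code may go to this number.

    Returns (decision, reason): "send_sms_code" when no recent change is on
    record, "step_up" when the number was swapped or ported inside RISK_WINDOW.
    """
    event = last_change(feed, msisdn)
    if event is None:
        return "send_sms_code", "no SIM change on record for this number"
    age = now - event.occurred_at
    if age < RISK_WINDOW:
        return "step_up", f"{event.kind} {age.days} day(s) ago; verify via another channel"
    return "send_sms_code", f"last {event.kind} {age.days} day(s) ago, outside risk window"


if __name__ == "__main__":
    for number in ("+447700900001", "+447700900002", "+447700900003"):
        print(number, *reset_code_decision(SAMPLE_FEED, number, SAMPLE_NOW))
```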

The cybersecurity landscape is constantly evolving, with new threats constantly developing. To combat them, companies and end-users need to work together to spot and escalate suspicious activity.