Choose your topics

What is Risk Management in Cybersecurity?

Let’s explore the essentials of risk management in the context of cybersecurity to help you understand how to identify, assess and mitigate cyber threats effectively.

Cyber Risk Management Enterprise Risk Management
3 Best Practices for Data Privacy

With more technology comes more data, and with that a greater need for data privacy enforcement. What best practices should you be following?

Data Privacy
How to Prioritize Your Third-Party Risks

How can you prioritize effectively and enhance your organization’s security posture? Here are our top tips for setting up realistic, sustainable processes.

Third-Party Risk Management GRC
Top Tips to Save Time When Assessing Third-Party Risks

Is assessing third-party risks taking up too much of your time? How can you make the process more effective and efficient? Find out in the latest post from SureCloud.

Third-Party Risk Management GRC
The GRC Trends to Look Out for in 2024

Our GRC experts at SureCloud share their 2024 predictions for the world of governance, risk and compliance.

The Top 5 Challenges of Third-Party Risk Management

With the supply chain now seen as a legitimate attack path, what can your organization do? Let’s explore 5 challenges of TPRM and how to overcome them.

Third-Party Risk Management GRC
What is Third-Party Risk Management?

What is third-party risk management and how should you approach it? Find out in this post.

Third-Party Risk Management GRC
Questions You Should Ask when Preparing For Your First Pen Test

Understand the processes that you and your chosen pentest provider will travel through for your first pen test, from the initial point to the day the test starts.

Penetration Testing
TPRM Blog 6-Writing Clear Questions

Our GRC Practice Director explores the importance of clear communication and how to achieve it in your third party questionnaires. Read more here.

Third-Party Risk Management GRC
Vector (7)
Cyber Security

How ‘Sim-Swap Fraud’ Works and Combatting it Effectively

How ‘Sim-Swap Fraud’ Works and Combatting it Effectively
Written by

Elliott Thompson

Published on

30 Oct 2020

How ‘Sim-Swap Fraud’ Works and Combatting it Effectively


SureCloud’s Principal Cybersecurity Consultant, Elliott Thompson was asked for his thoughts on the latest Which? Magazine investigation focusing on mobile phone SIMs.

Smartphones are a critical part of work and leisure for most of us today. We carry them with us everywhere. We use them to tap in and out of public transport, to pay for goods, to navigate around new places – and, of course, for online banking.

Which means that malicious cybercriminals have a whole new line of attack when it comes to stealing sensitive information. Elliott Thompson, our principal cybersecurity consultant, recently contributed to covering precisely this issue – in particular, a scam called ‘Sim-Swap Fraud’. Reports of this scam to Action Fraud have increased by 400% over the past five years.

How Sim-swap Fraud Works

Simple but Effective

At its core, Sim-swap fraud is very simple. Fraudsters seek to gain control of a user’s mobile phone number, either by swapping the victim’s number to a new Sim card on the same network, or by moving the number to a different network altogether by requesting the Porting Authorisation Code (PAC), which in legitimate circumstances enables users to move networks without losing their phone number.

Password Guessing & Social Engineering

As Elliott explained, perpetrators will typically begin by seeking out the answers to the security questions asked by mobile networks – such as the user’s birthday, place of birth or mother’s maiden name – so that they can present these to the mobile operator and gain control of the number. If they can’t access such information, they may try social engineering techniques such as claiming to have suffered a recent bereavement, to convince the mobile operator to grant them access anyway. Either way, they focus on gathering intelligence and then convincing the network that they are the owner of the number in question – at which point they can ask for the number to be switched to a Sim card that they own.

Forgotten my Password

Once the phone number is compromised, an agile attacker can quickly use the ‘I’ve forgotten my password’ function online – say, on a banking website – which then sends a code to the phone number in question. Provided the criminal has already gathered other credentials, such as usernames, this could be the final piece of the jigsaw, enabling them to access a bank account.

Commercialised Cyber-criminals

End goals such as ‘inbox viewing’ and ‘social media account takeover’ are often advertised as products on the dark web, underlining just how commercialised some aspects of the cybercriminal world have become. A myriad of different tools and techniques are incorporated into these packages, with the perpetrators simply using anything at their disposal to accomplish the objective. Illicit Sim-swapping can be a hugely effective part of this. Our research suggests that such packages can cost as little as $100.

“Reports of this scam to Action Fraud have increased by 400% over the past five years.”


How Can we Combat it?

Act fast!

As with so much of cybersecurity, a number of factors need to come together to battle Sim-swap fraud effectively. Users who receive unexpected texts supplying their PAC, or warning that a Sim port is being processed should contact their network immediately. Unfortunately, as outlined in the Which? article, no mobile network currently offers a 24/7 customer services telephone helpline, although out-of-hours services can still put restrictions on users’ accounts in order to block unauthorised access.

Get help

Sometimes users may not notice that anything is wrong: however, until their phone unexpectedly loses service. In these instances, they should contact both their bank and their mobile network, just to be on the safe side.

It’s time for other industries to step up

But we can get more collaborative than this. As pointed out in the article, Mozambique now has a system in place whereby mobile networks flag to banks mobile numbers which have recently swapped Sims. This enables banks to carry out their own checks and cross-referencing. We need to see techniques like this taken up more broadly by major retailers and other online businesses. Whilst banks will typically require an additional level of verification beyond text and email, making them less susceptible to Sim-swapping, many e-commerce and digital businesses are not yet so stringent.

The cybersecurity landscape is constantly evolving, with new threats constantly developing. To combat them, companies and end-users need to work together to spot and escalate suspicious activity.