SIM swapping fraud: What is it and how to prevent it
SIM swapping is not just about transferring your old number to a new SIM card. It’s also a fraud tactic used by cybercriminals that can lead to financial losses for individuals and cause reputational damages for businesses such as MNOs and banks.
SIM swapping explained
SIM swapping refers to the process of transferring an existing phone number to a new SIM card.
There are plenty of reasons to SIM swap. Say you’ve lost your phone or bought a new one, but your old SIM card doesn’t fit. Or maybe your SIM card got damaged, or you got a better deal with a new. When done for reasons like these, SIM swapping is entirely legitimate.
Thanks to SIM swap and mobile number portability services, your phone number stays with you for years, even decades. You don’t need to alert everyone that you’ve changed your phone number; you get a new SIM, port your number to another operator, and continue with your life.
Unfortunately, the fact that it is so easy to transfer a phone number to a new SIM card also makes it a “lucrative” business for fraudsters.
What is SIM swap fraud and how does it work?
SIM swap fraud is a form of cybercrime where scammers exploit the process of swapping SIM cards to access a victim’s personal and financial information. They gain unauthorized control over the victim’s phone number, which enables them to take over social media or bank accounts.
In short, here’s how it works:
- Cybercriminals somehow find your mobile phone number and contact mobile network operators (MNOs) pretending to be you.
- They deceive the MNOs into activating a new SIM card with your phone number.
- Once the new SIM card is activated, fraudsters can access every One-Time-Pin (OTP) and Two-Factor Authentication (2FA) message sent to that number, effectively gaining access to all your accounts that use your phone number for verification.
Overview of how scammers trick mobile operators into transferring (swapping) the victim’s phone number to another SIM card.
Why does it happen?
SIM swap fraud occurs due to a combination of factors:
- Reliance on phone numbers: In today’s digital age, our phones are a hub for our online life. We use them to store and manage our email addresses, bank accounts, social network accounts, and even cryptocurrency accounts. Many of these important or private accounts offer two-factor authentication (2FA), which often relies on our phone numbers. While 2FA is designed to enhance security, it ironically means that a single, publicly available piece of information – a phone number – can be used for identification and verification.
- Sharing too many personal details online: Without proper precautions, our posts, photos, and interactions can make us vulnerable to identity theft. Scammers will often follow our activity on social networks to find out our personal details—including where we live and the names of our family, pets, friends, and contacts. They then use this information to try to impersonate us.
- Insufficient security systems and processes: Unfortunately, there are many cases where hackers exploit even the simplest information to hack people’s accounts or steal their identities. Simply by obtaining our phone numbers, they can contact our mobile operator pretending to be us. They might claim they’ve lost their phone and want to activate their number on a new SIM card. Mobile operators might approve that request if the scammers gathered enough information to impersonate us (or if the MNO’s due diligence is lacking).
$68 mil
in US consumer losses to SIM swapping fraud in 2021. Source: FBI
Real examples of SIM-swapping scams
In each of the cases below, scammers first obtained the victim’s phone number and personal information. They then tricked mobile operators’ and banks’ systems, committing fraud and stealing money. Consequently, banks had to refund the victims.
This shows that current cybersecurity measures and identity checks in mobile operators’ and banks’ systems are vulnerable and can be exploited. Therefore, enhanced security protocols and solutions are crucial to protect personal information and prevent fraudulent activities.
A 2020 study by Juniper Research found that, as the identity space evolves, MNOs will play an increasingly important role in providing verification of digital identity and universal login based on subscriber identity. They predicted that mobile network operator revenue from digital identity will reach $8.1 billion in 2025, up from $1.3 billion in 2020.
How to detect and prevent SIM swap fraud
To detect SIM swap fraud, mobile operators can check for changes to a mobile user’s phone number (MSISDN) and International Mobile Subscriber Identity (IMSI) number. An IMSI number is unique to each SIM card and is used to identify every mobile phone subscriber on a UMTS or GSM network. The IMSI remains unchanged even when a mobile (MSISDN) number is ported to a different SIM card.
For example, when a bank sends OTP codes for user verification, it may also carry out a SIM swap check. This will ensure the bank isn’t sending a verification code to a fraudster who has acquired a new SIM card with the same mobile number as the account they are attempting to hack.
“A SIM swap check is performed by looking at when the combination of the phone number (MSISDN) and the SIM card number (IMSI) last changed. Mobile operators keep a record of these changes. As Infobip’s customers, enterprises can ask us to check this. In some markets, they can receive the exact time a SIM swap happened. In others, they can specify a time period within which a SIM swap might have happened. In that case, the check produces a simple “yes” or “no” response.
Filip Cimermančić
Product Manager at Infobip
Our Mobile Identity solution can assist enterprises in mitigating SIM swapping by detecting recent changes in the MSISDN – IMSI combination on the side of the mobile operator.
In other words, it monitors which phone number is assigned to a particular SIM card. If a SIM swap has occurred recently, our solution alerts the enterprise, indicating a potential fraudulent transaction. This information can then be used to increase the level of verification required for that user, thereby enhancing security measures.
Additional recommendations for mobile operators from the FBI
- Educate employees and conduct training sessions on SIM swapping.
- Carefully inspect incoming email addresses containing official correspondence for slight changes that can make fraudulent addresses appear legitimate and resemble actual clients’ names.
- Set strict security protocols enabling employees to effectively verify customer credentials before changing their numbers to a new device.
- Authenticate calls from third-party authorized retailers requesting customer information.
Other common questions about SIM swapping
Conclusion: increasing mobile security is key to minimizing the risk of SIM-swapping scams
SIM swapping fraud is a serious threat that can lead to significant financial loss and reputational damage. However, by taking proactive measures, both individual mobile users and businesses can significantly reduce the risk and consequences of it.
A fundamental way of preventing SIM swap fraud is for MNOs to perform SIM swap checks. At Infobip, we provide a GDPR-compliant solution that can help identify and prevent scams by checking when the combination of a mobile user’s MSISDN and IMSI numbers last changed.
Learn more about our solution for preventing SIM swapping fraud
Explore Mobile IdentityYou may be interested in:
Get the latest insights and tips to elevate your business
By subscribing, you consent to receive email marketing communications from INFOBIP. You have the right to withdraw your consent at any time using the unsubscribe link provided in all INFOBIP’s email communications. For more information please read our Privacy Notice
