Fraudsters are Phoning it in with SIM Swap Fraud
Phone numbers have become a common way to verify your identity online. We’re in an era where many of us view our smartphones as practically extensions of ourselves, so it stands to reason that sending a text message to a personal phone number is a good way to perform two-factor authentication or validate a login from an unfamiliar device.
This method is secure and effective—unless a fraudster manages to hijack your phone number with a SIM card swap. It’s not the easiest scam to pull off, but when it succeeds, what can victims do to mitigate the damage and protect their online accounts?
Many of the apps and sites that store our most valuable personal data—like our social media, email, and online banking—use our phone numbers to make sure we are who we say we are when we’re trying to access or make changes to our accounts. After all, most of us always have our phones nearby, and replace them immediately when they’re lost or broken.
Subscriber identity modules, more commonly known as SIM cards, are plastic-mounted chips that store phone numbers and other information that identifies phones to their carriers. Changing phones can be as simple as moving a SIM card from one device to another—and carriers can change SIM card data remotely as well. After all, when your phone goes missing your number doesn’t disappear along with it; the carrier just transfers it to a new device.
How Does SIM Swap Fraud Work?
The idea of fraudsters hacking into the SIM card that’s nestled away inside your phone and stealing your phone number may sound impossibly high tech, but in truth, the way they go about it is almost always through old-fashioned social engineering. No special programs or hardware are required—just the ability to persuade a customer service rep that the caller is a legitimate customer in need of a SIM transfer. Of course, it helps a lot if the fraudster has access to the victim’s personal information, especially the answers to the security questions that are intended to protect their accounts from unauthorized access.
In a typical scenario, a fraudster might use phishing emails to get a victim to divulge some of the information that might help them gain access to a target account. For instance, they might send them an email with a link to a fake website that asks them to enter some of their security question answers. Or, they might trawl the victim’s social media for the names of relatives, birthplaces, schools, and other facts that frequently show up as security questions.
Once they have what they need to gain access, they contact the phone carrier, pretending to be the victim, and ask for a SIM card transfer to a new device. If they succeed, the victim’s phone number and any other data stored on the SIM card are instantly transferred to a new card in the fraudster’s possession. Now, if anyone calls or texts the victim’s phone number, the fraudster’s phone will receive it—which means they can easily get around authentication methods that rely on phone contact.
It’s a sure bet that before long, the fraudster will try to empty out the victim’s bank accounts, scour their email and social media for private information, and help themselves to anything else of value that the victim’s phone number can unlock.
What’s the Best Way to Protect Yourself from SIM Swap Fraud?
One of the most important defenses against SIM swapping is the ability to recognize it when it happens, which isn’t always easy. The earliest clue is often that your phone suddenly stops working, unable to send or receive any data. A carrier message might pop up alerting you to the fact that the SIM has been transferred, but if you don’t get this message, you might just think the problem is with the carrier or the phone’s hardware.
An immediate call to your carrier’s customer service line can help you figure out what the problem is, and it is very important to act quickly if you think you’ve become the victim of SIM swap fraud—it doesn’t take long for fraudsters to wreak significant havoc with a stolen phone number.
As far as prevention goes, many carriers allow you to secure your account with a PIN or other safeguards that make it harder for fraudsters to sweet-talk their way into accessing your account. It’s also wise to choose security questions or answers that can’t be found out by researching you online—how hard do you really think it is for somebody to find out your mother’s maiden name, for example?
Can SIM Swap Fraud Lead to Payment Disputes?
For fraudsters, SIM swap fraud is a more lucrative venture than credit card fraud. With a hijacked phone number, they can drain funds directly out of a victim’s bank account, with no need to make fraudulent purchases that they then have to figure out how to liquidate for cash.
However, it is certainly possible for fraudsters to use SIM swap fraud to facilitate account takeover and other schemes that can victimize merchants, many of which will later result in transaction disputes. These will usually come in the form of true fraud chargebacks that cannot be contested, so merchants should employ best practices for securing logins and storing payment credentials in order to minimize the fallout from account takeover attacks.
SIM swapping doesn’t always result in payment fraud, but merchants should always be aware of the ways in which their customers’ identities and online accounts may be compromised. We all have a role to play in keeping ecommerce safe and secure for consumers. Being vigilant about authentication protocols and using the safest available methods for protecting user accounts can go a long way toward making it harder for fraudsters to profit from phishing attacks, social engineering, and the various forms of cybercrime that these scams engender.
Fairly or not, merchants always take some of the blame when breaches occur, so making the extra effort can help you retain customers and protect your revenue in the long run.