Criminals using SIM card swaps to steal your money

By Kim Komando

May 3, 2017

You are probably familiar with the SIM card — that little chip that’s inserted in your cellphone to identify you within the cell network and assign you your phone number.

If your phone is lost or stolen, your cellphone provider will issue you a new SIM card to activate and use on your new phone; however, some devious criminals out there have found a way to rip you off using your own SIM card against you. Yikes!

Can SIM swapping be flipped and used by criminals for nefarious ends? According to the UK’s National Fraud Intelligence Bureau, SIM swapping scams are on the rise again.

The SIM swap scam

It’s an elaborate scam but it’s more common than you think. This is how it works:

1st step: Through social engineering and phishing scams, criminals gather as much information from a potential victim as they can. They browse through social media posts, use search engines or engage victims in online chats in hopes of acquiring details that can be used for security questions (i.e. mother’s maiden name, name of first pet, etc.).

Criminals can also use keylogging, or spying malware, or buy personal information databases from the Dark Web.

Note: Click here to read how the simplest Facebook surveys can be security threats.

2nd step: With the personal information gathered, the fraudster will contact the victim’s cellphone carrier and claim that their phone has been lost, damaged or stolen and they need to activate a new phone with a fresh SIM card.

If they successfully pass the carrier’s identity checks by answering the security questions, the old SIM card is deactivated and the SIM card in the criminal’s hands is activated. All of the victim’s calls and texts are now received on the criminal’s phone.

Once the victim’s SIM card is deactivated, their phone will stop working, usually with a “No Service” warning. This is the first red flag you’ll have to watch out for.

3rd step: The criminals then attempt to claim the victim’s online banking account, again by using the personal information gathered, but this time they’ll also use the victim’s phone number for two-factor authentication codes. With this crucial window of opportunity, they start changing profile settings then add and set up withdrawal accounts.

4th step: With these additional accounts set up, the criminals start draining the victim’s bank account. The banks will ask for confirmation via two-factor authentications via text messages to your phone number, which unfortunately, is still under the criminal’s control. At this point, it’s game over.

Adding insult to injury is this: once you wise up and discover what’s going on, it’s still all up to you to prove to the phone carrier and your bank that you are the victim and you’re actually who you say you are. You’ll probably go through even more stringent security checks than what the criminal had to go through!

Protect yourself

• Look out for phishing scams on emails or websites. SIM card scammers will try and get your username and password first so this is your first line of defense.
• Never open attachments from unknown sources. Another way for the criminals to gather data about you is via spying malware and keyloggers. Be mindful of what you download and install on your computer and gadget.
• Have security and anti-virus software installed on your machine. This will alert you if known malicious software is trying to infect your machine. It’s also vital to keep your software and system up-to-date.
• Never over-share on social media, especially publicly. Don’t post sensitive information like birthdays, pet names, relatives, family information. Remember these types of info can be used as answers to your security questions.
• Beware of social engineering. Don’t reveal any personal information to strangers especially on online chats, no matter how casual and friendly the conversation may be. Also, crooks are starting to pose as people you may know with fake Facebook accounts, so be vigilant (even with your friends).
• Create strong and unique passwords. Many people use weak passwords and even worse, use the same username and password on multiple sites. This is a terrible practice and you should never do it. If you’re using the same credentials on multiple sites, change them to make them unique. Here are the worst passwords you could use that will likely get you hacked.
• Contact your carrier immediately if your phone suddenly gets deactivated. If you’re in a known area and you suddenly lose your network connection, contact your carrier immediately. Use another phone, if needed. Criminals are counting on this window of opportunity to perform their nasty deeds so you have to act quickly.

Tags: Facebook, malware, network, security