What is SIM Swap fraud in online banking and how to prevent it

Picture this: you grab your phone to call someone, and you realize it isn’t working.

You try to browse a web page, chat on Whatsapp, or send a text message… nothing works. 

What happened? 

Bad news: you have been scammed. And this might not even be the worst news, as you might find an unpleasant surprise in your bank account.

In this article, we’ll share in detail what is a SIM Swap scam, how cybercriminals leverage it to perpetrate online banking fraud, and what you can do to prevent your customers from being scammed. 

A SIM Swap scam happens when criminals take control of a victim’s mobile phone number by transferring it to a new SIM card they possess. 

The scam starts with cybercriminals stealing personal information on the targeted victim through phishing emails, social engineering activities, malware installed on the device, or social media profiles research.

Next, thanks to the information collected, they conducted a social engineering attack on the mobile carrier’s operator, by impersonating the victim and requesting to transfer the number from the original SIM card to a new one. The operator might ask questions to verify the legitimacy of the requester…or not. 

Today the reason why SIM Swap fraud is completed is the lack of accurate controls from mobile carrier operators. Most of the time, they assume that the caller or the customer in front of them is the actual owner of the phone number and proceed to the SIM Swap operation without questioning the reasons for the request. 

Moreover, today in Europe, there is a lack of strict regulations around SIM replacement processes, which makes it easier for criminals to act undisturbed. In an interesting study conducted by the European Union Agency for Cybersecurity, several stakeholders in the industry highlighted the need for stricter control by the authorities and telecom companies. 

So, you might now ask… is fooling the mobile carrier operator all it takes for cybercriminals to perpetrate fraud? 

Well, mostly. 

From that moment on, criminals can potentially bypass multi-factor authentication mechanisms to access the victim’s accounts: this is possible because those mechanisms always include a fall-back option to receive an OTP via text message or a call to the registered mobile number. 

To finalize the scam and complete the fraud, however, criminals must possess personal credentials to access banking accounts, like passwords or PIN codes. 

In the context of online banking, a SIM Swap fraud is a particular type of Account Takeover (ATO) attack, as cybercriminals are now able to take over the victim’s online account to steal information or, more commonly, money.

This type of fraud has grown consistently in the past few years and has proven effective and challenging to detect. In the UK, reports to Action Fraud went up 400% between 2015 and 2020, and they are expected to grow even more in the future. 

This underlines the compelling need for banks and financial institutions to strengthen their customers’ protection by taking action to prevent fraud. 

As in the case of a phishing attack, SIM Swap is only a step for cybercriminals on their way to take over the victim’s account and eventually perpetrate fraud. 

And as for phishing, the bank cannot do much to prevent SIM Swap scams, but they can avoid the Account Takeover that will be attempted. 

And how to do that? 

By making customers more aware of how they act online and by integrating the right fraud management system in your security processes.

Raise awareness to avoid getting scammed

Education is crucial to avoid getting scammed. Most of the time, cyber-attack can get through because people do not pay enough attention to how they act online. 

Here are a few tips you can frequently share with your customers to help them keep their eyes open and make, then, for criminals, hard to attack. 

Integrate the right fraud management system into your security processes

Once the SIM Swap scam is completed, cybercriminals have all the means to access the victim’s accounts and steal money. 

And this is where technology comes in.

The right fraud management system can help you monitor what’s happening across all digital channels throughout the user’s journey, even before the authentication phase occurs. 

To block ATO, it is essential to perfectly recognize the users and how they behave and act on the banking channels to detect any anomalies. Integrating behavioral analysis, behavioral biometrics, and transactional analysis is the key.

At Cleafy, we developed a new generation all-in-one platform, which features all the key capabilities needed to detect any type of ATO attempt. To learn more about how we can help you prevent SIM Swap fraud, download our Use Case “Stop SIM Swap fraud with Cleafy.”