SIM-Swap fraud, also known as SIM Jacking or SIM Swapping, is an invasive and insidious form of fraud attack that involves a fraudster porting a mobile phone number to a different device that they control. The method is on the rise across the globe – the UK has reported a 400% increase in this fraud Year-on-Year since 2015 while the FBI highlighted SIM-Swap fraud as one of the most devastating cybercrimes last year.
A SIM-Swap occurs when a fraudster sets out to get some private information on their victim through various phishing attacks, often referred to as social engineering. Once the information is obtained, the attacker fraudulently convinces the victim’s mobile phone carrier to move the mobile number to a different SIM card under the pretence of having lost their phone. The fraudster answers the security questions asked by the carrier’s agent using the phished information, and the carrier transfers the number to the requested SIM card, giving the fraudster complete control over their victim’s number: hence the “swap”.
Once the victim’s number is operational on the fraudster’s SIM, they can begin resetting passwords and gaining access to online accounts that receive SMS messages or automated voice calls for authentication purposes. This then opens the possibility for fraudsters to gain access to bank accounts, messaging history and social media accounts. A victim may only realise something is wrong when they notice they have lost mobile network service on their handset. By the time they contact the mobile operator, the fraudster has had plenty of time to drain bank accounts, hack social media platforms or collect the information they need to blackmail the victim.
One of the most notable SIM-Swap cases was the $224 million lawsuit filed against AT&T by Michael Terpin, who lost close to $24 million in cryptocurrency through a SIM-Swap fraud attack. Twitter’s CEO, Jack Dorsey, also fell victim to the attack. Jack Monroe, British food writer, lost £5,000 to the fraud. Fraudsters are not only targeting millionaires, executives and celebrities. One man lost his life savings to the attack when fraudsters SIM-Swapped his phone and drained his retirement account; two tourists were left stuck with no access to funds while travelling in South America after having their bank accounts drained.
The advent of 5G will place SIM cards even more firmly at the heart of our personal and professional lives. Industry 4.0, the fourth industrial revolution, will see manufacturing plants controlled by mobile devices through IoT (Internet of Things). Supply chains and corporate IPs will be ever more exposed to threats. Our fridges, doorbells and home devices will have a common point: our phones. SIM attacks will continue to innovate and have a graver impact as the fraud evolves along with technology.
Every SIM card has a unique number, known as an International Mobile Subscriber Identity (IMSI). Just like car registration plates identify vehicles on the road, IMSIs help mobile carriers identify a SIM on their network. When a fraudster ports their victim’s mobile number onto a SIM in their possession, the serial number associated with that mobile number, the IMSI, also changes.
Phonovation’s innovative FinTech solution complies with PSD2 to protect businesses and users against SIM-Swap fraud by providing real-time data on the status of a mobile SIM via a secure connection into the mobile network. Our patented Mobile ID service, introduced in 2014, was the first to be offered globally and has successfully eliminated SIM-Swap fraud in the Irish banking sector.
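The IMSI comparison described above can be sketched as a gate that runs before an SMS one-time code is sent. This is an added example, not Phonovation's code or API: the `SimStatus` lookup result, the 72-hour cooling-off window, the decision labels and the test-network IMSIs are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

COOLING_OFF = timedelta(hours=72)  # assumption: policy window after a SIM change


@dataclass
class SimStatus:
    """Result of a hypothetical operator lookup for one mobile number."""
    imsi: str
    sim_changed_at: Optional[datetime] = None  # None: no change reported


def imsi_fingerprint(imsi: str, key: bytes) -> str:
    """Keyed hash, so the raw IMSI is never stored with the account."""
    return hmac.new(key, imsi.encode(), hashlib.sha256).hexdigest()


def sms_otp_decision(enrolled_fp: str, status: Optional[SimStatus],
                     key: bytes, now: datetime) -> str:
    """Return 'allow', 'step_up' or 'block' before sending an SMS code."""
    if status is None:  # lookup failed: do not fall back to trusting SMS
        return "step_up"
    same_sim = hmac.compare_digest(imsi_fingerprint(status.imsi, key), enrolled_fp)
    recent = (status.sim_changed_at is not None
              and now - status.sim_changed_at < COOLING_OFF)
    if not same_sim and recent:
        return "block"    # number moved to another SIM within the window
    if not same_sim or recent:
        return "step_up"  # old, unverified change or inconsistent data
    return "allow"


def demo() -> list:
    """Run the check on constructed data (test-network IMSIs, MCC 001)."""
    key = b"constructed-demo-key"
    now = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
    enrolled = imsi_fingerprint("001010123456789", key)
    cases = [
        SimStatus("001010123456789"),                            # unchanged SIM
        SimStatus("001010999999999", now - timedelta(hours=2)),  # swapped today
        SimStatus("001010999999999", now - timedelta(days=90)),  # replaced long ago
        None,                                                    # lookup unavailable
    ]
    return [sms_otp_decision(enrolled, c, key, now) for c in cases]


if __name__ == "__main__":
    print(demo())
```

A `step_up` result means the account holder is verified through a channel that does not depend on the SIM, after which the new IMSI fingerprint can be enrolled.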