SIM swap scams: what you need to know

In today’s mobile-centric world, using mobile phones for Internet banking is standard practice for most people, but do customers know they could be at risk of a new type of scam? SIM swap fraud, where scammers cancel and re-activate new SIM cards to hack into bank accounts, is reportedly on the rise.

What exactly is SIM swap?

SIM swap is a type of phishing fraud that poses a serious threat to customer and bank security. The fraudster obtains an individual’s banking details through phishing techniques or by purchasing these from organised crime networks. They then use this information, including personal details sourced via social media, to pose as the victim to the mobile network operator and fool them into cancelling and reactivating the victim's mobile number to a SIM in their possession. As a result, all calls and texts to the victim’s number are routed to the fraudster’s phone, including one-time passwords for banking transactions. After receiving a one-time pin or password from a bank, the fraudster can then potentially access the customer’s bank account and transfer funds.

Why is it on the rise?

Currently SIM swap fraud is quite difficult to detect. Since it is a fairly new type of scam, banks are still trying to find effective ways of identifying when a customer’s mobile number has been fraudulently swapped and ported onto a new device. With fraudsters continuing to exploit this weakness, putting better authentication processes in place is vital.

What are the risks to customers?

Anyone who uses mobile banking services or notifications is potentially at risk. Customers make themselves particularly vulnerable by answering fraudulent calls or illegitimate emails which ask for personal details. It’s about being vigilant and responsible for protecting your personal data. Given that fraudsters are using personal details sourced from social media, customers need to be applying the necessary privacy settings on their profiles to stop criminals from snooping.

How should companies tackle SIM swap fraud?

Customer service teams arguably need tighter processes and guidelines on how to detect potentially fraudulent activity. Companies can look at specific training to help agents recognise when someone might be impersonating a customer and stop them in their tracks. In addition, these companies need to be making better use of the data they have available to them, including SIM card information, device type and location data, and consumer behaviour. Risk can be significantly reduced by tracking these patterns better. Of course consumers have a responsibility to be vigilant and take their own precautions as well.

In addition to costing companies money, SIM swap fraud poses a significant risk to a company’s reputation and customer base. If the necessary prevention measures are put in place from the beginning, banks and phone providers could prevent real reputational damage and the loss of crucial resources, time, and money.

How can banks get access to customers' mobile data without putting those customers at risk?

While the customer’s mobile data is owned by the mobile operators, it can still be made available to banks. Mobile operators need to work closely with banks to build better practices in combating SIM swap fraud. This involves making historical customer data available for lookup by a bank’s fraud prevention solution that can then analyse the data to assess the risk of fraud.

How can banks spot the vulnerabilities?

Banks can use fraud prevention software to analyse customers’ historical mobile network data and help them to verify the authenticity of transactions and communications. These technology solutions automatically check for any data mismatches for certain actions, such as an account password request, in order to help the bank assess the risk of SIM swap fraud.

How can banks block the fraudsters and notify their customers of an attack?

If the bank identifies a data mismatch, fraud prevention solutions produce a risk score, determining the level of threat and what actions need to be taken. For example, if mismatches in historical data highlight a low or moderate threat of SIM swap fraud, the bank is able to determine through workflows what actions will be taken in the situation, whether the one-time password is delivered or denied, or further verification is required. If mismatches indicate that a SIM swap fraud has occurred, the prevention technology alerts the bank immediately and access is denied to the fraudster. Trigger based communications are also sent to the fraudster and victim notifying them that the scam has been detected.

How can banks and mobile operators adapt their authentication processes?

Banks and mobile operators can do a number of things to improve their authentication processes and prevent more of these incidents occurring. Given that criminals on occasion have been able to bypass these companies’ security measures, banks and phone providers should be, and in some cases are, investing in security technology. They should also be putting in place extra security questions that cannot be answered by simply knowing a few personal details sourced from social media.

In addition, contact centres and customer service teams have a responsibility to put adequate training and system alerts in place to help agents better identify potentially fraudulent activity. Fraud cases can also be reduced by driving awareness of this growing threat and creating guidelines to help customers protect themselves. The challenge though is that fraudsters will always innovate so the prevention measures need to be in place from the onset. Ultimately, banks need to utilise the customer data generated by mobile networks and devices in order to identify risk before a customer loses their money.

Alex Cambell, VP of Enterprise Sales, IMImobile