Phishing is a well-known online banking fraud; however, perpetrators also have another weapon, SIM-Swap, to steal your hard-earned money via internet banking fraud. Let’s find out what it is.
Phishing attacks or attempts are pretty well known: you get emails from addresses that are similar to your bank’s, and are asked to click on a link or enter certain account-related information like your PIN, Password, Account number and other details. Those who fall for it can be scammed and can lose money, but banks now send out emails to their customers to counter this menace and educate people to guard against it by not divulging any personal information, especially PIN and Password, in any kind of communication with the bank, whether via email, phone or otherwise, since banks do not need this information for any of your queries. They also have various steps for authenticating your identity, from two or more passwords, to an OTP or One Time Password that is sent to your registered mobile number, and also random combinations from your ATM Card Grid at the back. They are making more and more effort to make transactions as secure as possible, and by and large they are, as long as we also do our part and are careful while making online transactions.
However, just as there is constant innovation from banks, antivirus companies, internet service providers and browser developers to make everything on the internet safe, especially online transactions and internet banking, there is also innovation from the scammers and fraudsters to bypass them, or at least attempt to. One of the commonly used but relatively lesser-known tricks is SIM-SWAP, used to gain access to OTPs and other SMS in order to carry out an online banking transaction in your name from your account and steal money. What is SIM-SWAP and how can you guard against it? Let’s have a look.
What is SIM-SWAP?
It is a kind of fraud/scam wherein the fraudster registers an existing customer’s number on a different or duplicate SIM card. This then lets them receive all the communication directed at the original registered mobile number on the duplicate one. This is, however, not possible straight away, since for two SIM cards to function at the same time they need to be cloned, and cloning a SIM is not an easy process. So for a SIM SWAP fraud to work, one of the handsets holding a SIM with the same number needs to be switched off. That is, only one SIM can work at a time, and for the duplicate SIM to be activated in order to receive the communication of the original SIM, the original SIM needs to be switched off.
To achieve this, the original SIM owner would receive an SMS from the fraudster, posing as their mobile network service provider, asking them to switch off their mobile for an hour or more due to “Maintenance Work” being carried out. Now even this step is not required, since if the duplicate SIM is ‘verified’, the original SIM is deactivated automatically. Once the original number is switched off or deactivated, the fraudster would have mostly done what he intended to do, that is, STEAL YOUR MONEY.
How does a SIM SWAP help the fraudster?
You may be wondering by now why a scammer would go to such pains to do a SIM swap. Well, your mobile number in today’s day and age is almost a virtual key to a lot of details about you as well as your money. Your internet banking verification, OTP, any account-related activity, etc. is all available through SMS. Now, once the person has swapped your SIM, he has access to all the alerts from your bank regarding your bank account. Even if he were to make an online transaction, the alerts would go to that number, and the OTP that one receives to complete a transaction is also available to him. The SMS alert for the transaction is also received on the duplicated SIM. In short, the fraudster has access to your phone number for carrying out the transactions and you will not be alerted, since your SIM would not be receiving the signal.
How does a SIM SWAP take place?
Step 1: This is an elaborate process. First there is Phishing, that is, sending emails that ask for bank information or urge something important and insist that you click on a link to a page identical to your bank’s home page, gathering your bank details by making you log in on that website. While you assume you are keying in your username and password on your banking site, it is actually recording those details for later use. This can also be done through SMishing, that is, via SMS, or Vishing, that is, via a voice call.
Step 2: Now this information alone is not of much use, since banks are smart and do not rely on just a username and password to validate an online transaction. Usually they ask for an OTP or a PIN, that is, a temporary numerical code which is required for each transaction to be completed. This is where SIM swap comes into the picture. To get your OTP and other alerts while the transaction is in progress, the scammer needs your number active with him. This is where the process for SIM Swap actually starts.
To gain access to a duplicate SIM, the fraudster will need your personal information. You may receive an SMS asking for your Name, Address, even DOB. With this information it becomes simpler for him to apply for a duplicate SIM card, and usually in such cases there is an insider in the cellular company to make this process simple for the scammer. If that is not the case, they even go to the extent of forging your residence proof and ID proof documents.
Step 3: Now that the duplicate SIM is issued, you may receive an SMS or a call asking you to switch off your cellphone due to some maintenance work at your service provider’s end. By the time you switch the cell back on, it may not have network and the other SIM would be active. From here on it is just a piece of cake for the fraudster to gain access to your bank account and flee with the money.
They may even start a process wherein you receive too many marketing calls or SMS all of a sudden, to annoy you into either switching off or silencing your cell voluntarily.
As mentioned above, in most cases now, if the documentation is ‘OK’ (that is, forged well), the original SIM is deactivated and the new one is activated. So you may not even realize that you do not have network access at times, until you actually have a look at your mobile.
How to be Safe from SIM Swap or Online Banking Fraud?
- Firstly, do not provide personal info to anyone over the phone, SMS or email, especially Date of Birth (DoB), PINs and Passwords, as well as Usernames.
- Never respond to emails asking for banking and personal details. Banks never ask for them via email and never ever ask for PIN, Passwords etc., even when you call them for assistance. They don’t need that.
- Never click on a link that appears in your emails. Instead always type the Bank’s site address in the browser (even if you bookmark the page… type, always type… ) and then access your account that way. Links can lead to dummy sites or even pages laden with malware and viruses.
- Never respond to an SMS or email asking for your Address, Name, DOB etc. Do I even need to mention that the ones stating you won the lottery etc. are scams? They are, of course.
- If you receive any phone call or SMS asking you to switch off your cellphone etc., call your service provider immediately and inform them of this. If it is genuine, they will let you know; if not, they will block any attempt to activate any duplicate SIM card on the same number.
- If you have no mobile network for an unusual length of time, or at places where you generally get a good connection, call the network provider immediately from any alternate phone and verify it.
- If you get too many marketing phone calls or SMS all of a sudden, this could be to annoy you and get you to put your phone on silent or switch it off. Do not do so, and call your service provider to verify any attempted SIM Swapping or activation of a Duplicate SIM.
- Inform the Bank about such an attempt and immediately change your Passwords and registered mobile number linked to your account.
- Always check your account statements from time to time; any suspicious activity, whether deposits or, of course, withdrawals, should be immediately brought to your bank’s notice.
- Have a separate email address for banking transactions from the one that you use otherwise for business or communication with others.
- Use your common sense and be wise to not be tempted by offers, or worried by emails stating problems in your account. Call the bank, verify yourself and do not respond to the email, phone call or SMS in any manner.