SIM-swap fraud

Entersekt | Encyclopedia | SIM-swap fraud
What is SIM-swap fraud?

SIM-swap scams are a form of social engineering attack in which perpetrators trick mobile carriers into transferring a victim's phone number to a new SIM card controlled by the attacker. This lets the attacker intercept SMS-based authentication codes and, potentially, gain access to the victim’s bank account.

How does SIM-swapping work?

SIM-swapping, also known as SIM-jacking, occurs when a fraudster takes control of their victim’s mobile phone number. They achieve this by contacting the individual’s mobile carrier, pretending to be that person, and claiming their SIM card was damaged or lost. The fraudster then asks the operator to move that number to a new SIM card, one already in the criminal’s possession.

After that, the criminal receives all SMSs and phone calls that should be going to the victim. When the bank sends an OTP, the fraudster receives it and can access the customer’s accounts.

For SIM-swap scams to be successful, the fraudster will typically have already gathered personal information about the customer through phishing and other social engineering tactics, for example by sending an email that purports to be from the bank but is fake. The customer clicks a link in the email and is routed to a site that harvests their personal data, such as their banking credentials.

How can banks protect customers from SIM-swap fraud?

Ongoing fraud prevention education is essential for customers and employees to ensure they’re able to spot a fake email or social media scam. Financial institutions also need stronger and more modern methods to verify their customers. Today, the use of SMS-delivered one-time PINs (OTPs) in authentication puts customers at a greater risk of fraud. Password-only authentication and two-factor authentication that uses a password and an OTP are equally susceptible to SIM-swap fraud.

FIs that use multi-factor authentication (MFA) offer better protection against SIM-swap fraud. When the MFA includes strong security measures, like biometric authentication, it becomes increasingly difficult for fraudsters to commit these scams.
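The following Python model, an added example that is not Entersekt's code, shows why an SMS OTP is defeated by a SIM swap while a factor bound to a key on the customer's enrolled device is not, and sketches one bank-side check: refusing to rely on SMS OTP while the SIM behind a number is very new. The carrier, phone number, users, the seven-day threshold and the assumption that a carrier can report the time of the last SIM change are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Sim:
    """A SIM card; the carrier delivers SMS to whichever SIM currently holds a number."""
    owner: str
    inbox: list = field(default_factory=list)


class Carrier:
    """Constructed carrier model: a phone number routes to exactly one SIM."""
    def __init__(self):
        self.routing = {}          # phone number -> Sim
        self.sim_changed_at = {}   # phone number -> time of last SIM change

    def activate(self, number, sim, when):
        self.routing[number] = sim
        self.sim_changed_at[number] = when

    def deliver_sms(self, number, text):
        self.routing[number].inbox.append(text)


class SmsOtp:
    """Factor tied to the phone NUMBER: whoever holds the SIM receives the code."""
    def __init__(self, carrier):
        self.carrier = carrier
        self.pending = {}

    def send(self, number):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[number] = code
        self.carrier.deliver_sms(number, code)

    def verify(self, number, submitted):
        return hmac.compare_digest(self.pending.get(number, ""), submitted)


class DeviceBoundFactor:
    """Factor tied to a KEY held on the enrolled device. A SIM swap moves the
    number, not the key, so the attacker cannot answer the challenge."""
    def __init__(self):
        self.keys = {}         # user -> secret enrolled from the device
        self.challenges = {}   # user -> outstanding nonce

    def enroll(self, user):
        key = secrets.token_bytes(32)
        self.keys[user] = key
        return key             # in practice kept in the device's secure storage

    def challenge(self, user):
        nonce = secrets.token_bytes(16)
        self.challenges[user] = nonce
        return nonce

    @staticmethod
    def respond(device_key, nonce):
        return hmac.new(device_key, nonce, hashlib.sha256).digest()

    def verify(self, user, response):
        expected = hmac.new(self.keys[user], self.challenges[user], hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def sms_otp_allowed(carrier, number, now, min_sim_age=timedelta(days=7)):
    """Bank-side policy (assumes the carrier reports the last SIM-change time):
    do not trust SMS OTP while the SIM behind the number is newer than min_sim_age."""
    changed = carrier.sim_changed_at.get(number)
    return changed is not None and now - changed >= min_sim_age


def simulate_sim_swap():
    """Run both factors after a SIM swap and report who passes what."""
    now = datetime(2024, 1, 15, tzinfo=timezone.utc)
    carrier = Carrier()
    number = "+27000000000"    # constructed number
    victim_sim = Sim("victim")
    carrier.activate(number, victim_sim, now - timedelta(days=400))

    sms = SmsOtp(carrier)
    device = DeviceBoundFactor()
    victim_key = device.enroll("victim")

    # The fraudster convinces the carrier to move the number to their SIM.
    attacker_sim = Sim("attacker")
    carrier.activate(number, attacker_sim, now - timedelta(hours=2))

    # SMS OTP: the bank sends the code and the attacker's SIM receives it.
    sms.send(number)
    attacker_passes_sms = sms.verify(number, attacker_sim.inbox[-1])

    # Device-bound factor: the attacker holds the number but not the victim's key.
    nonce = device.challenge("victim")
    forged = DeviceBoundFactor.respond(secrets.token_bytes(32), nonce)
    attacker_passes_device = device.verify("victim", forged)
    victim_passes_device = device.verify("victim", DeviceBoundFactor.respond(victim_key, nonce))

    return {
        "attacker_passes_sms_otp": attacker_passes_sms,
        "attacker_passes_device_factor": attacker_passes_device,
        "victim_passes_device_factor": victim_passes_device,
        "sms_otp_allowed_after_swap": sms_otp_allowed(carrier, number, now),
        "victim_sms_inbox_empty": len(victim_sim.inbox) == 0,
    }


if __name__ == "__main__":
    for name, outcome in simulate_sim_swap().items():
        print(f"{name}: {outcome}")
```

The point of the model is that the SMS OTP proves control of a phone number, which the carrier can reassign, whereas the device-bound response proves possession of a key that never leaves the customer's enrolled device. The recency check is a stop-gap for institutions that still send SMS OTPs: it only works if the carrier exposes SIM-change data, and it delays rather than removes the exposure.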
