The Art of Mobile SIM-Swapping: A Rising Scam Technique

This publication is authored by, and reflects the views and opinions of, PT Integrity Indonesia. More information about PT Integrity Indonesia is available on www.integrity-indonesia.com


Approximately 68.4 million Americans — in other words, almost one in every three — have lost money to mobile phone scams. The total cost is estimated at no less than $40 billion. One notable scam technique that has recently come into the limelight is Subscriber Identity Module (SIM) swapping.

Since mobile phones have become extensions of our identities, used for everything from online banking and storing private information to conducting business and accessing services, it is essential to recognize the three most common strategies scammers use against mobile users, so that we can protect our lives and livelihoods.


Mobile scam techniques: Calls, text messages, and more


1. Vishing

Vishing, also known as voice phishing, is a variation of phishing in which con artists call unwitting victims while posing as known companies or even close relatives. Attackers may employ a combination of fear-mongering and emotional blackmail to win the victim over and trick them into taking an action.

Additionally, robocalls — scam calls that use recordings rather than real people — are a typical vishing technique. In 2021, Americans received 50.5 billion robocalls, the most frequently reported complaint to the Federal Communications Commission (FCC).


2. SMS Phishing

The trick most frequently used in mobile phone scams is SMS phishing. In SMS phishing, text messages typically lead with a link (often a shortened URL) to a survey, prize notice, sweepstakes, or lottery, or to an “urgent message” regarding your bank account, credit card, or tax refund.

Victims are directed to a page under the attackers' control and asked to download an application, enter login credentials, or complete a form. When the victim takes the intended action, the attackers capture the credentials, bank account details, or other sensitive information, or they infect the device with malware to carry out the rest of their plan.


3. SIM Swapping

SIM swapping is a fraudulent practice in which a victim's mobile phone number is transferred to a SIM card in the possession of a con artist, who then uses it to steal the victim's banking information or digital identity.


More about SIM-swapping

In this era of prevailing digital transactions, banks often use mobile phones for authentication. If scammers can somehow gain control of a phone number's SIM card, they can potentially intercept text messages, emails, and other sensitive information.

The scam typically begins with the attacker obtaining personal information about the victim, such as their name, address, and phone number, through open-source intelligence (OSINT), phishing attacks, and/or data breaches. In this way the scammer gathers all the basic information needed to SIM-swap your phone number. Armed with this information, the scammer contacts the victim's mobile service provider, posing as the victim, and requests that the phone number be transferred to a new SIM card under their control. This step usually relies on social engineering.

Scammers use a variety of techniques to convince phone carriers to move a number, effectively bypassing security measures that are supposed to be thorough. By manipulating call center representatives with false stories or urgent requests, scammers exploit human weaknesses to gain control over the victim's phone number.

Once the SIM swap succeeds, the fraudster receives the victim's phone calls and text messages. More importantly, the criminal can now receive the SMS codes sent by two-factor authentication (2FA) systems linked to the victim's online accounts and use them to take those accounts over. In early 2022, the FBI issued a warning detailing $68 million in damages linked to SIM-swapping.
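The correlation a bank or other relying party can run to catch this last step, as an added example that is not part of the original article: given the carrier's SIM activation timestamps and the relying party's own authentication log, flag any sensitive action that was verified only by an SMS code within a quarantine window after the number's SIM was changed. The log records, phone numbers, account names, the 48-hour window and the action names are all constructed for this example; codes delivered by an authenticator app or push notification are not affected by a SIM swap, so they are not flagged.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Window after a SIM change during which SMS-delivered codes should not be
# trusted on their own (policy value chosen for this example, not a standard).
SIM_CHANGE_QUARANTINE = timedelta(hours=48)


@dataclass(frozen=True)
class SimChange:
    msisdn: str           # phone number in E.164 form
    changed_at: datetime  # when the carrier activated a new SIM for the number


@dataclass(frozen=True)
class AuthEvent:
    account: str
    msisdn: str
    action: str           # e.g. "login", "password_reset", "payee_add"
    factor: str           # "sms_otp", "totp" or "push"
    occurred_at: datetime


# Constructed sample data: one carrier-side SIM activation and a handful of
# relying-party authentication events around it.
SIM_CHANGES = [
    SimChange("+15550100001", datetime(2023, 3, 10, 14, 5)),
]

AUTH_EVENTS = [
    AuthEvent("acct-1", "+15550100001", "login", "sms_otp", datetime(2023, 3, 9, 9, 0)),
    AuthEvent("acct-1", "+15550100001", "password_reset", "sms_otp", datetime(2023, 3, 10, 14, 40)),
    AuthEvent("acct-1", "+15550100001", "payee_add", "sms_otp", datetime(2023, 3, 10, 15, 2)),
    AuthEvent("acct-2", "+15550100002", "login", "sms_otp", datetime(2023, 3, 10, 15, 3)),
    AuthEvent("acct-1", "+15550100001", "login", "totp", datetime(2023, 3, 11, 8, 0)),
]


def last_sim_change_before(msisdn, at, changes):
    """Most recent SIM activation for this number at or before `at`, or None."""
    prior = [c.changed_at for c in changes if c.msisdn == msisdn and c.changed_at <= at]
    return max(prior) if prior else None


def flag_sms_otp_after_sim_change(events, changes, window=SIM_CHANGE_QUARANTINE):
    """Return (event, sim_change_time) pairs for SMS-OTP-verified actions that
    happened within `window` after the number's SIM was changed."""
    flagged = []
    for ev in sorted(events, key=lambda e: e.occurred_at):
        if ev.factor != "sms_otp":
            continue  # app/push codes are not delivered to the SIM, so a swap does not expose them
        changed = last_sim_change_before(ev.msisdn, ev.occurred_at, changes)
        if changed is not None and ev.occurred_at - changed <= window:
            flagged.append((ev, changed))
    return flagged


def summarize(flagged):
    """Compact (account, action, ISO timestamp) tuples for alerting or testing."""
    return [(ev.account, ev.action, ev.occurred_at.isoformat()) for ev, _ in flagged]


if __name__ == "__main__":
    for account, action, when in summarize(flag_sms_otp_after_sim_change(AUTH_EVENTS, SIM_CHANGES)):
        print(f"ALERT {account}: {action} verified by SMS OTP at {when}, shortly after a SIM change")
```

In practice the SIM-change timestamp comes from the carrier (some carriers offer such a lookup to banks), and a flagged action is stepped up to a non-SMS factor or a call-back on a known number rather than being allowed through silently; the login on the day before the swap and the TOTP-verified login afterwards are correctly left alone.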


OSINT: A danger and a savior

Investigating SIM-swapping cases can be challenging because of the digital nature of the crime and the coordination required between various entities, including law enforcement agencies, mobile service providers, and cybersecurity specialists. The investigation begins with gathering evidence, which may include analyzing phone records, obtaining SIM card information, and tracing the financial transactions associated with the scam.

It has recently become the norm for large institutions to record phone calls between customers and their customer service departments. This was initially intended for auditing purposes, but it is now also done for security reasons and serves as evidence for victims of such scams.

Law enforcement agencies and private investigators play a vital role in conducting thorough investigations, which often require digital forensics expertise and, in cases involving cross-border criminal activity, collaboration with international counterparts. OSINT is invaluable during these investigations, as it allows investigators to gather publicly available information about the scammer, such as social media profiles or accounts and comments on online forums where they may discuss their activities.

OSINT also enables investigators to monitor these public platforms for discussions related to SIM-swapping techniques, potential targets, or even the sale of personal information. By identifying these discussions, investigators can proactively intervene, gather intelligence, and potentially prevent future attacks on unaware victims.


Preventing and protecting against SIM-swapping scams

Preventing SIM-swapping scams requires a combination of individual vigilance and industry-wide efforts. As individuals, we can take several proactive measures to protect ourselves.

First and foremost, it is crucial to safeguard personal information by practicing good cybersecurity hygiene. This includes using strong, unique passwords for all online accounts, enabling multi-factor authentication whenever possible, and being cautious of suspicious emails, calls, or text messages requesting personal information. If you are unsure whether a call or message is genuine, hang up right away and contact the institution directly through its official phone number to confirm whether the call or SMS was real and authorized.

Mobile service providers also have a responsibility to implement robust security measures to mitigate the risk of SIM swapping. This means verifying customers' identities more rigorously before approving any SIM card transfer and adding security layers that protect customer accounts from unauthorized access.
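What "more rigorous verification" can mean in concrete terms, as an added example that is not the article's or any carrier's code: a weak authorization check that approves a SIM transfer when the caller knows the subscriber's name and address (exactly the data the article says scammers gather through OSINT, phishing or breaches) is shown beside a stronger one that requires a secret the subscriber set (an account PIN) plus proof of possession (confirmation from the SIM currently on the line, or in-person ID verification), and otherwise places the request on hold. The subscriber record, PIN, SIM identifiers and request objects are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed for the example; a real system stores a random per-account salt.
PIN_SALT = b"example-per-account-salt"


def hash_pin(pin: str) -> bytes:
    """Derive a verifier from the account PIN so the PIN itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), PIN_SALT, 50_000)


@dataclass(frozen=True)
class Subscriber:
    msisdn: str      # phone number on the account
    name: str
    address: str
    pin_hash: bytes  # verifier for the PIN the customer chose at sign-up
    active_sim: str  # identifier of the SIM currently serving the number


@dataclass(frozen=True)
class SwapRequest:
    msisdn: str
    claimed_name: str
    claimed_address: str
    new_sim: str
    account_pin: Optional[str] = None
    old_sim_confirmed: bool = False     # customer approved from the SIM still on the line
    in_store_id_verified: bool = False  # staff checked government ID in person


# Constructed subscriber and three constructed transfer requests.
SUBSCRIBER = Subscriber("+15550100001", "Ana Example", "1 Example Street",
                        hash_pin("482913"), "SIM-OLD-0001")

# Impostor: knows name and address (the kind of data obtainable through OSINT,
# phishing or a breach) but not the PIN, and does not hold the current SIM.
ATTACKER_REQUEST = SwapRequest("+15550100001", "Ana Example", "1 Example Street",
                               "SIM-OTHER-0002")

# Genuine upgrade: the customer supplies the PIN and confirms from the old SIM.
GENUINE_REQUEST = SwapRequest("+15550100001", "Ana Example", "1 Example Street",
                              "SIM-NEW-0003", account_pin="482913", old_sim_confirmed=True)

# Genuine lost-phone case: PIN known, but the old SIM is gone and no store visit yet.
LOST_PHONE_REQUEST = SwapRequest("+15550100001", "Ana Example", "1 Example Street",
                                 "SIM-NEW-0004", account_pin="482913")


def weak_authorize(sub: Subscriber, req: SwapRequest) -> bool:
    """Knowledge-based check only: anyone who knows the name and address passes."""
    return (req.msisdn == sub.msisdn
            and req.claimed_name == sub.name
            and req.claimed_address == sub.address)


def strong_authorize(sub: Subscriber, req: SwapRequest) -> str:
    """Secret plus possession check. Returns 'approved', 'hold' or 'denied'."""
    if req.msisdn != sub.msisdn:
        return "denied"
    # A secret the subscriber set, compared in constant time; name and address
    # alone never suffice because they are not secret.
    if req.account_pin is None or not hmac.compare_digest(hash_pin(req.account_pin), sub.pin_hash):
        return "denied"
    # Proof of possession: approval from the SIM still on the line, or ID checked in person.
    if req.old_sim_confirmed or req.in_store_id_verified:
        return "approved"
    # Correct PIN but no possession proof: hold the transfer and notify the current SIM,
    # so a genuine customer can complete it and a victim has time to object.
    return "hold"


if __name__ == "__main__":
    cases = [("impostor", ATTACKER_REQUEST), ("genuine", GENUINE_REQUEST), ("lost phone", LOST_PHONE_REQUEST)]
    for label, req in cases:
        print(f"{label:10s} weak={weak_authorize(SUBSCRIBER, req)!s:5s} strong={strong_authorize(SUBSCRIBER, req)}")
```

The weak check approves the impostor's request outright, which is the failure the article describes at the carrier's call center; the strong check denies it, approves the customer who can prove possession, and parks the lost-phone case rather than rejecting it, so the extra layer costs a genuine customer a delay instead of blocking them.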

