South African mobile users must remain wary of fraudulent SIM swaps, which could expose their personal and banking information to criminals.
According to SABRIC’s Annual Crime Stats for 2019, fraudulent SIM swaps were involved in around 13,300 reported digital banking fraud incidents across online and mobile banking, and banking apps.
This is an increase of over 2,000 – or 16% – compared with 2018.
Perpetrators of fraudulent SIM swaps exploit the legitimate mechanism of Mobile Number Portability (MNP) – the ability to move to another mobile network while retaining your mobile number (or MSISDN).
By using phished details, criminals are able to take control of a victim’s mobile number so that they receive SMSs sent by the bank to the client.
South African Banking Risk Information Centre (SABRIC) CEO Nischal Mewalall explained how this provided extensive access to a user’s banking profile.
“By using Transaction Verification Codes (TVC), Random Verification Number (RVN), PINs or One Time Passwords (OTPs), together with compromised login credentials, criminals can change, add beneficiaries and transfer money out of the victim’s account,” Mewalall noted.
The amount of information which can be exposed stretches beyond banking details, however.
For example, if a SIM swap victim uses their phone number as an authentication method or backup communication channel for recovering login credentials on online platforms or email services, the perpetrators could use the number to change passwords and gain access to such accounts.
What mobile operators say
Even if a SIM swap fraudster has all the necessary information to initiate the process, mobile operators have systems in place which require the port to be cleared from the currently active SIM.
After the necessary details are provided, an operator typically sends an OTP, opt-in or opt-out SMS to the active SIM, which requires action from the receiver’s side.
One way in which fraudsters overcome this mechanism is to impersonate call centre agents and call their targeted phone numbers.
They then request the information needed to complete the SIM swap under the pretence that they are blocking the processing of a fraudulent SIM swap.
Despite SABRIC seeing an increase in the prevalence of fraudulent SIM swaps in the last year, Vodacom, MTN and Telkom told MyBroadband that incidents of scams such as the above were on the decline.
“While we occasionally deal with fraudulent SIM swaps, Vodacom has seen a reduction as a result of various measures implemented to curb such incidents. Currently, SIM swap cases amount to less than 15% of fraud cases per month,” Vodacom said.
MTN said these scams normally occur during the festive season. It uses fingerprint readers in its stores to verify customers during SIM swaps.
Telkom said it no longer offers SIM swaps via phone calls, and its in-store SIM swaps also use biometrics to authenticate legitimate customers.
Cell C, however, stated that the issue occurs on a “regular basis” in the industry.
Avoid becoming a victim
To avoid falling victim to a fraudulent SIM swap or banking fraud, Mewalall said that consumers must first be vigilant in protecting their personal information.
He recommended that identity documents, driver’s licenses, passports, addresses and contact details be shared selectively and on a “need to know” basis only.
Furthermore, customers must be aware that their bank will never send an email or SMS asking for confidential information such as usernames, passwords or PIN numbers.
Clicking on links or downloading attachments from these emails could deploy harmful viruses, spyware and trojans on your PC or mobile device, Mewalall warned.
“SABRIC cannot emphasise strongly enough to bank clients to not click on links in unsolicited emails,” Mewalall stated.
In addition, you must regularly verify whether the details received from cell phone notifications are correct and correspond to recent activity on your account.
“Should any detail appear suspicious, contact your bank immediately and report all log-on notifications that are unknown to you,” he said.
Naturally, if you should change your phone number yourself, inform your bank so that your cell phone notification contact number is updated on their system.
What to do
The clearest indicator that a fraudulent SIM swap was performed on your number is an unexplained loss of network reception, the operators told MyBroadband.
“If you can’t make or receive calls, you should not assume there is a problem with the network or handset,” a Vodacom spokesperson warned.
If a fraudulent SIM swap is confirmed, it is important that you notify your bank and contact your mobile operator immediately to port the number back to your SIM.
It is also advisable to remove or change the backup authentication number on any online accounts you may have.
Mewalall advised customers who suspect they have responded to a phishing mail, SMS or voice call to act pre-emptively: change their Internet banking credentials immediately and notify their bank.