Have you heard of “sim-swap”?

When the Twitter account of its own chief executive, Jack Dorsey, was taken over by hackers last year, a stream of tweets with racial slurs, profanity and praise for Adolf Hitler were posted for 30 minutes. Weeks later, the food writer and campaigner Jack Monroe lost £5,000 from bank and payment accounts accessed from a hijacked phone. Both were victims of “sim-swap” fraud, a scam that has mushroomed in the last few years and has led to victims losing thousands, often before they even know anything is amiss.

Fraudsters take control of a mobile phone account through a mixture of confidence tricks and online stalking, and then use those details to get access to the owner’s bank accounts. Figures from Action Fraud, the national fraud reporting centre, show the number of people falling victim to this type of scam has increased substantially since 2015 and that it has resulted in losses of more than £10m to UK consumers. So how can you ensure that your phone, and therefore your bank details, are safe?

The scam

Variously called sim splitting, simjacking, sim hijacking and port-out scamming, the fraud focuses on moving control of someone’s phone account from their sim card to one controlled by the criminal. Although mobile phones and security measures have changed over the five years since the scam has come to prominence, the way the fraud works has remained consistent.

“The tactic hasn’t changed significantly over the years,” says David Emm of cybersecurity firm Kaspersky. “The criminals obtain a victim’s personal information – bank details, address, etc – by trawling through social networks or by mining data stolen during the breach of an online company’s systems. They then contact the victim’s mobile phone provider, pretend to be the victim, request a sim swap and change personal settings.”

Emm says that in some cases fraudsters work with an insider to assign the victim’s number to another sim. “One, more recent, tactic is to request a porting authorisation code [PAC] to port the victim’s number to a different network,” he says. “Once they ‘own’ the victim’s number, they are able to intercept bank authorisations sent via SMS – or other … codes that the mobile number is used for.”

Often the fraudster will use information that has been put up on social networks, such as a mother’s maiden name, a birthday or the name of a pet, to help build up an information base on the victim. Last week we featured an Observer reader whose number was stolen by a criminal who used the reader’s identity to request a PAC to transfer it to the criminal’s phone. Payments of more than £1,000 were then made from the victim’s bank account to an online money transfer service.

Since the scam emerged, the number of cases has risen rapidly. Action Fraud found 483 reports to June this year, almost twice the number for the same period last year. In 2015, there were just 144 cases. Last year the FBI warned of the risks of sim-swapping, saying it was a common tactic to get around security measures such as two-factor authentication, where users have to give two pieces of information, such as a password and a code sent to their phone. This warning prompted the UK’s National Fraud Intelligence Bureau to also raise concerns. The FBI wants more complex forms of authentication to be introduced.

By Shane Hickey, The Guardian, 13 September 2020