SIM Card Swapping Fraud

Srushti Iyer | Cyber Security, Law

Being a student who is currently pursuing an integrated degree in computer science and cyber law, I was very curious when I read an article in a Marathi newspaper in the last week of May. This article was printed on the first page itself, and it was in the form of an advisory issued by Pune Cyber Police who had recently registered 5 SIM card swapping/hijacking cases during the same period. The funny thing was that despite pursuing my degree in this domain, I had no idea about what SIM card swapping fraud was until I read this newspaper article and decided to dig in a little deeper.

What is a SIM card swapping/hijacking fraud?

Before reading further, I recommend going through this article first. In a vishing scam, the perpetrators call a victim and lure them into sharing confidential information such as bank account details, debit/credit card details, OTPs, etc. We can consider SIM card swapping frauds an advanced version of vishing scams.

In this type of cyber crime, the fraudsters may call under the pretext that they are calling from a telecom service company and inform you that there is an issue with your SIM card. Other common pretexts include activating your SIM card or converting it from 3G to 4G or 4G to 5G. We have also seen cases where the fraudsters send a fake ID card purporting to be issued by a well-known telecom service provider to gain your trust. In addition to this, they make lucrative offers, such as 20 GB of free data per month if you update your SIM card. If a victim believes that the fraudsters are genuine, the fraudsters have successfully broken through the first and most difficult barrier: human trust.

Next, they ask the victim to share the number printed on the back of their SIM card. This number is the ICC-ID (Integrated Circuit Card – ID), and telecom service providers use it to activate, block, or perform internal operations associated with a SIM card. It is a unique 22-digit identification number for SIM cards, just as we have Aadhaar numbers. After sharing the ICC-ID, the victim receives a one-time password (OTP) to confirm whether they want to proceed further. As soon as the victim shares this OTP, the attacker can clone the victim’s SIM card into his phone. From then on, the SIM card in the victim’s mobile will not work anymore. The fraudster will be able to access all the calls and messages, as he has the activated SIM card while the victim’s SIM card has been deactivated.

Why is this dangerous?

At this point, you may think that it is not that big of a risk for someone to receive all your calls and messages. For some readers, it may be true; however, most of us have registered our mobile numbers with banks and wallet service providers. So, a fraudster can quickly reset your internet banking password or create a new UPI account or a wallet account. If the fraudster is really smart, he may try to reset your email password so that you do not get email alerts from the bank. Even if you have enabled two-factor authentication (2FA), it is rendered useless as you will not be getting any codes on your deactivated SIM card.

We have received a total of 27 cases of SIM card swapping in the last three months. In the last month, the Pune Cyber Police Station received a complaint on June 05, 2020, in which the victim was duped of ₹18 lakhs because of a SIM card swapping fraud. In this case, the victim received a message from the fraudster along with a follow-up call to update his SIM card. The fraudster asked the victim to forward the text message containing the OTP to another number. By doing so, the fraudster cloned the victim’s SIM card into his phone, and it was subsequently activated. The fraudster not only accessed the victim’s bank account, but a personal loan amounting to ₹16.45 lakhs was also sanctioned in the victim’s name a couple of days later.

Suggestions

  • Report the incident at the nearest cyber cell or cyber police station in your district/city.
  • If you are not able to report the incident in person, go to the National Cyber Crime Reporting Portal website (https://cybercrime.gov.in) and submit your complaint. A step-by-step procedure for filing a complaint on this portal is available here.
  • Get in touch with your bank’s home branch and request them to debit-freeze your account.
  • Visit the local service centre or store for your telecom service provider along with your police complaint to get a new SIM card issued for your mobile number.

Conclusion

Generally, we believe that enabling two-factor authentication, regularly changing our PINs, and not sharing our OTPs are sufficient security practices, and that we do not need to worry about financial frauds. However, we miss the point that the fraudsters are getting smarter, and they keep on devising new methods and tactics to lure victims into their trap. Please do remember:

If it is too good to be true, it is most probably a fraud!

