As mobile phones and smart devices have become indispensable over the last decade, many people now rely on the ease of online banking and other financial transactions. Against this background, we came across viral social media posts about a new type of fraud, SIM SWAP Fraud, which purportedly would steal your bank account data from the mobile phone and steal the money from the bank account within a few minutes.

Social Media Posts

A viral message shared among social media users in Sri Lanka and other parts of the world described the threat posed by a new type of scam called "SWIM-SWAP FRAUD."

These posts claimed that, in the first step, your mobile connection signal gets compromised for a while. Then the fraudster would call you, claiming to be from your mobile phone operating company, and instruct you to press "1". If you proceed, the network would appear suddenly and go blank again, which would mean that your phone is hacked. Moments later, the bank account would get emptied.

The full message is seen below.

Facebook | Archived

Fact Check

First, we checked for any recent reports of SIM-SWAP scams happening in Sri Lanka these days, yet we did not come across any specific reports. However, there were multiple reports on SIM-SWAP scams and precautionary measures to avoid such scams as well.

Even though the threat of this type of scam is very real, especially in countries like the US, we noticed that the steps mentioned in the viral posts mislead users and create unnecessary panic. Before looking at the SIM-SWAP scam and how the fraudsters operate, one must first understand the functionality of a SIM card.

What is a SIM Card?

A SIM card, or Subscriber Identity Module, is a small removable smart card for mobile devices. It stores network-specific information used to authenticate and identify subscribers to a specific network, which lets the user make calls, send text messages, and perform many other tasks. SIM cards have integrated secure storage and cryptographic functions. They have shrunk in size over the years from standard to mini, micro, and nano SIMs, and have lately evolved into e-SIMs, meaning the SIM is embedded into your device.

How the SIM SWAP scam works

First, fraudsters call your mobile phone provider, pretending to be you, and claim that your SIM card is lost or damaged. They then ask the customer service representative to activate a new SIM card in their possession. Once the customer service representative verifies the information provided, your number becomes active on the criminal's device, which means that all phone calls and text messages intended for you will go to the device held by the scammer.

Fraudsters performing these organized scams often monitor the victim for months and collect personal details like usernames and passwords. With control of the SIM card, bypassing 2 Factor Authentication (2FA) and gaining access to your social media accounts and many other platforms also becomes possible if proper security measures are not taken.

How SIM Swapping is carried out is actually different from what is detailed in social media posts!

Social media posts imply that SIM swapping is a relatively new threat, yet it has been happening for years, especially in the US, causing losses in the millions.

This scam does not always require any such action on your part. Most victims from countries such as the United States know they have been scammed using a SIM-SWAP only when they cannot make phone calls or send text messages through the SIM card in their phone, as seen here.

Furthermore, this scam does not involve hacking your phone or getting all of its information but instead is carried out by taking control of the mobile number to which the SIM card belongs.

The SIM SWAP scam does not empty your bank account overnight. What can happen is that when the fraudster takes over control of the SIM card, he will receive the OTP sent from the bank. Yet to receive the OTP, the fraudsters first have to log in to your personal banking systems using usernames, passwords, etc., which the scammers obtain through phishing attacks carried out months before the SIM SWAP scam. So all these steps must be performed to steal money from your bank account. Hence SIM SWAP fraud alone cannot hack your phone and get bank account details. In fact, being wary of such phishing attacks and following secure login methods, especially to banking systems, can save you even during a SIM SWAP scam. More details are here. Archived

Also, since it is quite challenging to fraudulently log in to banking systems and steal money from a victim's bank account, in some cases, tricksters use different variations of the SIM-SWAP scam. One such method is taking control of your social handles and requesting financial assistance from your friends and loved ones.

Does this scam also happen in Sri Lanka?

Asela Vaidyalankara, an expert in Cyber Security, explains that SIM SWAP fraud is difficult to perform in Sri Lanka due to the security measures implemented by the mobile operators based on the recommendations of the Telecommunications Regulatory Commission (TRCSL).

He explains that in Sri Lanka, in the case of a lost or damaged SIM card, one has to meet a representative from the mobile phone operator and present a document that can confirm the identity of the person, such as the National Identity Card. Hence it becomes quite difficult to perform this fraud in Sri Lanka.

Why does e-SIM make Sim-Swap fraud so tricky?

An e-SIM is a chip embedded into a smartphone and does not need to be physically inserted into your mobile phone as a separate SIM card. To activate any mobile phone network via eSIM, you must register with Personally Identifiable Information (PII), which confirms your identity. Since there is no physical SIM card when using eSIM, there is no opportunity to fraudulently use the SIM-SWAP method by claiming that the SIM card is lost or damaged.

Some good practices to follow to protect yourself from SIM-SWAP scams!

  • Minimize sharing of personal information with online services and do not provide information that could be guessed easily.
  • Don't fall for Phishing Scams. More information on such scams is given here.
  • Reduce the use of SMS as a 2 Factor Authentication mechanism.
  • Act immediately if there is any suspicious activity on your social media accounts or banking activities.

The South African Police have provided some of the safety practices that can be followed to avoid such SIM-SWAP scams, as seen below.

More details on how a SIM-SWAP works and how to avoid falling prey to such a fraud can be found in this video as well.


Conclusion

During our investigation, it was confirmed that while the SIM-SWAP scam is a very real threat, and has caused losses of millions of dollars over the years, the way it is presented in the viral messages misrepresents the way it is actually performed. Furthermore, SIM SWAP is not a common fraud in Sri Lanka. The reason for that is the strict rules imposed by the Telecommunication Regulatory Commission in SIM card registration.

Title: SIM-SWAP Fraud is Real! But the viral message exaggerates the threat with Misleading details...

Fact Check By: Fact Crescendo Team

Result: Misleading