Earlier this month, a North Delhi-based advocate became the latest victim of the ‘SIM swap scam’ in the national capital after she received three missed calls from unknown numbers and lost money from her bank account. The incident took place after in February, a private school teacher lost Rs 1.5 lakh through eight transactions in less than three hours after scamsters got hold of his two bank accounts. The teacher alleged he had not received any calls, texts or shared bank OTPs with anyone. He too received missed calls and later lost most of his savings. Similarly, last year, a South Delhi-based businessman lost more than Rs 50 lakhs to unknown scamsters. He received at least seven missed calls before the amount was deducted from his bank account. The above cases suggest that most victims lose their money only after receiving multiple missed calls from the fraudsters, according to the Delhi Police. But why do victims receive missed calls? How does it lead to SIM swapping? And how should one protect themselves from this fraud? We take a look. What is the SIM swap scam? With the advancement in banking services, easy payment applications and seamless transactions on smartphones, cybercriminals are misusing the link between physical SIM cards and banking applications. All banking applications are linked to phone numbers which help in generating OTPs (to authenticate transactions) or receiving important bank-related messages. In the SIM swap scam, fraudsters first take personal details such as phone numbers, bank account details, and addresses with the help of phishing or vishing. Phishing is a technique in which scamsters send malware links to victims through mail or messages. Once the link is opened, the malware steals all of the victim’s personal information. After receiving the personal information, fraudsters visit the mobile operator’s retail outlet, posing as the victim with a forged ID proof and report a fake theft of the victim’s SIM card and/or mobile phone, according to an advisory by the HDFC bank. By doing this, they attain a duplicate SIM. Notably, scamsters can get a duplicate SIM even when the original is working as they reported a theft of the original SIM card. All the activation messages and details go to the scamster and not the victim. A police official told The Indian Express: “They (fraudsters) usually have an associate working with the telecom company. So, they easily duplicate the SIM with the personal details they have procured after the malware or phishing attack. Once they have the duplicate SIM, they can easily receive any banking authorization messages or OTPs”. Why do victims receive multiple missed calls? Unlike other scams, where scamsters trick people into giving OTPs and private information on a phone call, SIM swap scam doesn’t require direct communication with the victims. However, fraudsters do give missed calls to their victims so that the latter leave their phones and ignore the lost network connectivity. Intelligence Fusion and Strategic Operations officers explained that the accused swapped SIMs with the help of officials working at telecom companies. “Since SIM activation takes time, the accused give calls to the (victim’s) mobile number to check where the call goes. Hence, the missed calls are received. They also give multiple missed calls (and don’t take calls back from the victim) so that the victim would get irritated by seeing them and leave their phone. When the SIM is swapped, the accused gains control of the entire SIM. All calls and messages go through their SIM only. They then initiate transactions and aren’t caught immediately because the victims usually ignore their phones after the missed calls” According to the police, the South Delhi-based businessman, who lost Rs 50 lakhs, was defrauded by the accused in less than two days. “He wasn’t checking his phone and didn’t notice when his SIM was swapped. Most people also don’t check banking alerts on mail. So, he didn’t report it immediately when they took money from his account” added the officer. How do fraudsters withdraw money from victims’ bank accounts? After receiving the victim’s personal details such as banking account numbers and passwords through phishing attacks, scamsters use the information to log into bank portals and generate OTPs to withdraw money. As they have the victim’s SIM card access, all OTPs go to scamsters which they use to authenticate the transactions and steal the money. How do fraudsters find victims? Police said the accused either buy data from hackers involved in data breaches or buy data from online portals. In most of the data breaches, private companies, who have lakhs of customers, lose all the data to hackers. In April, Rentomojo, an electronics and furniture rental company, reported a data breach. In a statement, the company said, “It appears that the attackers were able to get unauthorised access to our customer data, including in some cases personally identifiable information by exploiting the cloud misconfiguration through extremely sophisticated attacks, thus breaching one of our databases.” Has there been any arrest in the cases? So far no one has been arrested pertaining to the scam, according to the Delhi Police. The accused have managed to evade arrest as they discard the duplicate SIMs immediately and don’t operate from a single location, which can be traced. The stolen money is also routed through different channels — money is converted to cryptocurrency. Police can’t track Bitcoin or other cryptocurrency transactions since they are encrypted. How can one protect themselves from fraud? One can avoid getting scammed by following certain steps: They should be vigilant of vishing or phishing attacks. They must not neglect messages or switch off their phones after receiving multiple missed calls. They should enquire with the mobile operator immediately if such an activity takes place on the phone. One should change bank account passwords regularly. They should register for regular SMS as well as e-mail alerts for their banking transactions. In case of fraud, one must immediately get in touch with bank authorities to have their account blocked and avoid further fraud.
What is the ‘SIM swap scam’ — and how can one protect themselves from it?
