Information and awareness on “SIM Swapping” fraud typology
Using a mobile phone number as one of the main and basic elements for strong and reliable identification of its owner/subscriber is an international practice, followed by organizations, companies and the public sector for the services they offer.
Banks are no exception to this practice: they use their customers' mobile phone numbers to send one-time passwords (OTPs), which enhance the security of electronic transactions (money transfers, card purchases, etc.), and security alerts for executed transactions, and to support remote sign-up for new services.
What is SIM Swapping fraud?
In principle, changing or replacing a SIM card is a completely legitimate service offered by mobile operators to their subscribers, so that the latter can retain their phone number if their device is lost or stolen or if they need a SIM card of a different size. Once the new SIM card is activated, the old one is automatically disabled, and mobile telephony services (calls, SMS, internet access) are provided through the new card, which operates with the same number.
In cases of SIM Swapping fraud, perpetrators take advantage of the possibility of changing a SIM card and pretend to be either the SIM card holder or someone authorized by the legitimate subscriber, in an attempt to deceive mobile operators and obtain a new card that replaces the card of the legitimate holder.
Once the new card is activated, the old one, in the possession of the legitimate subscriber, is disabled. All services (calls, SMS, internet access) are transferred to the device held by the perpetrators, enabling them to carry out illegal activities without the legitimate subscriber's knowledge (e.g. receiving calls and messages intended for the subscriber, intercepting one-time passwords or security verification messages, etc.).
But how can perpetrators, by replacing/exchanging the SIM card, access my e-Banking?
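Unauthorized replacement/exchange of a SIM card is usually the second part of the above-mentioned fraud. In the first part, perpetrators have managed to intercept e-Banking codes, usually through a “phishing” email or through a trojan or other malware they have installed on the victim's device. With those codes already in their hands, control of the phone number also gives them the one-time passwords and security verification messages sent to it.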
Useful tips / What can I do?
- If your mobile phone stops working for unusual reasons, contact your mobile operator immediately. Sometimes you may lose signal due to wider problems affecting your mobile service. However, if you lose signal in a location that usually has good coverage, it is safer to contact your network provider and confirm that your SIM card has not been deactivated
- Do not reveal your mobile phone number on social media
- Subscribe to the services of organizations that provide SMS and email notifications when your transactions are executed
- Never reply to unknown messages or calls asking for your account details and your registered mobile phone number
- Do not follow webpage links or open attachments that you have received from unknown e-mail senders. Carefully check the sender's details, since perpetrators often pretend to be legitimate businesses and organizations
- Do not share your e-Banking credentials (username and password) or card numbers with anyone, and do not enter them on unknown websites. Always confirm that you are visiting your bank's official website and remember that banks will never, for any reason or in any way, ask for your credentials
- Make sure that your PC and devices (tablets, smartphones) are always protected with the latest operating system and application updates. Install a trusted malware protection program and always keep it up to date
- Check your account statements frequently
- If you have been a victim of SIM Swapping fraud or have discovered transactions that you did not approve, please inform your bank immediately
Measures taken by banks
Banks are not able to know whether a subscriber has been a victim of SIM swapping, phishing or if his/her computer has been infected with malware and his/her credentials have been intercepted.
Banks always aim to safeguard electronic transactions, in line with current technical and technological developments, global best practices in information security and applicable laws and regulations. Additionally, strong emphasis is placed on user experience as well as on the prompt provision of services to their customers.
Online fraud is a wider problem, and deterring or preventing it requires the cooperation of many stakeholders. Especially nowadays, when the use of electronic services has increased significantly worldwide due to Covid-19, perpetrators are trying to take advantage of these particular circumstances by increasing their attempts to intercept data. The Hellenic Bank Association (HBA) has set up a special committee for the Prevention and Treatment of Fraud in Payment Systems, with the purpose of monitoring, processing and guiding in this area. The committee coordinates the cooperation between the Hellenic Police's Cyber Crime Division and the Bank of Greece, and regularly cooperates with competent bodies in Greece and abroad.
For further advice on cyber security and protection measures for bank transactions, you may visit the banks' official websites, Europol's website and the Hellenic Bank Association's website.