A scam known as Sim swap fraud, where a criminal tricks your mobile network into transferring your phone number to a SIM card in their possession, has skyrocketed by 400% since 2015.
Gaining control of your mobile phone number means a scammer will receive all calls and text messages intended for you, including one-time security access codes needed to access personal accounts.
Our research suggests that mobile network providers have increased security to make the scam more difficult to pull off, but criminals still find a way in.
We’ve spoken to dozens of victims who had thousands of pounds taken from their accounts in the past year, and many feel the networks should do more to help.
Here, we reveal the tactics Sim-swap scammers used and explain how to protect yourself.
How your number can be hijacked
Scammers start by collecting data about you through social engineering (sending fake emails, texts, and phone calls to trick you into divulging personal information) or by paying for stolen data on underground online forums.
Social media accounts can also be fruitful for learning answers to common security questions, such as birthdays, pet names, and favorite sports teams.
Armed with enough information to impersonate you, the scammer will contact your network provider’s customer service department, by phone, via web chat, or even in-store, and ask for your number to be moved to a Sim card in the scammer’s possession.
The scammer’s goal is to take control of your number by convincing your network to:
- move your number to a new Sim card on the same network, perhaps claiming that “your” phone has been lost, or
- release the Port Authorisation Code (PAC), which lets your number be moved to another network.
While Sim swap fraud is not new, reports from Action Fraud suggest that attacks are on the rise.
Are Mobile Networks Doing Enough to Stop Sim Swap Fraud?
If you go to a phone shop and ask for a replacement SIM card, the staff must ask for your passport or driver’s license, although a 2018 BBC Watchdog investigation found that employees don’t always follow official procedures.
A more obvious route for scammers is to call your network’s customer service helpline, where they may not be asked for photo ID.
When we asked volunteers to make two phone calls from a landline to their networks (BT, EE, O2, Sky, Tesco, Three and Vodafone) and apply for the PAC, we found that security was generally strong.
The call handlers would usually ask us to quote a code that was texted to us, or said they would text the PAC to the original Sim card. Both of these measures would confound the average malicious caller. Even when we pretended our phone was broken or couldn’t receive texts, the call handlers suggested we put the SIM card in a borrowed phone or visit a store with a photo ID.
However, one call was problematic: we were given the PAC over the phone even though the account password we gave was deliberately incorrect (the call handler even hinted that the password was the name of our first pet).
We were able to get through security by providing only the phone model and the last four digits of the account number. Although this was an isolated case, it shows that persistence can pay off for a scammer.
‘This cost me many sleepless nights’
Last December, Sharron Fowler of South Bucks received a text message from EE stating that her Sim activation request had been processed and her new Sim would be active within 24 hours.
She immediately called her provider and found that someone had gotten past security and requested her PAC.
EE said it was too late to stop the Sim swap. The next morning, she was unable to access her email accounts, and scammers targeted her premium bond account with National Savings and Investments (NS&I), attempting to steal nearly £9,000.
Sharron had to change all of her passwords and was advised to place a note on her credit file with each of the three credit reference agencies that a password is required for all future credit applications in her name.
“I consider myself very, very lucky, but I felt quite violated. This cost me many sleepless nights before Christmas.”
An EE spokesperson said: ‘In this case, the offender successfully accessed Ms Fowler’s account by answering security questions correctly. We detected more suspicious attempts to access Ms. Fowler’s account and added an extra layer of security by requesting a utility bill as additional proof of identification.
‘We advised Ms Fowler to contact her bank immediately and this helped prevent unauthorised access to her bank account. We recognise that in trying to protect Ms Fowler’s account, it was difficult for her to access it when she visited our store and we apologise for any concern caused.’
‘Scammer spent £13,000 in 48 hours’
Garth Pollard, from London, received a surprise text from Three providing a PAC last April.
Within 15 minutes he contacted the network to explain that he had not requested this code, and they assured him it would not be activated.
“24 hours later, my phone was cut off. I called Three and they assured me that they would return the number. I didn’t think there was fraud, but a clerical error,” says Garth.
“But then I got an email from my credit card provider letting me know I was at 90% of my credit card limit.”
Having persuaded Three’s call centre to provide the PAC over the phone, the scammer spent a total of around £13,000 over a 48-hour period, although all of these transactions were eventually reversed.
“I made a data access request to Three. They were very slow in dealing with it and then refused to provide any data relating to the scammer, on the grounds that it could only be disclosed if a police request was made.
“While I did not suffer any loss, it seems to me that the current system is open to misuse by criminals. I don’t know what data the scammer had about me and I couldn’t take any action to protect other accounts.”
A spokesperson for Three UK said: “Usually when criminals try to get someone else’s phone number, they have substantial amounts of personal and financial information to impersonate them.”
“That’s why we recently introduced a series of enhanced controls for anyone trying to get someone else’s phone number and we’re working closely with the rest of the telecommunications industry to monitor, identify threats and take action.”
Getting your network to act
With so much at stake, networks must respond quickly when they discover that a customer has fallen victim to a Sim-swapping attack.
None of the networks offers a 24/7 customer service helpline, although EE, Plusnet, Tesco Mobile and Vodafone told us that an out-of-hours support team can still place restrictions on your account to block unauthorised access.
If you’re with Virgin Media, there is an online form for reporting lost or stolen devices, which will temporarily lock your Sim. Three offers 24/7 web chat.
O2 said any customer who suspects they are the victim of fraud should contact their bank and O2 as soon as possible, from another phone.
Sky Mobile told us that they could not answer our questions.
A simple but effective solution?
Since smartphones provide a gateway to our financial data, the banking and telecommunications industries should consider how to take a more collaborative approach to tackling Sim swap fraud.
Cybersecurity firm Kaspersky pointed us to Mozambique, where mobile networks now flag mobile numbers associated with recent Sim ports to banks.
Banks can block transactions if the number has been ported within the previous 48-72 hours, enough time for the original owner to contact their network provider if they discover they have been the victim of an unauthorized Sim swap.
While this may frustrate customers who have legitimately transferred their SIM card and don’t want payment delays, banks may find other ways to verify that the request is genuine. In any case, clients should be able to decide if this is a compromise they are willing to accept.
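The port-recency check described above, as an added example that is not part of the Which? investigation or of any bank’s or network’s actual system. It assumes a hypothetical feed of (number, time of port) records supplied by the network, and treats a transaction as risky only when it was authorised with an SMS code and the number was ported within the window the article gives (up to 72 hours). The opt-out path reflects the article’s point that customers should be able to choose the trade-off; all numbers and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Upper end of the 48-72 hour window quoted in the article (assumption: the
# bank picks the longer end to give the real owner time to notice).
PORT_WINDOW = timedelta(hours=72)


@dataclass
class PortEvent:
    """One record from the hypothetical network-to-bank port feed."""
    number: str          # E.164 phone number
    ported_at: datetime  # timezone-aware UTC


@dataclass
class Transaction:
    number: str
    at: datetime
    amount_gbp: float
    sms_authenticated: bool  # True when an SMS one-time code was the second factor


def latest_port(number: str, feed: List[PortEvent]) -> Optional[datetime]:
    """Most recent port of this number, or None if the feed has never seen it."""
    times = [e.ported_at for e in feed if e.number == number]
    return max(times) if times else None


def decide(tx: Transaction, feed: List[PortEvent], *,
           opted_out: bool = False, window: timedelta = PORT_WINDOW) -> str:
    """Return 'allow', 'hold' or 'step_up' for a transaction.

    hold    : number ported inside the window and SMS was the second factor,
              so the SMS code may have gone to the scammer's Sim.
    step_up : same condition, but the customer opted out of holds; the bank
              verifies through another channel instead (e.g. a call-back).
    allow   : no recent port, or the port cannot have affected this approval.
    """
    ported = latest_port(tx.number, feed)
    if ported is None:
        return "allow"                    # never ported: nothing to flag
    if tx.at < ported:
        return "allow"                    # port happened after the transaction
    if tx.at - ported > window:
        return "allow"                    # port is older than the risk window
    if not tx.sms_authenticated:
        return "allow"                    # SMS was not relied on, so a port doesn't weaken it
    return "step_up" if opted_out else "hold"


# Constructed sample data: one number ported at 10:00 UTC on 1 April.
PORT_TIME = datetime(2020, 4, 1, 10, 0, tzinfo=timezone.utc)
FEED = [PortEvent("+447700900123", PORT_TIME)]


def run_demo() -> dict:
    """Run the check over constructed transactions and return the decisions."""
    ported = "+447700900123"
    untouched = "+447700900999"
    cases = {
        "sms_23h_after_port": Transaction(ported, PORT_TIME + timedelta(hours=23), 2500.0, True),
        "sms_96h_after_port": Transaction(ported, PORT_TIME + timedelta(hours=96), 2500.0, True),
        "sms_before_port":    Transaction(ported, PORT_TIME - timedelta(hours=1), 40.0, True),
        "app_auth_in_window": Transaction(ported, PORT_TIME + timedelta(hours=5), 900.0, False),
        "never_ported":       Transaction(untouched, PORT_TIME + timedelta(hours=5), 900.0, True),
    }
    results = {name: decide(tx, FEED) for name, tx in cases.items()}
    # Same risky transaction, but the customer chose not to have payments held.
    results["sms_23h_opted_out"] = decide(cases["sms_23h_after_port"], FEED, opted_out=True)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:22s} -> {outcome}")
```

The check only fires when an SMS code was the factor that approved the payment; a transaction approved in-app or in-branch is unaffected by a port, so holding it would only add the customer friction the article warns about.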
How to protect yourself from Sim swap fraud
The full version of this investigation originally appeared in the April issue of Which? Money Magazine.