07 Dec

A recent investigation by BBC TV’s Watchdog Live revealed evidence that some mobile phone shop staff are not conducting proper ID checks for replacement SIM requests, thereby enabling some customers to become victims of SIM swap scams.

What is a SIM Swap Scam?

SIM swap scams are believed to have been in existence for the last four years in one form or another.  In its current form, the SIM swap scan happens when a fraudster goes into a mobile operator’s shop and claims a false identity i.e. the identity of one of that operator’s customers.  The fraudster knows that the person they are claiming to be is a customer of that operator because of personal details that have been stolen in previous malware or cyber-attacks, and those details have been posted or sold on the dark web.

In the shop, while pretending to be that customer, the fraudster claims that their phone has been lost or stolen and asks to be issued with a replacement SIM. Once the fraudster has the replacement SIM, the victim’s SIM no longer works, and the fraudster can then access any online service that requires security codes to be sent to the phone, as well as being able to access any other of the victim’s personal details that are stored on the SIM.

In the past (London 2016), a similar version of the scam worked when fraudsters used an intercepted bank statement from the victim (or information found on social media) to call the person’s mobile operator, pass security checks, and get a blank SIM card.  The fraudsters were then able to access the unique codes sent by the victim’s bank to log into their account and transfer funds.

What Should Happen When Someone Requests a Replacement SIM?

At the moment, mobile operators should conduct i.d. checks for replacement SIMs, but it is not compulsory.  Also, the Watchdog Live investigation revealed that checks for contract customers and Pay As You Go customers may differ.  For example, O2 said that it only asks for photo ID when replacing SIMs on monthly contracts, and that Pay As You Go customers will be sent an authorisation code if someone is trying to access the number.

What Happened in Reality?

In the investigation, which involved the secret filming of Watchdog Live’s own ‘King Con’ former fraudster in multiple EE, O2, Three and Vodafone stores, EE and Three staff conducted all the necessary checks, but Vodafone blamed rogue employees for not doing so.  Also, replacement SIMs were obtained from O2 stores and the authorisation codes that the company says it sends out were not received.

What Does This Mean For Your Business?

It appears that this relatively old fraud is still very much alive and is a reminder of how valuable our personal details can be to criminals. Bearing in mind how serious this fraud can be to the victims, it is shocking that photo ID checks for replacement SIMs are not made to be compulsory for all operators in all situations.  Mobile operators could help themselves and customers by introducing compulsory measures and by making sure through training and in-built systems that all staff conduct satisfactory checks.

It is also worrying that the investigation appears to have revealed a two-tiered security system, with Pay As You Go customers afforded less protection.

In the meantime, one way that we can help ourselves is to regularly check both our phone and bank statements, and if you have a contract with e.g. O2, contact them to confirm that no replacement SIMs have been issued in your name.