The growing use of mobile banking has exposed users to different kinds of fraud. A couple of months back, there were reports of many people in Bengaluru losing money to SIM swap. Experts caution that this new-age con job is on the rise. Says Siddharth Vishwanath, Partner - FS (Advisory & Cyber Security), PwC India, “SIM swap has, in recent times, gained notoriety. While there is no authoritative statistic on how big the problem is in India, it is definitely on the rise. With more banking transactions moving to mobile, this is among the leading modus operandi of fraudsters.”

Two-step fraud

SIM swap is what its name suggests. The conman swaps your registered mobile’s SIM card with his, gets confidential messages and passwords meant for you, and puts through financial transactions to enrich himself. It’s a two-step fraud — extraction of personal information followed by impersonation. In the first step, the fraudster gets your personal information through a variety of modes such as phishing (fraudulent mails), vishing (fraudulent phone calls), SMiShing (fraudulent phone messages), social engineering (gathering information surreptitiously from you or your circle of contacts), malware (fraudulent software), hacking into electronic devices and websites, and shoulder-surfing when you enter data in electronic devices.

In the next step, the fraudster uses this personal information to create a fake ID in your name, impersonates you, cancels your genuine SIM card and gets a duplicate SIM card from the mobile operator. This is done on various pretexts, including losing the mobile phone, getting a new phone or the old SIM card getting damaged. Now, all calls and messages meant for you, including transaction authorisations and confirmations, go to the conman.

This lets the conman beat the ‘two-factor authentication’ security architecture mandated by the RBI for most electronic transactions. First, your personal information has already been extracted: say, credit card or debit card details, including the three-digit CVV, or bank account details, including PIN/passwords or answers to security questions. Next, the conman also has access to the second-level security check, say, the one-time password (OTP), which is now delivered to the mobile that has the duplicate SIM card. This allows him to put through a range of fraudulent transactions such as unauthorised fund transfers and online purchases.

Precautions and prevention

There are a few dos and don’ts you can follow to protect yourself from SIM swap fraud and to contain damage. Never disclose your confidential information such as internet banking user ID, PIN, passwords and card CVV numbers. Be careful what personal details you share on social media; refrain from putting up your phone number on such platforms. Use only genuine software on your computers and mobile phones; do not tamper with the security settings of your mobile phones, and update anti-virus protection regularly to prevent malware attacks.

Do not respond to unknown mails or calls, especially those that seek your account or card details or phone number. Responses to seemingly innocuous mails or calls could be used by fraudsters to anticipate likely answers to security questions, says Siddharth Vishwanath of PwC India.

Be alert about your mobile phone connection. If your mobile phone service stops for unknown reasons, check with your mobile operator immediately and notify your bank as well. Register for both SMS and e-mail alerts for details about every financial transaction. This two-channel check to keep you up to date with transactions can alert you to hanky-panky over e-mail even if your SIM card has been compromised.

A trick employed by fraudsters is to flood you with nuisance calls in the hope that you switch off the phone or put it on silent mode, so that you do not notice the lost connectivity when the SIM is swapped. If you get such calls, don’t switch off the phone; simply don’t answer them. Check with your mobile operator whether it sends you an SMS alert when a SIM card change request is made; this can help you stop the fraud quickly.

Siddharth Vishwanath of PwC India says that while telecom companies and banks have started educating customers about these kinds of fraud, there is a need to spread such awareness across channels and languages to cater to the diverse customer base. Another key area, he says, is to revisit the controls implemented by telecom companies for issuance or replacement of SIM cards.