Sim card scam: With terrifying ease, fraudsters could empty your bank account – just by fooling your mobile phone provider
- Fraudsters trick providers into transferring phone numbers onto other Sims
- They do this to steal six-digit verification codes sent by text from your bank
- They will already have stolen information such as your username and password
Fraudsters are trick mobile phone providers into transferring phone numbers onto other Sim cards
When Ryan Finnegan received a text message out of the blue from Tesco Mobile thanking him for calling its customer service department, he phoned back his provider immediately.
The 37-year-old was told he could be the victim of a fraud, but was assured nothing had changed with his account.
At 6.30pm that evening, he was sent an email from TSB confirming his registration to its internet banking service.
Ryan knew something was wrong, because he had opted not to bank online years before. Shortly afterwards, his mobile phone network signal disappeared.
His wife, Anne Margaret, checked their joint account balance and discovered it had been emptied of £2,500. ‘This was everything we had. I had no idea how we were going to feed our two children and pay the bills,’ he says.
Ryan, a civil servant from Dundee, was the victim of a so-called Sim swap scam.
This is where fraudsters trick your network provider into transferring your mobile phone number on to another Sim card.
They do this to steal six-digit verification codes sent by text from your bank when you try to set up new payees and transfer money online.
These one-time passcodes are supposed to provide a second layer of security, known as two-factor authentication — but they can be intercepted.
Fraudsters will already have stolen enough information to access your bank account, such as your username and password.
They then find out who the victim’s network provider is — which they can do easily online — and pose as them over the phone or in store.
Fraudsters are trying to steal steal six-digit verification codes sent by text from banks having already stolen information such as the account holder’s username and password
When you request to move your phone number to a different Sim card, providers typically ask for your name, address, date of birth and one or two security questions, according to Chris Underhill from Equiniti Cyber Security.
‘Personal information, such as names, addresses and dates of birth, can be found easily on social media and online directories,’ says Mr Underhill.
‘Fraudsters can also obtain these details by tricking people over text, email or phone. Security questions can also be easy to find out.’
When Ryan reported the scam to Tesco Mobile last May, he discovered fraudsters had called the provider five times on one day trying to guess the answer to his security question — his favourite colour. ‘Why weren’t these calls flagged as suspicious?’ he says.
Ryan got his money back and, after Money Mail intervened, a £450 goodwill payment from TSB.
Some 549 cases of Sim swap scams were reported to Action Fraud, the cybercrime reporting service, in the three years to August 2018. The average loss was around £4,000.
Experts say network providers must do more to verify the identity of their customers. Money Mail asked the biggest providers what information they require to swap a Sim.
Vodafone says it asks a range of security questions and sends a one-time access code to your mobile phone for verification. Customers can also use Vodafone’s Voice ID feature, which uses voice recognition software.
O2 says it sends a code to your mobile phone before a new Sim can be activated. Photo ID is needed in store. EE asks customers a number of questions to prove their identity. If the customer fails these checks by phone, they must present a photo ID in store.
Tesco Mobile says it does not publicly share its security processes. A spokesman says the company has investigated Ryan’s case and is satisfied that it followed procedures.