Welcome back to our “Scam Likely” series. Today, we turn to a devious heist that turns your customer’s cellphone into a weapon against them. This is the “SIM card swap.”

The Set Up

It is a normal and uneventful day. Your customer is going about their business when – POOF – their cellphone suddenly loses service. “Hmm… must have bad cell service in here.” No bars, no 5G, nothing – strange. The customer tries restarting their phone, but that does not fix the problem either. Although strange, no big alarms are ringing yet and the customer thinks “oh well, probably just a temporary service outage or something.” A couple hours later, they finally manage to log on to their home computer and they see an email from your bank: “Your password has been changed.”

At that point, the damage is done. Their bank account is completely empty.

The Actors

The scammer is a devious and convincing imposter. In particular, the scammer has tricked the customer’s cellphone provider by first gathering key pieces of personal information about the customer (e.g., name, address, cellphone number, and SSN), typically from social media, data breaches, or phishing. The fraudster then calls the customer’s cellphone provider and convinces its hotline representative that they are your customer. Impersonating your customer, the fraudster claims that they have lost their phone (or upgraded to a new one), and that they simply need to port the phone number to a new SIM card. Once the cellphone provider flips the switch, your customer’s phone number is now controlled by the scammer, and the customer’s real phone is cut off from service.

The Grift

Once the scammer has your customer’s phone number, text messages and calls will go directly to the scammer’s phone. As you know, most banking platforms send security codes via SMS, and these texts are commonly treated as a secure method of confirming the customer’s identity as part of routine “lost password” requests. Once the scammer has hijacked your customer’s telephone number, they simply initiate a “lost password” request through your banking app. The app then sends the security code to the scammer, and the scammer resets the password. Now that they have access to your customer’s bank account, they move at the speed of light and completely drain the account – and all of this happens while your customer innocently thinks they simply have “bad cell service.”

The Pain

This scam quickly turns catastrophic. Your customer’s bank account has been drained. And your bank faces both financial and reputational damage. But, who is responsible? On the one hand, the transactions were “authorized” because they were initiated via the correct login credentials, passwords, and multi-factor authentication security codes. On the other hand, it could be argued that, because the loss was caused by a security failure or fraud, the transfers were not “authorized” in the eyes of the law. Often, this turns into a dispute over whether the bank’s security procedures were reasonable, whether the customer notified the bank in a timely fashion, and who should be on the hook. Unfortunately, there is no single rule that dictates whether the bank or customer is responsible. In many cases, this uncertainty leads to a settlement between the parties.

The Reality

This could happen to anyone at any time. So, how do we prevent it? The reality is that banks and customers would benefit from moving away from relying solely on SMS-based multi-factor authentication. This scam makes it crystal clear that this MFA security method is not foolproof.

Here are some ideas to fight back:

  • Authenticator Apps. Consider moving away from SMS security codes to app-based authenticators, which are not tied to a SIM card. This helps ensure that the security code is generated locally on the customer’s cellphone rather than delivered over the cellular network, so a hijacked phone number does not receive it.
  • Hard Security Keys. What is old is new again! Many believe that hard security keys (e.g., hard tokens) provide the highest level of security, since they require physical possession of the key and cannot be intercepted remotely.
  • PIN/Passcode to Mobile Accounts. Many platforms allow their customers to set a secondary PIN specifically for any account changes. If a scammer tries to swap the SIM or make other account changes, they will need to overcome that additional layer of security.
  • Contextual Analysis. Certain systems can analyze “geo-velocity” (e.g., impossible travel between logins), new device signatures, or suspicious IP ranges to flag suspicious activity.
  • Step-Up Authentication. If a transaction or request is deemed high-risk (e.g., a large wire transfer, password reset, or admin-level change), the bank can trigger a mandatory, stronger verification method, such as a biometric scan, rather than relying on a standard SMS code.
  • Multi-Channel Notifications. Banks can send alerts through multiple independent channels simultaneously. For instance, a bank could notify its customer via both email and a push notification in the bank’s mobile banking app whenever account changes are requested.
  • Device Binding. Banks can “bind” a customer’s account to a specific, trusted hardware device. Once bound, the account cannot be accessed from a new phone without additional, out-of-band verification.
  • Employee Training. At the risk of stating the obvious, your bank staff should be adequately trained to recognize the “social engineering” tactics commonly used by scammers who attempt to impersonate customers.
  • Protecting Personal Information. And of course, protect your personal information. Data breaches happen every day, and scammers can easily purchase an individual’s personal information online (including their name, address, cellphone number, and SSN). The less personal information floating around online, the harder it is to impersonate a customer.
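As an added illustration (not from the article or any particular bank’s system), the following Python combines the contextual-analysis and step-up ideas above into one policy check: it scores a request on geo-velocity, device novelty and action sensitivity, and never lets an SMS code alone satisfy a risky request. All function names, thresholds and sample events are constructed assumptions.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

HIGH_RISK_ACTIONS = {"password_reset", "large_wire", "admin_change", "contact_change"}
MAX_PLAUSIBLE_KMH = 900.0                                   # above airliner speed: impossible travel
STRONG_FACTORS = {"totp_app", "hardware_key", "biometric"}  # factors not tied to the SIM

@dataclass
class Event:
    user: str
    ts: float        # epoch seconds
    lat: float
    lon: float
    device_id: str
    action: str
    factor: str      # how this session was verified: "sms", "totp_app", "hardware_key", ...

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two coordinates."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def risk_signals(prev, cur, known_devices):
    """Contextual signals from the article: geo-velocity, new device, sensitive action."""
    signals = []
    if prev is not None:
        hours = max((cur.ts - prev.ts) / 3600.0, 1e-6)
        if haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours > MAX_PLAUSIBLE_KMH:
            signals.append("impossible_travel")
    if cur.device_id not in known_devices:
        signals.append("new_device")
    if cur.action in HIGH_RISK_ACTIONS:
        signals.append("high_risk_action")
    return signals

def decide(prev, cur, known_devices):
    """Return ("allow" | "step_up", signals). An SMS code never clears a risky request."""
    signals = risk_signals(prev, cur, known_devices)
    if not signals:
        return "allow", signals
    if cur.factor in STRONG_FACTORS and "impossible_travel" not in signals:
        return "allow", signals
    return "step_up", signals   # demand a non-SMS factor or out-of-band verification

# Constructed sample (hypothetical values): a routine login from a known device in New York,
# then a password reset 30 minutes later from a new device in Los Angeles, both "verified" by SMS.
KNOWN = {"alice": {"phone-A1"}}
LOGIN = Event("alice", 1_700_000_000, 40.71, -74.01, "phone-A1", "view_balance", "sms")
RESET = Event("alice", 1_700_001_800, 34.05, -118.24, "phone-Z9", "password_reset", "sms")
```

Running `decide(LOGIN, RESET, KNOWN["alice"])` yields a step-up decision carrying all three signals, while the same reset from the known device with a hardware key and a plausible location is allowed.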

The fraud battleground continues to shapeshift, but your bank has options to make this scam more difficult for the bad guys. Banks can help both themselves and their customers by implementing these additional security measures to stay one step ahead of the fraud game. Stay sharp, and do not be fooled if your phone suddenly turns into a brick.

This article is provided for informational purposes only—it does not constitute legal advice and does not create an attorney-client relationship between the firm and the reader. Readers should consult legal counsel before taking action relating to the subject matter of this article.