31 OCT, (VNI) In recent weeks, a legal practitioner based in North Delhi fell prey to the 'SIM swap scam' in the nation's capital. This transpired after she noticed three unidentified missed calls, which ultimately led to an unauthorized withdrawal from her bank account.
This incident echoes a case from February, where a private school educator suffered a loss of Rs 1.5 lakhs through eight transactions within a mere three hours. Despite maintaining that he never disclosed any bank OTPs or engaged in suspicious communication, he, too, experienced missed calls before losing a substantial portion of his savings.
Similarly, in the prior year, a businessman hailing from South Delhi found himself on the losing end of over Rs 50 lakhs to unidentified scam artists. Prior to the deduction from his bank account, he received at least seven missed calls.
These instances highlight a recurring pattern: victims tend to incur losses after receiving a series of missed calls from the perpetrators, as per insights from the cyber experts. This prompts the question: why do victims receive missed calls, and how does this lead to SIM swapping? What measures can individuals take to shield themselves from falling victim to this deception? We delve into these inquiries.
The SIM Swap Scheme: Unraveled
In an era marked by advanced banking services, effortless payment apps, and seamless mobile transactions, cybercriminals exploit the connection between physical SIM cards and banking apps. These apps are tied to phone numbers, crucial for generating OTPs (used to validate transactions) and receiving pivotal bank-related notifications.
Within the SIM swap scheme, fraudsters first acquire personal details—such as phone numbers, bank account information, and addresses—through tactics like phishing or vishing. Phishing involves sending malware-infused links via email or messages. Once clicked, the malware pilfers all of the victim's personal data.
Upon obtaining this information, fraudsters visit a mobile operator's retail outlet, posing as the victim and utilizing a counterfeit ID to report a fictitious theft of the victim's SIM card and/or mobile device. This maneuver secures them a duplicate SIM. Significantly, even if the original SIM is operational, fraudsters can still acquire a duplicate by falsely reporting the theft. Consequently, all activation messages and particulars are directed to the scammer, not the victim.
According to a reputed bank advisory, the fraudsters typically collaborate with an insider at the telecom company, simplifying the duplication of the SIM with the obtained personal details. Once in possession of the duplicate SIM, they can effortlessly receive any banking authorization messages or OTPs.
Understanding the Missed Calls
Diverging from other scams that hinge on coaxing victims into divulging OTPs and sensitive information over a phone call, the SIM swap scam doesn't necessitate direct interaction with the victim. However, fraudsters deploy missed calls strategically to prompt the victim to abandon their phone, leading to network connectivity being overlooked.
According to media reports, culprits orchestrate SIM swaps with the cooperation of telecom company personnel. "Since SIM activation is a time-consuming process, the culprits make test calls to ascertain the call destination. This accounts for the received missed calls. They also intentionally ignore returning calls to further frustrate the victim, encouraging them to neglect their phone. Once the SIM is swapped, the culprits gain full control. All calls and messages are funneled through their SIM. They then initiate transactions, often escaping immediate detection because victims typically neglect their phones following missed calls."
Withdrawal of Funds from Victims' Accounts
After obtaining the victim's personal information, including account numbers and passwords through phishing, fraudsters exploit this data to access bank portals and generate OTPs for fund withdrawal. With control over the victim's SIM card, all OTPs are directed to the scammers, facilitating transaction authentication and fund pilfering.
Identifying Victims
Police reveal that the culprits either purchase data from hackers involved in data breaches or procure it from online platforms. In numerous data breaches, private companies with extensive customer bases fall prey to hacking incidents. In April, a reputed electronics and furniture rental company reported such a breach.
According to the company's statement, "It appears that the attackers were able to gain unauthorized access to our customer data, including personally identifiable information, by exploiting cloud misconfigurations through highly sophisticated attacks, thereby breaching one of our databases."
Arrests and Evading Capture
As of now, no arrests have been made in connection with the scam, according to the Police source. The culprits have successfully evaded apprehension by promptly disposing of the duplicate SIMs and avoiding a fixed location of operation. Additionally, stolen funds are channeled through various means, including conversion to cryptocurrency. Police face challenges in tracking Bitcoin and other cryptocurrency transactions due to their encrypted nature.
Safeguarding Against SIM Swap Fraud
Individuals can shield themselves from falling prey to SIM swap fraud by adhering to the following precautions:
Exercise vigilance against vishing or phishing attempts.
Refrain from ignoring messages or powering down phones after multiple missed calls. In such instances, promptly contact the mobile operator for investigation.
Routinely update bank account passwords.
Enroll for regular SMS and email alerts concerning banking transactions.
In the event of fraud, promptly reach out to bank authorities to have the account suspended, thwarting further illicit activity.