In South Africa it is common for consumers to have mobile numbers linked to their bank accounts. What started out as a seemingly safe security measure, could potentially allow scammers access to your personal information and the very bank account this safety precaution is there to protect.
How it works is scammers gather enough information through social media platforms, phishing emails, public websites or data dumps about a targeted consumer to enable them to gain access to their internet banking profiles and perform a sim swap.
The scammers then contact the target consumer’s cell phone service provider, claiming to be the consumer, and request a sim swap, due to their device purportedly being lost or stolen. They will have gathered enough information to answer the provider’s security questions without raising any suspicion.
Once the sim swap is performed, scammers will have access to any messages sent to the consumer via their bank, such as one-time pins, which will enable them to make payments and add beneficiaries to the consumer’s bank account.
The consumer could be largely unaware of this activity or that their SIM has been swapped. The first sign is usually that their phone loses signal and they are unable to make calls. By the time they have discovered that their sim has been swapped it is usually too late, and their bank accounts have been drained.
Mechanisms service providers have put in place
Service providers have responded to SIM-swap fraud by implementing protective measures. Some of these include sending the consumer an SMS to confirm they have requested a SIM swap, allowing banks to check when last a SIM swap was requested on a customer’s mobile number before sending them a one-time-pin and introducing a time delay before implementing a SIM swap.
How to protect yourself from falling victim to SIM-swap fraud
In order to safeguard against becoming a victim of SIM-swap fraud, it is suggested that consumers must never give over their internet banking usernames and passwords to anyone. Consumers should be vigilant in safeguarding usernames, passwords and pin codes and never save them to their devices. Phishing emails are one of the main ways in which scammers access this information, therefore consumers should never reply to any emails claiming to be from their banks requesting usernames, passwords or pin codes.
Should a consumer receive an SMS from their service provider alerting them of a SIM swap request made for their number, they should contact their service provider immediately and have the SIM card deactivated. These messages should never be ignored, even if told to do so by your service provider.
Where the fault lies
So far banks and mobile service providers have blamed negligence on the part of the consumer and have disclaimed all liability for their losses. In a 2010 case a court held that due to the fact that the SIM swap alone does not enable the scammer to commit fraud on the consumer’s bank account, they would also need access to the consumer’s internet banking username and password, the service provider’s negligent omission is too remote from the consumers loss and therefore it cannot be liable.
The only recourse a consumer would have is against the actual perpetrator who committed the fraud. This would mean tracking them down and then attempting to get money from them which is likely to have already been spent.