Sim-swap fraud: how criminals hijack your number to get into your bank accounts

Reports to Action Fraud of a scam known as Sim-swap fraud - where a criminal tricks your mobile network into transferring your phone number to a Sim card in their possession - have rocketed by 400% since 2015.

Gaining control of your mobile number means a fraudster will receive all calls and texts intended for you - including the one-time security passcodes required to access personal accounts.

Our investigation suggests that mobile network providers have stepped up security to make the scam harder to pull off, but criminals are still finding a way in.

We've spoken to dozens of victims who have had thousands of pounds taken from their accounts in the past year, and many feel the networks should be doing more to help.

Here, we reveal the tactics Sim-swap fraudsters used and explain how to protect yourself.

How your number can be hijacked

Fraudsters start by gathering data about you via social engineering (sending fake emails, texts, phone calls to trick you into divulging personal information) or by paying for stolen data on underground online forums.

Social media accounts can also prove fruitful for learning answers to common security questions, such as birthdays, names of pets and favourite sports teams.

Armed with enough information to pose as you, the scammer will contact the customer services department of your network provider - over the phone, via webchat or even in store - and ask for your number to be switched to a Sim card in their possession.

The fraudster's aim is to take control of your number, by convincing your network to either:

• swap your number to a new Sim card on the same network, perhaps by claiming that 'their' phone is lost, or,
• move your number to another network by requesting the Porting Authorisation Code (PAC).

While Sim-swap fraud is not new, Action Fraud reports suggest that attacks are ramping up:

Are mobile networks doing enough to stop Sim-swap fraud?

If you go into a phone store and ask for a replacement Sim card, staff should ask for your passport or driving licence, although a 2018 BBC Watchdog investigation found that employees don't always follow official procedures.

A more obvious route for fraudsters is to call your network's customer services helpline, where they can't be asked for photo ID.

When we asked volunteers to make two phone calls from a landline to their networks (BT, EE, O2, Sky, Tesco, Three and Vodafone) and request the PAC, we found security was generally robust.

Call handlers typically asked us to quote a code that was sent to us via text, or said they would send the PAC via text to the original Sim card. Both measures would stump the average malicious caller. Even when we pretended our phone was broken or unable to receive texts, call handlers suggested we put the Sim card in a borrowed phone or visit a store with photo ID.

However, one call was troubling - because we were given the PAC over the phone despite deliberately getting the account password wrong (the call handler even hinted this was the name of our first pet).

We were able to pass security by providing only the model of the phone and the last four digits of the account number. Although this was an isolated case, it shows persistence can pay off for a fraudster.

• Find out more:how to get your money back after a scam

'This cost me a lot of sleepless nights'

Last December, Sharron Fowler from South Bucks received a text from EE stating that her Sim activation request had been processed and her new Sim would be active within 24 hours.

She immediately called her provider and discovered someone had passed security and requested her PAC.

EE said it was too late to stop the Sim-swap.By the next morning, she was locked out of her email accounts and the scammers targeted her premium bonds account with National Savings and Investments (NS&I), attempting to steal nearly £9,000.

Sharron had to change all her passwords and was advised to add a note on her credit file with each of the three credit reference agencies so that a password is required for all future credit applications in her name.

'I consider myself very, very lucky, but I felt quite violated. This cost me a lot of sleepless nights in the run up to Christmas.'

An EE spokesperson said: 'In this instance, the criminal successfully accessed Ms Fowler's account by answering security questions correctly. We spotted further suspicious attempts to access Ms Fowler's account and added an additional layer of security by requesting a utility bill as further proof of ID.'

'We advised Ms Fowler to contact her bank immediately and this helped prevent unauthorised access to her bank account. We recognise in trying to protect Ms Fowler's account this made it difficult for her to access it when visiting our store and we apologise for any worry caused.'

'The fraudster spent £13,000 in 48 hours'

Garth Pollard, from London, received a surprise text from Three providing a PAC last April.

Within 15 minutes he contacted the network to explain he had not requested this code and was assured it would not be activated.

'24 hours later, my phone was cut off. I called Three and was assured the number would be returned. I didn't think there had been a fraud but some administrative error,' says Garth.

'But then I received an email from my credit card provider advising that I was at 90% of my credit card limit.'

Having persuaded Three's call centre to supply the PAC over the phone, the fraudster spent a total of about £13,000 over a 48-hour period, although, eventually, all these transactions were removed.

'I made a data-access request to Three. It was very slow in dealing with it and then refused to provide any data connected to the fraudster on the grounds that it could only be released if a police request was made.

'While I suffered no loss, it seems to me that the present system is open to misuse by criminals. I don't know what data the fraudster had about me and couldn't take any action to secure other accounts.'

A Three UK spokesperson said: 'Generally, by the time criminals are attempting to obtain someone else's phone number, they have substantial amounts of personal and financial information to impersonate them.

'This is why we've recently introduced a number of enhanced checks for anyone attempting to obtain someone else's phone number and are working in close collaboration with the rest of the telecoms industry to monitor, identify threats and take action.'

Getting hold of your network

With so much at stake, networks must respond quickly when they discover a customer has fallen victim to a Sim-swap attack.

No network offers a 24/7 customer services telephone helpline, although EE, Plusnet, Tesco Mobile and Vodafone told us that an out-of-hours support team can still place restrictions on your account to block unauthorised access.

If you're with Virgin Media, it has an online form used to report lost or stolen devices, which will temporarily block your Sim. Three offers 24/7 webchat.

O2 said that any customer who suspects they're a victim of fraud should immediately contact their bank and O2 as soon as possible from another phone.

Sky Mobile told us it wasn't able to respond to our questions.

A simple but effective solution?

With smartphones providing a gateway to our financial data, the banking and telecoms industries should consider how to take a more collaborative approach to tackling Sim-swap fraud.

Cybersecurity firm Kaspersky pointed us to Mozambique, where mobile networks now flag to banks mobile phone numbers associated with recent Sim ports.

Banks can block transactions if the number has been ported within the previous 48 to 72 hours - enough time for the original owner to contact their network provider if they discover they have fallen victim to an unauthorised Sim swap.

While this may frustrate customers who have legitimately ported their Sim card and don't want payment delays, banks can potentially find other ways to verify the request is genuine. In any case, customers should be able to decide whether this is a compromise they are willing to make.

How to protect yourself from Sim-swap fraud

The full version of this investigation originally appeared in the April edition of Which? Money Magazine.

Try Which? Money for just £1 to get the next edition delivered to your door.