Sim cards
SIM swap fraud scams are becoming more and more prevalent and costing UK banks tens of millions of pounds Reuters

If you're an online banking customer, you'll be familiar with the multiple layers of security in the form of text messages containing unique codes, and calls from banks themselves, to provide assurance your cash is safe. It has now been revealed that hackers can easily gain access to your funds simply by using social media and a blank SIM card, which is costing banks millions of pounds.

A growing concern among UK banks, SIM swap fraud enables hackers to hijack the SIM card in your phone, tricking both your bank and mobile phone provider into assuming that the hacker is legitimate.

How SIM swap fraud works

NatWest Bank
In March, NatWest admitted its online banking system needs overhauling after a series of cases where money was stolen from customers' accounts due to SIM swap fraud. Reuters

According to the National Fraud Intelligence Bureau, part of the City of London Police, SIM swap fraud (also known as 'SIM splitting') is possible if criminals are first able to access a victim's bank statement, or any personal information from social media.

The criminal then obtains a blank SIM card and calls the mobile operator – using the details gleaned about the victim to pass security checks, they pretend to have had their phone stolen.

The mobile operator immediately cancels the SIM card on the 'stolen' phone and instead activates the 'new' SIM card. With texts and calls now routed to the new SIM card, the criminal is able to access the unique code sent by the bank. This is then used to log into the victim's online bank account to transfer funds into another account.

A worryingly simple process, and in March, Natwest admitted that its systems were affected by the flaw.

SIM swap is costing UK banks millions of pounds

online shopping / online banking fraud
SIM-swap fraud is emerging as a new way cybercriminals can get their hands on victims' bank accounts and drain them iStock

Fico, a global analytics software firm known in the US for its Fico Score consumer credit risk score calculator, was approached by a well-known UK high street bank in 2011 to create solutions that enables banks to identify customers who have recently switched SIM cards – before they issue unique SMS identification codes.

"Prior to implementing the solution, banks were struggling with multi-million pound losses in less than a month," Gabriel Hopkins, Fico's senior director of Product Management told IBTimes UK.

"We go out into the SS7 mobile network and we'll get an IMSI value (unique SIM card identifier) back from the network. Your telephone number and the IMSI value are the two values we trust. If we see the IMSI value has changed, it looks as if the SIM card has changed. Of course it might not be fraud, people might have a good reason to change their SIM card, for example if they were to change their phone.

"We also look at people who change SIM cards within their own network, e.g. Vodafone to Vodafone. That's predominantly where the fraud happens. If we detect this, we contact the customer from the bank's call centre. They have agents who are specially trained to deal with customers who have had their phones compromised."

UK crime gangs are likely behind the fraud

Fico, which cannot reveal specific details about its clients due to the gravity of the issue, is currently working with two UK major high-street banks to deal with SIM fraud. The firm is also in the process of implementing solutions with other banks, and its clients say that SIM-swap fraud is definitely not being perpetrated by individuals.

"This is organised crime. The fraud is incredibly sophisticated. We think there are some cases where this crime is perpetrated from abroad, but most of the time it's perpetrated by some people who are in the UK, and some of them are geographically close to some of the targeted victims," Hopkins stressed.

It would be useful to us if the telcos could protect their own customers from bank fraud. In some ways they are aiding bank fraud as they want to make it a really simple experience in-store.
- Gabriel Hopkins, senior director of product management, Fico

"We've heard from clients that fraudsters log onto the victim's online banking account from a coffee shop close to their actual home, in order to seem much more likely to be the real user.

"Banks often know who the people are, but whether they can work with the police to catch the people varies greatly. In some cases banks are very confident they know who it is and where they are, but there's a lack of evidence or police manpower."

From looking at social media activities, banks told Fico that it is clear that cybercriminals are targeting specific individuals simply because they know they have large sums of money in their accounts.

Mobile operators need to step up and work with the banks

Dodgy man looking at a smartphone
In some cases, the banks apparently know who is behind the crime but they don't have enough evidence to prove it iStock

Hopkins says it's not fair to blame it all on online banking security. Some SIM-swap fraud is perpetrated by criminals who trick mobile operators into sending SIM cards that belong to registered customers to themselves instead.

"It's in the shared interest of the banks and the telcos to work on this together. We've seen the telcos unintentionally change something in their network, which then blocks access so we can't access the IMSI value," said Hopkins.

"In some ways they (telcos) are aiding bank fraud as they want to make it a really simple experience in-store. It would be good if there were more rigorous checks at the point that SIM cards are issued, and people need to be careful of their online credentials and who has access to their phone."

According to Financial Fraud Action UK's 2015 end of year report, fraud losses totalled £755m in 2015, an increase of 26% compared to 2014. The UK's leading finance scam prevention service, Cifas, reports that its members prevented over £1bn of fraud in 2015 by using Cifas, which refers confirmed fraud cases to the police.