The Spanish National Police have arrested eight suspected members of a criminal organisation who used SIM swapping assaults to steal money from the victims' bank accounts.
SIM switching assaults are used by criminals to get control of victims' phone numbers by duping mobile operator workers into transferring their numbers to SIMs controlled by the fraudsters. The attackers can steal money, cryptocurrency, and personal information, including contacts linked with online accounts, once a SIM has been stolen. Criminals could take over social media accounts and utilise SMS to circumvent 2FA services utilized by online services, including financial services.
In the incident under investigation by Spanish police, the cybercriminal gained the victims' personal information and bank details via fraudulent emails in which they pretended to be their bank.
The fraudsters were able to falsify the victims' official documents and use them to dupe phone store staff into issuing them with replica SIM cards. They were able to overcome SMS-based 2FA needed to access bank accounts and take the money once they had the SIM cards.
The press release published by the Spanish National Police stated, “Agents of the National Police have dismantled a criminal organization dedicated, presumably, to bank fraud through the duplication of SIM cards. There are eight detainees based in Catalonia and acting throughout Spain who, through malicious messages and posing as a bank, obtained personal information and bank details to access the accounts of the victims whose identity they usurped through the falsification of official documents. With this, they deceived the employees of phone stores to obtain duplicate SIM cards and, in this way, have access to the bank’s security confirmation messages. In this way they could operate in online banking and access bank accounts to empty them after receiving security confirmation messages from the banks.”
The first SIM swapping attack linked to this group occurred in March 2021, when Spanish authorities received two reports about fraudulent transactions in different parts of the country.
Crooks used bank transfers and digital quick payment services based in the region of Barcelona to launder the stolen funds.
Seven people were arrested in Barcelona and one in Seville as a byproduct of the operation. The suspects' bank accounts were also banned by the authorities.
The FBI announced this week that SIM swap attacks have increased, with the objective of stealing millions of dollars from victims by hijacking their mobile phone numbers.
According to the FBI, US individuals have lost more than $68 million as a result of SIM switching assaults in 2021, with the number of complaints and damages nearly doubling since 2018.
The FBI's Internet Crime Complaint Center (IC3) received 1,611 SIM switching assault reports in 2018, compared to 320 complaints between 2018 and 2002, resulting in a total loss of $12 million.
Individuals should take the following steps, as per the FBI:
• Do not post details regarding financial assets, such as bitcoin ownership or investment, on social networking platforms or forums.
• Do not disclose the mobile number account details to representatives who ask for the account password or pin over the phone. Verify the call by calling the mobile carrier's customer support number.
• Posting personal information online, such as your phone number, address, or other identifying information, is not a good idea.
• To access online accounts, use a variety of unique passwords.
• Any changes in SMS-based connectivity should be noted.
• To gain access to online accounts, use strong multi-factor authentication solutions such as biometrics, physical security tokens, or standalone authentication software.
• For easy login on mobile device applications, do not save passwords, usernames, or other information.
On the other hand, mobile providers should take the following safety measures, according to the FBI:
• Employees should be instructed and training sessions on SIM swapping should be held.
• Examine incoming email addresses containing formal correspondence for minor differences that could make fraudulent addresses appear real and match the names of actual clients.
• Establish stringent security standards that allow workers to effectively check customer credentials before transferring their phone numbers to a new device.