Staff in mobile phone shops have become key to the execution of “Sim swap” scams, Watchdog Live has discovered. Undercover filming revealed that O2 and Vodafone employees are bypassing basic ID checks and handing over replacement Sim cards to potential criminals.
Once fraudsters gain control of a mobile number, they can intercept SMS text messages from banks containing security codes. Scammers have drained thousands of pounds from victims’ bank accounts.
O2 told the BBC it currently only asks for photo ID when replacing Sims on a monthly contract, and that customers on Pay As You Go contracts would always receive an authorisation code alerting them that someone is trying to access their number.
However, that did not happen with any of the numbers being used by the Watchdog Live team, who were able to walk out with a replacement Sim in almost every case.
O2 says it did send out authorisation codes, but they were not received by the victims’ smartphones.
Vodafone said that it takes Sim swap fraud “extremely seriously” and that it is disappointed that two of its employees did not follow established security check procedures, despite being given mandatory training, reinforced by regular reminders to the contrary.
‘A state of shock’
Previously, in some countries, Sim swap scams were used by scammers to ring and text premium numbers to run up large mobile phone bills.
But now that more online services use two-factor authentication, which requires text messages to be sent to mobile phones, there is more at risk.
Olga from Buckinghamshire had £2,000 taken from her bank account, after a fraudster managed to successfully request a replacement Sim for her mobile number without her knowing anything about it.
“It was like a state of shock and my first thought was that there must be some sort of error,” Olga told Watchdog. “I was just sobbing down the phone saying all my money’s been stolen.”
Initially, Olga’s bank refused to refund her the money, blaming her for not keeping her details safe.
But it eventually became clear that the fraudster had found a way in to her account after being given a replacement Sim card by EE.
Watchdog’s undercover visits found that staff in EE and Three stores always stuck to their security policies by demanding photo ID.
How the scam works
Sim swap scams occur when a criminal is able to convince a mobile operator to issue them with a replacement Sim card, by claiming a false identity and pretending that their mobile phone has been either lost or stolen.
Criminals are able to do this using people’s personal details that have been stolen using malware or cyber-attacks. Many of these details are then sold on the dark web.
The victim’s Sim card stops working and the criminal can then access any online service that requires security codes to be sent to a user’s mobile phone.
Security researchers have long believed that UK crime gangs are behind these scams, as the fraudsters manage to trick banks by logging onto mobile banking systems from locations close to the victim’s home address.
In the past, this scam has been perpetrated by fraudsters calling the customer service call centres of mobile operators, as well as by hackers using fake mobile base station equipment bought from the black market.
While the scam has been in existence for at least three years – BBC Radio 4’s You and Yours programme demonstrated that they could attack bank accounts in 2016 – the number of cases of Sim swap fraud have rocketed by 60% since 2016.