SIM Swap – How banks can identify fraud risk and protect customers
With fraudsters continuing to exploit weaknesses, and despite advances in software technology, SIM swap fraud is still quite difficult to detect. So what effective ways can banks find to identify when a customer’s mobile number has been fraudulently swapped and ported onto a new device?
SIM swap fraud is not a new topic; however, the number of SIM swap fraud cases has risen by 60% since 2016 (BBC). In today’s smartphone-centric world, using mobile phones for Internet Banking is standard practice for most people, but SIM swap fraud, where scammers cancel and re-activate new SIM cards to hack into bank accounts, has been on the rise for a while and the industry has struggled to get to grips with it.
What exactly is SIM swap?
SIM swap is a type of phishing fraud that poses a serious threat to customer and bank security. The fraudster obtains an individual’s banking details through phishing techniques or by purchasing them from organised crime networks. They then use this information, together with personal details sourced via social media, to pose as the victim to the mobile network operator and fool them into cancelling the victim’s mobile number and reactivating it on a SIM in the fraudster’s possession. As a result, all calls and texts to the victim’s number are routed to the fraudster’s phone, including one-time passwords for banking transactions. After receiving a one-time PIN or password from a bank, the fraudster can then potentially access the customer’s bank account and transfer funds.
Why is it on the rise?
Despite advances in software technology, SIM swap fraud remains quite difficult to detect and human intervention is still required to prevent it. Controls and processes at network operators have also failed to a degree, leading to instances of human error in retail branches when SIM cards are issued. Banks are still trying to find effective ways of identifying when a customer’s mobile number has been fraudulently swapped and ported onto a new device. With fraudsters continuing to exploit this weakness, putting better authentication processes in place is vital. The Financial Ombudsman Service (FOS) has also looked to put more responsibility on banks to compensate customers, taking into account the evolution and sophistication of fraud.
What are the risks to customers?
Anyone who uses banking services or notifications with a one-time PIN (OTP) is potentially at risk. Customers make themselves particularly vulnerable by answering fraudulent calls or illegitimate emails which ask for personal details. It’s about being vigilant and taking responsibility for protecting your personal data. Given that fraudsters are using personal details sourced from social media, customers need to apply the necessary privacy settings on their profiles to stop criminals from snooping.
How should companies tackle SIM swap fraud?
Customer service and fraud operations teams in banks and Mobile Network Operators arguably need tighter processes and guidelines on how to detect potentially fraudulent activity. Banks should be implementing SIM swap checks on all services that generate an OTP to authorise transactions.
On inbound automated IVR systems, a positive SIM swap check should raise the threat level and notify the relevant teams, with more ID&V (identification and verification) controls applied, or a handover instigated to well-trained contact centre agents. Mobile Network Operators and banks can look at specific training to help agents and high street shop staff recognise when someone might be impersonating a customer and stop them in their tracks.
Banks need to make better use of the data they have available to them, including SIM card information, device type and location data, and consumer behaviour. Risk can be significantly reduced by tracking these patterns better. Of course, consumers have a responsibility to be vigilant and take their own precautions as well.
In addition to costing companies money, SIM swap fraud poses a significant risk to a company’s reputation and customer base. If the necessary prevention measures are put in place from the beginning, banks and phone providers could prevent real reputational damage and the loss of crucial resources, time, and money.
How can banks get access to customers’ mobile data without putting those customers at risk?
While the customer’s mobile data is owned by the mobile operators, it can still be made available to banks. Mobile operators need to work closely with banks, and the banks can work with customer engagement specialists like IMImobile to build better practices and implement better solutions to combat SIM swap fraud. In the past this has involved making historical customer data available for lookup by a bank’s fraud prevention solution, which can then analyse the data to assess the risk of fraud. However, real-time checks are now becoming available across all networks, which reduces the need for historical data.
How can banks spot the vulnerabilities?
Banks can use fraud prevention software to analyse customers’ historical mobile network data and help them to verify the authenticity of transactions and communications. These technology solutions automatically check for any data mismatches for certain actions, such as an account password request, to help the bank assess the risk of SIM swap fraud.
How can banks block the fraudsters and notify their customers of an attack?
If the bank identifies a data mismatch, the fraud prevention solution produces a risk score that determines the level of threat and what actions need to be taken. For example, if mismatches in SIM swap data indicate a low or moderate threat of SIM swap fraud, the bank can determine through workflows what action will be taken in that situation: whether the one-time password is delivered or denied, or whether further verification is required. If the mismatches indicate that a SIM swap fraud has occurred, the prevention technology alerts the bank immediately and access is denied to the fraudster. Trigger-based communications, as part of the bank’s communications platform workflow, are also sent to the fraudster and the victim, notifying them that the scam has been detected.
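The check-then-workflow described in this section and the data sources listed earlier (SIM change information, device type, location, behaviour) can be put together as follows. This is an added example, not code from the article or from IMImobile's product: the shape of the operator lookup response, the field names, the weights and the thresholds are all assumptions chosen for illustration, and a bank would tune them on its own fraud data.

```python
"""Added example: score a SIM swap check before an OTP is released.

Assumes the bank already has a real-time (or historical) SIM swap lookup
from the mobile operator. The lookup response shape, weights and
thresholds below are constructed assumptions, not any operator's API.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class OtpAction(Enum):
    DELIVER = "deliver"   # low risk: send the OTP as normal
    STEP_UP = "step_up"   # moderate risk: extra ID&V or agent handover
    DENY = "deny"         # high risk: withhold the OTP and raise an alert


@dataclass(frozen=True)
class SimCheckResult:
    """Constructed shape of a SIM swap lookup plus the bank's own signals."""
    last_sim_change: Optional[datetime]  # when the operator last moved the number to a new SIM
    device_changed: bool                 # device fingerprint differs from the enrolled one
    location_mismatch: bool              # network location inconsistent with recent history
    behaviour_anomaly: bool              # e.g. new payee plus an unusual amount for this customer


# Illustrative windows and weights (assumptions, not published figures).
RECENT_SWAP_WINDOW = timedelta(hours=24)
SHORT_SWAP_WINDOW = timedelta(days=7)
STEP_UP_THRESHOLD = 30
DENY_THRESHOLD = 60


def sim_swap_risk_score(result: SimCheckResult, now: datetime) -> int:
    """Combine SIM change recency with the other data mismatches into a 0-100 score."""
    score = 0
    if result.last_sim_change is not None:
        age = now - result.last_sim_change
        if age <= RECENT_SWAP_WINDOW:
            score += 60  # a SIM moved in the last day is the strongest single signal
        elif age <= SHORT_SWAP_WINDOW:
            score += 30
    if result.device_changed:
        score += 20
    if result.location_mismatch:
        score += 15
    if result.behaviour_anomaly:
        score += 15
    return min(score, 100)


def decide_otp_action(score: int) -> OtpAction:
    """Map the score onto the three workflow outcomes: deliver, step up, or deny."""
    if score >= DENY_THRESHOLD:
        return OtpAction.DENY
    if score >= STEP_UP_THRESHOLD:
        return OtpAction.STEP_UP
    return OtpAction.DELIVER


def assess_otp_request(result: SimCheckResult, now: datetime):
    """The check a bank would place in front of every OTP-generating service."""
    score = sim_swap_risk_score(result, now)
    return score, decide_otp_action(score)


def customer_alert_channels(action: OtpAction) -> list:
    """Channels for the trigger-based customer notification. SMS is deliberately
    excluded once a swap is suspected, because texts would reach the new SIM."""
    if action is OtpAction.DELIVER:
        return []
    return ["email", "app_push", "outbound_call_to_verified_landline"]


# Constructed sample data so the module runs offline.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
EXAMPLE_CASES = {
    "clean": SimCheckResult(NOW - timedelta(days=400), False, False, False),
    "moderate": SimCheckResult(NOW - timedelta(days=3), False, False, False),
    "swapped": SimCheckResult(NOW - timedelta(hours=3), True, True, False),
}

if __name__ == "__main__":
    for label, case in EXAMPLE_CASES.items():
        score, action = assess_otp_request(case, NOW)
        print(f"{label}: score={score} action={action.value} "
              f"notify_via={customer_alert_channels(action)}")
```

The point of separating the score from the action is that the same lookup can feed different workflows: an IVR can treat `STEP_UP` as a handover to an agent, while an online banking journey can treat it as an extra security question, and both treat `DENY` as withhold-and-alert. Note that the customer notification never goes over SMS once a swap is suspected, since that channel is exactly the one under attack.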
How can banks and mobile operators adapt their authentication processes?
Banks and mobile operators can do several things to improve their authentication processes and prevent more of these incidents from occurring. Given that criminals have on occasion been able to bypass these companies’ security measures, banks and phone providers should be, and in some cases are, investing in security technology. They should also be putting in place extra security questions that cannot be answered simply by knowing a few personal details sourced from social media.
In addition, contact centres and customer service teams have a responsibility to put adequate training and system alerts in place to help agents better identify potentially fraudulent activity. Fraud cases can also be reduced by driving awareness of this growing threat and creating guidelines to help customers protect themselves. The challenge, though, is that fraudsters will always innovate, so the prevention measures need to be in place from the outset. Ultimately, banks need to utilise the customer data generated by mobile networks and devices to identify risk before a customer loses their money.