SIM-swap: how fraudsters do it, causing you to lose hundreds of thousands of shillings

The Communications Authority of Kenya is urging citizens to reject requests from strangers for PIN and password details.

SIM-swap, a modern form of fraud, has cost many Kenyans hundreds of thousands of shillings per victim.

The SIM-swap scam is a concern not just for Kenya but also for other countries across the continent and the world.

In 2019, South Africa reported that within a year, SIM card swapping incidents had doubled.

Fabio Assolini, senior security researcher at Kaspersky Lab, said in a 2019 report that scams have become common in the United Arab Emirates, Turkey and Africa, particularly South Africa.

Assolini said the total amount of money lost in fraud varies by country, although there are extreme cases.

For example, a victim from the United Arab Emirates lost $1 million (102 million shillings) in 2019, while another from South Africa lost $20,000 (2 million shillings) to fraudsters through a SIM card swap.

A Kenyan national, Stanley Wanjiku, revealed in July 2018 that he had lost $18,000 (1.8 million shillings) to fraudsters, the BBC reported.

“On average, fraudsters can steal between $2,500 (Sh255,000) and $3,000 (Sh305,000) per victim, while the cost to perform the SIM card swap starts with $10 (Sh1,000) to $40 (Sh4,000),” Assolini said.

SIM card swapping fraud occurs when someone convinces your mobile carrier to transfer your phone number to a SIM card held by a criminal.

In some cases, employees of telecommunications companies collaborate with criminals.

Kenya’s main telecommunications operator, Safaricom, claims that SIM swapping occurs when “fraudsters replace and take control of the customer line”.

“Fraudsters go so far as to save an existing number to a new SIM card in order to intercept notifications, one-time passwords, online banking profile and transactions, as well as change account security settings,” Safaricom explains on its website.

Hannington Oduor, a security systems analyst at Kenya Power, told The Standard about the tricks fraudsters use to swap SIM cards successfully.

“SIM-swap is basically a form of identity theft. In other circles, it’s called identity theft. The fraudster would call you and play mind games on you. For example, after receiving the call, he or she will refer to you by your full name, saying that he is calling you from your network service provider,” Oduor said.

“They will then read your full ID number and ask you to confirm if the numbers are correct. They do this to gain your trust. This is what they want in the first step, before continuing the fraud.

“The second stage of their deception is giving instructions. They would be calm and patient, and you wouldn’t know that the commands they’re doing lead them to get more information about your mobile money or enable them to activate SIM card swap prompts,” the cybersecurity expert added.

“Most of the victims I interacted with said they remember being asked to dial the USSD code 33*0000*, while others said they were asked to dial #253257# or ##72786#. These codes basically send a command that you have lost your SIM card and therefore initiate a redemption process.

“Once you initiate the redemption process, your gadget’s network disappears. While offline and perhaps trying to visit your network provider’s store, the scammer, armed with your details, would have already called your service provider, claiming that he or she has lost their SIM card and wishes to renew it. They will then pass your details to the mobile service agent who, without their knowledge – or naivety – will participate in line activation.

“Fraudsters then access your mobile money, mobile banking, credit facilities, among others, to erase funds from accounts,” Oduor said.

A resident of South C in Nairobi told The Standard about her recent ordeal, in which she lost 63,400 shillings to SIM card swapping fraudsters.

On Monday, January 10, South C shop owner Rahma Mahmud noticed that her mobile network was unstable and calls kept dropping.

She thought it was a general network issue, only to receive a message a few minutes later saying that her SIM swap application had been successful. She could not access logs, text messages, the mobile money toolkit or the internet. In short, the SIM card she had was useless.

When she checked her mobile money balance after reporting the incident to customer service agents, the 38-year-old discovered that the 63,400 shillings in her mobile wallet were missing. How it happened, she does not know to this day.

Another victim of SIM card swapping fraud is a senior Nairobi police officer who lost 600,000 shillings to scammers.

The case is in court and the suspect behind the theft of his funds has been arrested in Bomet.

The court was told that the suspect claimed to be a mobile money agent, who wanted to fix a problem with the victim’s phone. It was then that he allegedly swapped the SIM card and withdrew 600,000 shillings from the senior policeman’s bank account.

In December last year, Safaricom said it had laid off 28 employees in the year ending March 2021 for fraud-related offences. The previous year, the telecommunications company had announced the dismissal of 16 people for the same crimes.

Safaricom said it conducted 36 investigations into allegations of fraud, fired all 28 and warned 19 employees.

The majority of the cases, 22, were related to data privacy, with eight involving a breach of policy and four SIM card swapping cases. Two cases concerned misappropriation of assets.

For M-Pesa fraud, Safaricom claims that fraudsters trick M-Pesa customers into following instructions to “Send Money” via USSD (*334#) to a fraudster’s number.

“Do not follow instructions for sending money to strangers who may be fraudsters. Instead, hang up and/or ignore the caller,” the firm warns.

Regarding ATM fraud, Safaricom states: “This is where a customer is tricked by a fraudster into disclosing the code used to withdraw funds from a customer’s M-Pesa wallet account through an ATM. It is important to follow ATM withdrawal instructions and never disclose the code used to complete the transaction to anyone.”

Data protection has become a key area of focus since the Kenyan government put in place rules to restrict state and business processing of information to prevent abuse, imposing a fine of up to 5 million shillings or 1% of the company’s annual turnover.

A study by business consultancy Ernst & Young shows that 41% of companies transfer their customers’ personal data to third-party service providers.

The Communications Authority of Kenya (CA) urges Kenyans not to give personal information, PINs, financial information or passwords to strangers. CA also warns Kenyans to beware of unsolicited messages.