SIM-swap: How fraudsters do it, causing you loss of hundreds of thousands of shillings

Communications Authority of Kenya urges citizens to reject strangers’ requests for PIN and password details. [Courtesy]

Sim-swap, a modern form of fraud, has resulted in several Kenyans losing money to the tune of hundreds of thousands of shillings per victim.

The Sim-swap scam is not only a concern to Kenya, but other countries across the continent and globe.

In 2019, South Africa reported that in a span of one year, SIM-swap incidents had doubled.

Fabio Assolini, a senior security researcher of Kaspersky Lab, said in a report in 2019 that the scams have become common in the United Arab Emirates, Turkey and Africa, especially South Africa.

Assolini said that the total amount of money lost in the frauds varies by country, though there are extreme cases.

For instance, a victim from the United Arab Emirates in 2019 lost $1 million (Sh102 million), while another from South Africa lost $20,000 (Sh2 million) to SIM-swap fraudsters.

A Kenyan national, Stanley Wanjiku, in July 2018 revealed that he had lost $18,000 (Sh1.8 million) to the fraudsters, the BBC reported.

“On average, fraudsters can steal $2,500 (Sh255,000) to $3,000 (Sh305,000) per victim, while the cost to perform the SIM-swap starts with $10 (Sh1,000) to $40 (Sh4,000),” said Assolini.

SIM-swap fraud happens when someone convinces your mobile operator to switch your phone number over to a SIM card that a criminal possesses.

In some cases, there are telecommunications companies’ employees working together with criminals.

Kenya’s leading telco, Safaricom, says SIM-swap occurs when “fraudsters replace and take over the customer line”.

“Fraudsters go to the extent of registering an existing number on a new SIM card in order to intercept notifications, one-time passwords, online banking profile and transactions as well as changing the account security settings,” says Safaricom on its website.

Hannington Oduor, a security system analyst at Kenya Power, disclosed to The Standard the tricks used by fraudsters to successfully conduct SIM swaps.

“SIM-swap basically is a form of identity theft. In other circles, it’s called impersonation. The fraudster would call you, and play mind games on you. For instance, after you’ve received the call, he or she will refer to you by your full name, saying they’re calling you from your network service provider,” said Oduor.

“They’ll thereafter read out your full ID number, and go ahead to ask you to confirm if the digits are correct. They do this to win your confidence. That’s what they want at Stage One, before continuing with the fraud.

“Stage Two of their deceit, is issuing out instructions. They’d be calm and patient, and you wouldn’t know that the commands that they’re making lead to them either getting more information about your mobile money, or allows them to activate the SIM-swap prompts,” added the cyber security expert.

“Most victims that I have interacted with said they remember being asked to dial the USSD code 33*0000*, while others said they were instructed to dial #253257# or ##72786#. These codes basically send a command that you’ve lost your SIM card, and are, therefore, initiating a swap process.

“Once you initiate the swap process, the network on your gadget disappears. While offline, and maybe attempting to visit your network provider’s shop, the fraudster, armed with your details, would have already called your service provider, claiming that he or she has lost his SIM, and wants to renew it. He or she will, thereafter, provide your details to the mobile service agent, who, unbeknown to him or her – or out of naivety – will help in activating the line.

“The fraudsters, thereafter, access your mobile money, mobile banking, credit facilities, among others, to wipe out funds from the accounts,” said Oduor.

A resident of South C in Nairobi narrated to The Standard her recent ordeal, in which she lost Sh63,400 to the SIM-swap fraudsters.

On Monday, January 10, Rahma Mahmud, a boutique owner in South C, noticed that her mobile network was unstable and calls kept dropping.

She thought it was a general network problem, only to receive a message a few minutes later stating that her SIM-swap application was successful. She couldn’t access the logs, text, mobile money toolkit or internet. In short, the SIM card she had was useless.

Upon checking her mobile money balance after reporting the incident to customer care agents, the 38-year-old discovered that the Sh63,400 in her mobile wallet was missing. How that happened, she doesn’t know to date.

Another victim of SIM-swap fraud is a senior police officer in Nairobi who lost Sh600,000 to the scammers.

The matter is in court, and the suspect behind the theft of his funds was arrested in Bomet.

The court was told that the suspect pretended to be a mobile money agent, who wanted to sort out an issue with the victim’s phone. It was then that he allegedly swapped the SIM card and withdrew Sh600,000 from the senior cop’s bank account.

In December last year, Safaricom said it had fired 28 employees in the year ended March 2021 for fraud-related offences. The year before, the telco announced the sacking of 16 people for the same crimes.

Safaricom said it had conducted 36 investigations into alleged fraud, dismissed the 28 and warned 19 employees.

The majority of the cases, 22, were related to data privacy, with eight involving breach of policy and four SIM-swap cases. Two cases involved asset misappropriation.

For M-Pesa fraud, Safaricom says fraudsters trick M-Pesa customers to follow instructions for “Send Money” via USSD (*334#) to a fraudster number.

“Do not follow instructions to send money from unknown people who could be fraudsters. Instead hang up and, or ignore caller,” the firm warns.

On ATM fraud, Safaricom says “this is where a customer is tricked by a fraudster into disclosing the code used to withdrawn funds from a customer’s M-Pesa wallet account via ATM. It is important to follow the ATM withdrawal instructions and never disclose the code used to complete the transaction with anyone.”

Data protection has become a key area of focus since the Kenyan Government set up rules to restrict the State and companies handling of information to prevent misuse, imposing a fine of up to Sh5 million or one per cent of annual turnover for corporations.

A review by business advisory firm Ernst & Young shows that 41 per cent of firms transfer their clients’ personal data to third party service providers.

The Communications Authority of Kenya (CA) urges Kenyans not to: give out personal information, PIN Number, financial information or passwords to strangers. CA also warns Kenyans to be suspicious of unsolicited messages.

By Willis Oketch 43 mins ago
KRA, KPA to auction overstayed imported goods at Mombasa port
Worker position in the Kenya-US trade agreement needs a rethink
Lukewarm start to coffee reforms drive puts farmers on edge
KPA denies ports privatisation claims as CFSs lay their demands