Police efforts ‘gearing up’ against SIM hijackers

Europol has issued a warning over SIM-swap attacks, a growing mobile threat that results in a victim’s identity being stolen.

In a press release issued Friday (March 13), the European law enforcement agency said police across EU member states were “gearing up” against SIM hijackers, highlighting two recent operations against criminal gangs on the continent.

SIM-swapping is when an attacker takes over a victim’s mobile phone account. The attacker impersonates the victim in order to get their mobile provider to switch their number onto a SIM card owned by the attacker.

“The fraudster can then perform transactions, using credentials gathered by other techniques such as malware, and when the bank sends a one-time-password via SMS, the fraudster receives it and completes the authorisation of the transaction,” Europol said.


Read more of the latest mobile security news and breaches


Perpetrators of SIM-swap fraud can make illegal earnings in the millions, leaving dozens of victims in their wake.

A joint police investigation in January – a collaboration between Europol and Spanish law enforcement – saw the arrest of 12 suspects in Spain, believed to have operated a cybercrime ring that stole more than €3 million ($3 million) through SIM hijacking.

“The modus operandi was simple, yet effective,” Europol said.

“Once they had these credentials, the suspects would apply for a duplicate of the SIM cards of the victims, providing fake documents to the mobile service providers.”

A second investigation, spanning eight months and supported by Europol in partnership with the Romanian and Austrian security services, led to the February arrests of 14 SIM hijackers who were accused of multiple cases of identity fraud in Austria.

“Once having gained control over a victim’s phone number, this particular gang would then use stolen banking credentials to log onto a mobile banking application to generate a withdraw transaction which they then validated with a one-time password sent by the bank via SMS allowing them to withdraw money at cardless ATMs,” Europol said.

The cybercrime gang is estimated to have stolen more than €500,000 ($560,000).

How to prevent against SIM-swap attacks

Europol has provided some helpful tips in keeping your identity secure:

  1. Make sure your device software is updated

  2. Be mindful of clicking on links and downloading attachments from unknown sources or emails

  3. Apply two-factor authentication (2FA) to online accounts and services

  4. Try not to link your mobile number to online accounts

  5. Limit the amount of personal information you share online

  6. Use a PIN to restrict access to your SIM card

Fernando Ruiz, acting head of Europol’s European Cybercrime Centre (EC3), said: “Although seemingly innocuous, SIM swapping robs victims of more than just their phones: SIM hijackers can empty your bank account in a matter of hours.

“Law enforcement is gearing up against this threat, with coordinated actions happening across Europe.”

The Europol website offers more advice on how to protect against online scams.


RELATED How safe is your phone number? Study highlights mobile carriers' failure to prevent SIM-swap attacks