Fraud Q&A Series: Tackling SIM Swap Fraud with Prove

The latest guest in our fraud Q&A series exploring fraud trends in the financial services space is Mary Ann Miller, the Fraud & Cybercrime Executive Advisor and VP of Client Experience at Prove. Mary Ann is a well-respected expert in the fraud and identity space who has been quoted by BBC News, NPR, American Banker, USA Today, and others.

What fraud trend should we be paying more attention to and why?

SIM swapping continues to be a rapidly growing fraud vector, with the FBI reporting $68 million stolen via SIM swap fraud in 2021 alone and more than 1,611 consumer complaints. As two-factor authentication continues to be used for step-up authentication, bad actors exploit one-time passcodes to complete account takeover attacks. Furthermore, insider risk at telecommunications companies where employees working with bad actors has increased with large payouts to employees for a one-time SIM swap (some up to $3000 as noticed on Telegram chat channels).

How does SIM swapping work?

SIM swap fraud occurs when a bad actor social engineers the victim’s mobile carrier to port their phone number to the fraudster’s SIM number. Most of the time this is due to the customer service agent believing that they are speaking to a mobile customer. Once the fraudster has completed the SIM swap, they can log into a consumer’s bank account and intercept and respond to the SMS one-time password prompt. Once the bad actor has successfully conducted an account takeover, they can move money, link external accounts, order debit cards, apply for extended accounts, deposit a worthless check, and more.

How has this type of fraud evolved? What larger trends/factors make SIM swapping possible?

This fraud has evolved because of the ease of obtaining login credentials due to data breaches. Many organizations added two-factor authentication via SMS as a protection for this risk, but as we know, bad actors always look for ways around authentication due to the large paydays they can see with account takeover attacks. Another alarming trend further compounding the problem is insiders at the telecommunications companies being paid by bad actors to conduct SIM swaps. Social media posts on platforms like Telegram are used to recruit employees with large rewards promised for each SIM swap event.

How can SIM swapping be detected?

Industry best practice is to use a SIM swap detection technology like Prove in any process where a step-up authentication via SMS is required. This could be at the time of account opening, log in with a new device, password reset, adding a new payee in the banking app or payment initiation. If a suspected SIM swap is detected, the bank can decide not to complete the transaction until the customer is contacted and verified that they are not under a SIM swap attack.

What is the best safeguard against this type of fraud?

The best preventative measure organizations can take is to use real-time SIM swap detection such as a Trust Score or a trust indicator that can detect whether a SIM swap has taken place in real-time. A Trust Score analyzes behavior and phone intelligence signals to provide a measure of fraud risk and identity confidence of a potential transaction. Companies that leverage a Trust Score have insight into whether a recent SIM swap has occurred on the account and can then take prompt action off the back of the event, such as placing additional controls on the customer's account.

How can financial institutions battle fraud without sacrificing the client experience?

This is my favorite topic-- incorporating security and fraud controls as part of an overall product design is essential; that routine in engineering sprints today is not taken as seriously as it should. Too often, product capability is reduced or even turned off until fraud is addressed. On the other hand, if an organization’s fraud strategy is used as a business enabler and a customer experience enhancer, I have seen wonderful results. For example, real-time payments with higher upper limits provide a service to the customer in time of emergency or convenience to transfer funds to family or friends immediately.