Criminals are hijacking people’s mobile phones to divert calls and texts from their bank to a different handset.
The scam, known as ‘SIM-splitting’, allows fraudsters to use information gathered from the text messages and calls to help them steal large sums from bank accounts.
You may not even realise you’ve been robbed until you discover your bank account is empty.
In the US, financial regulators have issued a warning that text messages shouldn’t be used by banks as part of their security process as they simply aren’t secure enough. But in the UK, several banks, including Santander, Halifax, Lloyds, TSB and Tesco Bank, still use them.
How it starts
SIM-splitting starts with criminals gathering as much information about you as possible.
This might be by intercepting your post, hacking your emails or buying data about you that is being sold on the black market.
They then combine this illegally obtained information with things they can easily find out via your social media accounts such as your first school, pet’s name and the names of your relatives.
This means they have information that is likely to be the answers to your security questions, and could help them guess your passwords.
The next step may be to call you posing as a worker at your bank, or utility company, in order to get even more personal information from you.
How they hijack your mobile
Once they have gathered all this information they call your mobile phone company and pretend to be you.
They are easily able to pass the security process using what they’ve learnt about you. They may change your passwords and address before informing the company that your mobile phone has been lost or stolen.
At this point they use one of two options. They either ask for all your phone calls and texts to be diverted to another number that they have, or they ask for a replacement SIM to be sent out, which they then put into a handset in their possession so that they can receive all the texts and phone calls that are meant for you.
How money is stolen
While they are hijacking your mobile phone account, they will also be setting up a fraudulent bank account in your name. This usually means they open a business account with your current account provider.
“Opening a business account is subject to less stringent security checks once an individual has a current account with a bank and helps make any transfers of money in the future less suspicious,” says Action Fraud, the Met Police’s specialist fraud unit.
Once they have control of your mobile account and the business account is set up they start transferring money out of your other bank accounts into the business account.
Then from there they can transfer the money wherever they like, and if text messages are sent to confirm the transfers, or the bank decides to call you, they’ll get through to the criminal who poses as you.
After the fraudsters have stolen all your money, they simply destroy the SIM card so it can’t be traced and disappear.
How to protect yourself
If your bank sends you text messages to verify banking transactions you need to be on your guard against this latest scam.
Watch out for loss of signal on your handset and get in touch with your network if it goes on too long.
Keep your anti-virus software up to date and your firewall switched on. That stops fraudsters being able to remotely access your computer or install a virus that gives them access.
Be careful what you download onto your computer. You could accidentally install trojan horse software that allows a hacker to access your computer and steal sensitive information.
If you do discover a virus on your computer, “disconnect from the internet immediately and ask a specialist for advice,” says Action Fraud.
Use complicated passwords that use upper and lower case, numbers and symbols. Also, avoid passwords that contain personal information.
Set up a variety of passwords across your accounts, so if one is breached the criminals won’t get access to your other accounts.
Be careful what you post on social media. Try to avoid putting up information that you are also likely to use as answers to your security questions. This could be your first pet’s name, date of birth, or first school. If fraudsters get hold of this info, they can use it to reset your passwords.