Police across Europe have been ramping up operations against two new SIM swapping operations, resulting in the arrest of 26 individuals accused of stealing more than $3 million from unsuspecting victims.
In January, investigators from the Spanish National Police, together with the Civil Guard and Europol, began targeting suspects believed to be part of a hacking ring that stole over €3 million in a series of SIM swapping attacks.
The gang, with members from Italy, Romania, Colombia and Spain, aged 22-52 years of age, allegedly made numerous strikes, stealing up to €137,000 from victims’ bank accounts. The smallest amount stolen, as per the Europol press release, was €6,000.
In a typical SIM hijacking scheme, criminals used social engineering and malware to obtain online banking credentials from victims at different banks.
“Once they had these credentials, the suspects would apply for a duplicate of the SIM cards of the victims, providing fake documents to the mobile service providers,” Europol explains. “With these duplicates in their possession, they would receive directly to their phones the second factor authentication codes the banks would send to confirm transfers.”
With everything they needed to make fraudulent payments, the criminals proceeded to empty the victims’ accounts. They then used ‘money mules’ to hide the trail of the stolen money. Every strike took between one and two hours, “which is the time it would take for the victim to realise that his/her phone number was no longer working,” investigators said.
A second operation came to fruition after an eight-month investigation by the Romanian National Police and the Austrian Criminal intelligence Service with the support of Europol. Authorities arrested 14 members of a gang accused of emptying bank accounts in Austria through a similar method – by gaining control of their victims’ phone numbers. This time, however, the suspects used the hijacked SIM cards to withdraw cash at cardless ATMs. Europol explains:
“Once having gained control over a victim’s phone number, this particular gang would then use stolen banking credentials to log onto a mobile banking application to generate a withdraw transaction which they then validated with a one-time password sent by the bank via SMS allowing them to withdraw money at cardless ATMs.”
The gang allegedly stole an estimated half a million euros this way.
Europol offers tips on how to keep fraudsters from hijacking your SIM card, including keeping SMS out of your two-factor authentication across different online services. Europol also recommends to avoid associating your phone number with sensitive online accounts, where possible.