SIM swap fraud is on the rise in Spain, experts warn

When Mario Fernández’s cellphone signal failed, he came out with the familiar “Damn technology!” He switched it off, then back on again, but to no avail. When he got home, he called his operator from a different phone to explain the situation.

“They told me that I had asked for a duplicate of my SIM card in another city,” says Fernández, who asked EL PAÍS to use an assumed name. “And I told them that wasn’t the case.” Suddenly alarm bells went off in his head and he checked his bank account, only to find it was blocked. He got in touch with his bank, which confirmed his account had been frozen after unusual activity had been detected: several thousand euros were missing and a loan for another €50,000 had been applied for. Somebody had accessed his personal data and embarked on the process of taking everything they could.

When I saw my bank account, I had to go to the ER to get something to calm me down

Mario Fernández, fraud victim

“It could have been a case of SIM-swap fraud,” says Carlos Vico, a lieutenant at the Civil Guard’s department of cybercrime, who says that this type of offense is on the rise. “We don’t have a precise number of reports, but each year, there is a significant increase in cases.” Mario Fernández’s case is still under investigation.

Vico explains that first the criminal typically gets hold of the victim’s bank account details. A copy of the SIM is then needed to break the two-factor authentication used by many lenders, who send an SMS to the client’s phone with a code before authorizing a transaction. “The first cases surfaced in the US but it has been gaining ground here since 2015,” says Vico.

“The phone is almost always the second factor in the two-step verification process,” says Carles Garrigues, a professor of computer science at the Universitat Oberta de Catalunya. “And password theft can be done by what is known as ‘phishing’ – the king of scams.”

Explaining the phishing phenomenon in further detail, Vico says: “You think you are connecting to [Google’s email service] Gmail, but it is really a different page. The situation gets serious when the criminals manage to get the password to their victim’s email, which is often linked to a number of services.”

The phone is almost always the second factor in the two-step verification process

Carles Garrigues, Universitat Oberta de Catalunya

Garrigues explains that cybercriminals can also access their victim’s data through the use of fraudulent apps that surreptitiously extract information from smartphones. This can also be done through the use of false Wi-Fi signals.

Meanwhile, Vico recommends being careful about what we download onto our devices, looking carefully at the conditions and licenses. He also advises caution with open internet connections and our choice of passwords, though he does admit that there is no such thing as cast-iron security.

Fernández, 37, who lives in Almería, still does not fully understand how the scammers got hold of a duplicate SIM card for his phone. Going back over the incident, he says he had no inkling of anything unusual until he lost the phone signal. “When I saw my bank account, I had to go to the ER to get something to calm me down,” he says. “The financial issue is now resolved,” he adds. “But I still don’t understand how it could have happened.”

The copy of Fernández’s SIM was handed over to the scammers in a Vodafone store in Tarragona, 700 kilometers from his place of residence. Fernández has filed a complaint with consumer authorities against the company.

The criminals range from computer-science students to organized gangs

Vodafone claims that they follow a strict protocol when it comes to handing over copies of SIM cards, and that this can only be done by showing the four-digit user access code to the phone, or the user’s ID card, billing address and the last four numbers of the user’s bank account. “We won’t issue a duplicate without ID,” says a Vodafone spokesman, who adds that the company has no record of similar incidents.

Vico explains that the criminals, who range from computer-science students to organized gangs, use social-engineering techniques to access the victim’s personal details as well as cyber attacks or purchases made on the dark web. But when it comes to tricking the staff in the phone shops to issue a copy of the user’s SIM, it is often a case of simply persuading them that the original has been lost. This is why Vico believes that confirmation of ID should involve something foolproof such as fingerprints. He also recommends keeping passwords on a device that is not connected to internet.

Meanwhile, Fernández has just bought himself a new cellphone and has been busy changing all his passwords. He has also taken the precaution of eliminating all the personal data he stored in the cloud. “Names, telephone numbers, account numbers… I was surprised at how much information we keep there,” he says.

English version by Heather Galloway.