Sim Swapping: Full-Handed Swindle


Has anyone ever impersonated you to make online purchases? The answer is quite probably yes, and if it has not happened to you yet, you should bear in mind what we explain here.

Our personal data can be stolen if we have not been careful about where we provide them and about the use that is later made of them.

What is SIM Swapping?

It is an attack in which cybercriminals request a duplicate of your cell phone's SIM card in order to impersonate you in a multitude of operations, such as online banking, social networks or purchases in online stores.

They authenticate with your username and password, which they will have obtained from you beforehand, and they also receive the two-factor authentication codes sent by SMS each time a payment or banking transaction is made (see the real case PS/00001/2021).
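The bank-side mitigation for the problem just described (an SMS one-time password reaching whoever holds the duplicate SIM), as an added example that is not code from the original article or from any bank or operator it names: refuse to confirm a transaction by SMS when the subscriber's SIM was replaced within a policy window, and require another channel instead. The SIM-change lookup, the 72-hour window and the 1,000-euro threshold are assumptions; the subscriber numbers and change events are constructed sample data so the example runs offline.

```python
"""Bank-side guard for SMS one-time passwords after a recent SIM change.

Added example for this article; it is not code from the original page nor from
any bank or operator named in it. It assumes the bank can learn when a
subscriber's SIM was last replaced (real deployments query an operator
SIM-change lookup service); that lookup is simulated here with a constructed
in-memory table.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional, Union


class OtpDecision(Enum):
    SMS_OK = "sms_ok"      # SIM stable: an SMS OTP may be sent
    STEP_UP = "step_up"    # recent SIM change: verify through another channel
    BLOCK = "block"        # recent SIM change and high value: hold for review


@dataclass(frozen=True)
class SimChange:
    msisdn: str            # subscriber number (constructed, not real)
    changed_at: datetime   # when the duplicate SIM was activated
    channel: str           # how the duplicate was requested, e.g. "store", "phone"


# Constructed sample data: one line replaced days ago, one replaced this morning.
SIM_CHANGES = [
    SimChange("+34600000001", datetime(2021, 3, 1, 10, 0, tzinfo=timezone.utc), "store"),
    SimChange("+34600000002", datetime(2021, 3, 10, 9, 45, tzinfo=timezone.utc), "phone"),
]

QUARANTINE = timedelta(hours=72)   # assumed policy window after a SIM change
HIGH_VALUE_EUR = 1000.0            # assumed threshold for holding a transaction


def last_sim_change(msisdn: str, events=SIM_CHANGES) -> Optional[SimChange]:
    """Return the most recent SIM change recorded for the line, or None."""
    matches = [e for e in events if e.msisdn == msisdn]
    return max(matches, key=lambda e: e.changed_at) if matches else None


def otp_decision(msisdn: str, now: Union[datetime, str], amount_eur: float,
                 events=SIM_CHANGES) -> dict:
    """Decide whether an SMS OTP may be used to confirm a transaction.

    `now` may be a datetime or an ISO 8601 string. Returns a dict suitable for
    logging: the decision, the reason and the age of the last SIM change in
    hours (None when no change is on record).
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)

    # Fail closed: if the SIM-change lookup is unavailable, do not trust SMS.
    if events is None:
        return {"msisdn": msisdn, "decision": OtpDecision.STEP_UP,
                "reason": "sim change lookup unavailable", "sim_age_h": None}

    last = last_sim_change(msisdn, events)
    if last is None:
        return {"msisdn": msisdn, "decision": OtpDecision.SMS_OK,
                "reason": "no sim change on record", "sim_age_h": None}

    age = now - last.changed_at
    age_h = round(age.total_seconds() / 3600, 2)
    if age >= QUARANTINE:
        return {"msisdn": msisdn, "decision": OtpDecision.SMS_OK,
                "reason": "sim change outside quarantine window", "sim_age_h": age_h}

    # SIM replaced recently: an SMS OTP could reach whoever holds the duplicate.
    if amount_eur >= HIGH_VALUE_EUR:
        decision, reason = OtpDecision.BLOCK, "recent sim change and high-value transaction"
    else:
        decision, reason = OtpDecision.STEP_UP, "recent sim change"
    return {"msisdn": msisdn, "decision": decision, "reason": reason,
            "sim_age_h": age_h, "channel": last.channel}


if __name__ == "__main__":
    now = datetime(2021, 3, 10, 12, 0, tzinfo=timezone.utc)
    for number, amount in [("+34600000001", 50.0), ("+34600000002", 50.0),
                           ("+34600000002", 2500.0)]:
        print(otp_decision(number, now, amount))
```

The returned dict is meant to be written to the fraud log as-is: the `reason` and `sim_age_h` fields let an analyst see why SMS was refused, and the `channel` field records how the duplicate was requested, which is the detail the operator resolutions discussed later on this page turn on.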

How can I become a victim of SIM Swapping?

Cybercriminals are becoming increasingly sophisticated in how they carry out their scams, so their fraudulent techniques are modernizing with the times and with technological advances.

SIM Swapping can start on your own cell phone, when you receive text messages (SMS) that pose as banking entities but are false, and in which our data is requested.

Another way to become a victim of this scam is through customer service calls: we receive a call offering us some product and asking for personal data to register us in a promotion, for example; or the cybercriminal calls your telephone operator, pretends to be you, and changes the terms of the contract, your passwords or anything else.

Recommendations to avoid becoming a victim of SIM Swapping

The Office of Internet Security (OSI) has been very emphatic about the measures to be taken to avoid becoming a victim of this fraud, which is so widespread nowadays. Here are some of them:

  1. Loss of coverage on your cell phone without apparent cause: contact your operator and check whether there is any incident in the service.
  2. Strengthen the passwords for your applications and accounts: two-factor authentication is highly recommended, as it makes it harder for someone to impersonate you.
  3. Always have the recovery procedures for your accounts at hand, in case you suspect they may have been hacked.
  4. Configure the privacy section of your social networks appropriately, as you may be showing more information than you would like, and to people you do not even know.
  5. Always check the sender addresses of the e-mails you receive, as well as their attached files and links, since they may carry a virus; it is preferable not to open files or links until their authenticity has been verified.
  6. Do not provide personal information to anyone you do not know or whose identity you cannot verify.
  7. Set up strong passwords and update them whenever the software requires it.
  8. Avoid using public internet networks for banking or for sharing sensitive information.
  9. Download applications only from official stores (Google Play or Apple Store) and always be cautious about the access they request to your information; a restrictive configuration in the privacy section is important.

What to do if I am a victim of SIM Swapping?

As in any circumstance involving a criminal act, the first thing to do is to report it to the Police and the State Security Forces; it is also very important to gather all possible evidence of the fraud and to notify the entities involved in the identity theft suffered (banks, stores, operators, etc.).

AEPD Sanctions for SIM Swapping

One of the primary obligations of the data controller is to implement all the technical and organizational security measures appropriate to the processing being carried out, so as to ensure a level of security for the data subjects (customers, employees, suppliers, etc.).

In the case of the SIM Swapping scam, the telephone operators are the data controllers and are therefore responsible for the security measures protecting personal data.

The AEPD has issued several resolutions in this regard in which, in general, it finds that operators lack appropriate security measures to detect whether the person carrying out the procedure is the owner of the line, so the protection of personal data cannot be guaranteed, in violation of articles 5.1.f) and 5.2 of the RGPD, typified in article 83.5.a) of the RGPD and in article 72.1.a) of the LOPDGDD.

Some well-known cases are that of Vodafone (PS/00001/2021), where a fine of 3,940,000 euros was imposed after weighing the aggravating factors of the case, such as the very high number of people affected by this fraud while their data was in the hands of the data controller, Vodafone's delay in taking action against the fraud, and the category of data affected.

Another case was Telefónica (PS/00021/2021), with a penalty of 900,000 euros; another was Orange (PS/00022/2021), with a penalty of 770,000 euros; and Yoigo (PS/00027/2021) received a penalty of 200,000 euros.

Business Adapter® at your service

If you are a client and are concerned about these cases, contact your consultant for recommendations.

If you are not yet a client and want us to advise you and help you comply with the European and Spanish data protection regulations (RGPD + LOPD), which every company and professional is obliged to follow, contact us by email at info@businessadapter.es, call 96 131 88 04, or leave your message in this form:

Contact us, we will be pleased to help you: https://businessadapter.es/contacto