Cybercrime , Endpoint Security , Fraud Management & Cybercrime

Spanish Police Arrest 8 Over SIM Swapping Fraud

Suspects Used Phishing to Lure Victims, Spanish National Police Says
Spanish Police Arrest 8 Over SIM Swapping Fraud
Phishing leads to SIM swapping. (Source: Tim Reckmann, Hamm, Deutschland, via Wikipedia)

Spain's National Police Department, the Policía Nacional, says it has arrested eight members of an unnamed cybercriminal gang over SIM swapping fraud.

See Also: Webinar | 2023 OT Cybersecurity Year in Review: Lessons Learned from the Frontlines

The suspects posed as trustworthy representatives of banks and other organizations and used traditional phishing and smishing techniques to obtain personal information and bank details of victims before siphoning off money from their bank accounts, the police say.

One of the detainees is from Seville and the rest are from Barcelona, the police say, adding that they have been operating from these cities since March, targeting bank customers across the country. The timeline of their activities is based on two complaints of fraud the police received.

Modus Operandi

The suspects used "traditional" phishing methods, the Spanish police say. They contacted potential victims via email, SMS and instant messages, pretended to be trustworthy executives from banks or other unspecified organizations to obtain confidential personally identifiable information, such as bank passwords, credit card numbers and copies of victims’ Spanish national identity card, Documento nacional de identidad or DNI.

With this information, the suspects created fake DNI cards, used disguises to match the physical appearance of the legitimate DNI card owner and deceived telephone store employees to obtain duplicate SIM cards of the victims' phone numbers. Activating the duplicate SIM card would deactivate the original SIM - and the alleged threat actors used this to redirect security confirmation messages required to complete banking transactions to the duplicate SIM, the police say.

The detainees then laundered money using several bank transfers and digital instant payment platforms, the police say. "They used online banks from various European countries, and even on behalf of victims, to make it difficult to trace and locate the money," the police say.

The Spanish National Police Department has blocked 12 bank accounts used by the suspects to launder money, the statement says.

Spike in SIM Swapping Fraud

In the U.S., the Federal Bureau of Investigation on Feb. 8 issued an alert on the spike in SIM swapping attacks targeted at stealing both fiat and virtual money, including cryptocurrency.

Between January 2018 and December 2020, the FBI's Internet Crime Complaint Center, or IC3, received 320 complaints related to SIM swapping incidents, the report says. The adjusted losses accounted for about $12 million in that period.

The IC3 says the 1,611 SIM swapping complaints that it received in 2021 is nearly five times the number of SIM complaints received in 2019 and 2020, with the adjusted losses accounting for more than $68 million.

The FBI recommendations for mobile carriers include:

  • Educate company employees by conducting training sessions on SIM swapping.
  • Monitor incoming email addresses containing official correspondence to spot slight changes that help identify fraudulent addresses from legitimate ones.
  • Set up stringent security policies and protocols that enable employees to verify customer credentials before accepting their SIM change or number change request to a new device.
  • Verify and authenticate calls received from third-party authorized retailers requesting customer information.

Required Change in MFA Practices

SIM swapping attacks aren't new. Roger Grimes, a data-driven defense evangelist at cybersecurity firm KnowBe4, says these types of incidents have been around for over a decade and have "clearly resulted in billions being stolen in cryptocurrency and other financial crimes."

The U.S. government has been recommending against using SMS and phone number-based multifactor authentication since 2017, Grimes says, citing NIST Special Publication 800-63, the Digital Identity Guidelines.

But service providers and vendors continue to use these MFA methods even five years later, he tells Information Security Media Group.

U.S. "President [Joe] Biden's 2021 Zero Trust executive order also told defenders not to use it, along with other easily phishable MFA, like one-time codes and push-based MFA," he says. "Unfortunately, that describes 90% of MFA used by people today. SMS-based MFA has to be the most popular MFA option used on the internet and most of the time, people do not have a choice of whether to use it or not. Their bank, vendor or service says they have to use it."

About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.