Subscriber Identity Module (SIM) swapping also referred to as, SIM jacking/SIM hijacking is a type of fraud in which criminals obtain a replacement SIM for a mobile number that does not belong to them, giving them access to the legitimate user’s information and accounts. Given that a SIM card holds sensitive information, when accessed by the wrong person, the result can be detrimental.

How is SIM swapping done?

SIM swapping is majorly carried out in three main phases; social engineering, SIM swap and fraud. First, the criminal manipulates a person into handing over sensitive information, such as passwords, PIN numbers and other personal data by masquerading as real agents of telecom companies or bank employees.

Once they have enough personal information, the attackers can call your mobile provider by pretending to be you and request a new SIM card in your name.

In cases where your phone is used for two-factor authentication and one-time password for your accounts, fraudsters can carry out identity theft, blackmail the victim,  damage the victim’s reputation or compromise the victim’s online or digital banking accounts such as M-Pesa, Equitel, KCB M-Pesa among others.

How do you protect your PINs, passwords, accounts, and personally identifiable information from fraudsters?

  • Never reply to calls, emails, or text messages that ask for your personal information. These are mostly attempts by fraudsters looking to get your personal information to access your mobile phone, bank account, social media, or other accounts. If in any case you get such a request, contact your mobile provider using their official phone number, email or website.
  • Limit personal information shared online and where you need to, enable proper privacy settings to limit access to those who view our information. Avoid disclosing personal details such as your date of birth, your first car, mother’s maiden name or phone number on public websites. This makes it easier for an attacker to find information that can be used to answer the security questions required to authenticate your identity, and log in to your personal accounts.
  • Never use the same passwords, PINs or usernames for multiple accounts to avoid easy tracking by fraudsters. Instead, create a strong, unique password for your sensitive personal/financial accounts.
  • Use authentication apps such as Google Authenticator to receive your two-factor authentication rather than using SMS which is not a secure channel. The authenticator app is tied to your physical device rather than your phone number making it hard for an attacker to intercept your security tokens/One Time Passwords (OTP).
  • Two-factor authentication can boost the security of your accounts. But it needs to be implemented using a secure channel such as an authenticator app. If you enable 2FA and configure it to use an authenticator app rather than receiving security tokens via SMS, it makes it hard for the attacker to intercept them.

How to report Fraud cases

Safaricom users can report an M-pesa fraud case to Safaricom through SMS using the number 333.

Procedure;

  • Go to draft a new SMS on your phone
  • Write a message including the telephone number( i.e. 0782810111 as shown in the image below) which initiated the fraudulent request and ask Safaricom to investigate it
  • Send that message to the number 333

Example of an M-pesa fraud message

Remember to be alert and;

  • Always verify that M-Pesa messages are from M-Pesa rather than from a personal number. Safaricom never uses a personal number to notify you of an MPesa transaction.
  • Always check your M-Pesa balance before sending it to someone claiming to have sent you Money on M-Pesa.
  • Do not dial codes or perform any command on your phone that you did not request for assistance from Safaricom Customer Care. Fraudsters use this technique to gather your personal information.