SIM Swap is one of the leading causes of identity theft in Nigeria. It has largely contributed to people losing control or ownership of their phone numbers.
To a large extent, identity theft accounts for 63% of all digital financial crime in Africa, costing an estimated $4 billion annually. However, Africa’s weak cybersecurity system makes it easier for fraudsters to take over people’s phone numbers, access their financial accounts, and steal their identities.
In fact, SIM swapping accounts for nearly 43% of all mobile money fraud in Africa, making financial loss the most concerning aspect of technology advancement in the digital and smartphone world.
Nearly 100% of the time, the end goal of a fraudster is to wire money from someone’s account. For a brief walk-through, a fraudster easily obtains someone’s personal information, then walks into a mobile network operator’s store with a fake ID or even pays an employee to help. They claim you lost your SIM card and need a replacement.
The phone number is then transferred to a new SIM card, resulting in identity transfer. The fraudster gains the person’s financial identity, gets password reset links, and two-factor authentication codes.
Also Read: Your new SIM could be someone else’s old number: Inside Nigeria’s risky SIM recycling system.
SIM Swap: A practical guide on fraudsters’ move
Providing a step-by-step practical move of a fraudster, Jude Ozinegbe, a Cybersecurity Expert and Founder of Cyberchain, noted that funnels used by Fraudsters in their activities are through fake social empowerment, suspicious links or misleading messages.
First Step: Fraudsters try to make people click on suspicious links. And the moment a telecom subscriber clicks on it, the window is open for fraudsters to access vital information.
“Once they have control of the device, it’s difficult to gain access to that device immediately because the moment they can swap the number from your SIM card to another SIM card that they have access to and control over, they launch their attack,” he said.
Second Step: The moment they are able to gain access to the SIM card, the next step is to gain access to the financial accounts. This is where OTP (one-time password/passcode) comes in. With the ability to get access to a mobile number, fraudsters pretend to be the owner of that account and make a move to get an OTP.
Being that the financial institution is only seeing an account and not a person, it sends the one-time password or passcode to that number. At this point, fraudsters gain full control.
Third Step: The moment they possess the OTP, they log into the account and make transactions with someone else’s account. Another is the microloans. When they get access, they use the phone number and apply for a flash loan. And within five minutes, the fraudster can take a loan of N20,000 or N80,000 or more.
After a while, the SIM owner starts to get calls from loan operators for a loan they never applied for. But when the number is checked, it’s indeed their phone number.
In other cases, there have been claims that bank staff are in collaboration with fraudsters and are aware of the defrauding processes. However, there is not enough evidence to support most of these claims.
“We need the financial institutions or the banks to put out these reports. But it is not something we can ignore, because in some cases there have been reports to us that the moment people receive money, some amount that is huge in their accounts, they get some calls,” he added.
Recovering after a breach
While the damage might have been done, there is still room to secure one’s account and gain control from fraudsters.
Although Jude noted that it’s usually not so easy to recover it immediately, the first step after noticing a glitch is to lodge complaints to mobile operators through another phone number. The recovery might take days, as the case might be, or require a physical presence for recapturing.
The same applies to financial institutions.
“The moment you realise that your number has been compromised, you should contact your financial institutions immediately. The first thing to do is to change passwords, because it is the financial accounts that are the ultimate target, not just the phone number,” Jude explains.
Using two-factor authentication is a stronger security mode aside from changing passwords. This makes it difficult for fraudsters to access such an account.
And because these guys have limited time to operate, the moment they see that an account is difficult to get into, they abandon it and go for the next.
Also Read: The digital heist: Inside Africa’s $4B SIM swap and identity theft fraud crisis.
Protective measures
Africa’s cybersecurity has proven to be generally weak, as revealed through multiple cases of data breaches and thefts.
Jude Ozinegbe explained that operators need to move beyond just passwords or passkeys. He proposed biometric verification, such as an eye scan and a fingerprint, for transaction approval.
Another loophole why SIM Swap works is that the holder of the SIM information automatically assumes the owner of the SIM (at the virtual end). Which shouldn’t be.
On innovations to bridge this, Jude explained that mobile operators can deploy a combination of AI and Web 3 to integrate smart identification into a SIM card while enforcing geospatial fencing.
“AI can analyse behavioural patterns and determine suspicious activities,” he added.
The bulk of protection against SIM Swap or Identity Theft still lies with the owner. This starts by safeguarding passwords and passkeys, being careful of clicking links, especially once that has an iota of Ponzi. Also, filling in information such as BVN and NIN on websites puts people at risk of losing their data.
Technext Newsletter
Get the best of Africa’s daily tech to your inbox – first thing every morning.
Join the community now!
