Spanish police claim to have dismantled a prolific SIM swapping gang that used the technique to access and empty victims’ bank accounts across the country.
In a notice yesterday, the Policía Nacional revealed that eight cybercrime gang members based in Catalonia and Seville had been arrested and 12 bank accounts blocked.
The investigation began back in March 2021 when police received complaints from two members of the public that they had spotted suspicious activity on their accounts.
According to the police, the gang members would pose as bank employees, using phishing emails and messages to trick their victims into sharing personal and financial details with them. These included banking passwords, credit card numbers and even national ID numbers.
This was enough to convince mobile operator employees that they were legitimate customers. As per tried-and-tested SIM swapping techniques, they then requested the victim’s number be ported to a new SIM under their control.
They would log in to the victim’s bank account, receiving a two-factor authentication SMS enabling them to gain access and drain it of funds.
SIM swapping is a growing problem around the world. This week, the FBI issued an alert warning that over five times more cases were reported in 2021 versus the previous three years combined.
While criminals are alleged to have used MFA codes to unlock victims’ bank accounts in this Spanish case, they’re also often used to access and drain cryptocurrency accounts.
The FBI recommends individuals use standalone MFA applications or biometric-based authentication and urges carriers to bolster authentication checks with better staff training and improved phishing detection
Last year in the US, there were over 1600 cases reported to the FBI, linked to adjusted losses of $68m.