Police in Europe have arrested 26 people in an effort against two gangs of scammers who would take over victims’ phones, then steal financial and personal data from the devices.
Law enforcement in Spain and Romania, in coordination with Europol, arrested 12 and 14 people, respectively, in actions against two distinct groups of SIM swappers, Europol announced Friday.
SIM swapping occurs when thieves convince phone companies to give them access to an individual’s phone number, often by impersonating the victim during a call with a customer service representative. This grants attackers access to incoming phone calls, text messages and credentials like one-time codes that various sites send via text as part of the two-factor authentication process.
The group in Spain stole more than €3 million ($3.34 million) in a series of 100 attacks, Europol said.
In each instance, the group walked off with between €6,000 ($6,700) and €137,000 ($153,000) from hacked bank accounts. By initially using malicious software to steal victims’ banking credentials, they then would use fraudulent documents to apply for duplicate SIM cards in victims’ names, accessing the phone number. Then, upon logging into a victims’ bank account online, the scammers also would have possession of the one-time code sent to the phone.
Typically, scammers would go through the entire process within an hour or two, all before a victim was able to defend themselves.
Meanwhile, police in Romania and Austria apprehended 14 people who used similar techniques to take over phones belonging to dozens of victims in Austria in the spring of 2019. Attackers would again use the one-time passwords sent to an individuals’ phone, steer their money into a separate account and send a money mule to physically withdraw the cash, sometimes from apps that are directly connected to ATMs.
The effort yielded roughly €500,000 ($5,600,000) for scammers last year.
The techniques are anything but unique. Instead, they reflect the ways that thieves are exploiting users’ reliance on emerging technologies to manage their finances.
The 26 people arrested throughout Europe only are the latest suspects accused of using SIM swapping to steal from specific targets. In November, the U.S. Department of Justice announced it had charged two Massachusetts in connection with a scheme to steal more than $550,000 in cryptocurrency by convincing phone carriers to give them control of victims’ phone numbers. Before that, U.S. prosecutors charged nine men, including three former employees at phone companies, with a similar conspiracy.