SIM Swap – A Warning Following the M&S and Co-op Attacks
SIM swap frauds are very topical at the moment. As reported in the Times this week, they may have formed part of the attacks against M&S and Co-op.
However, this is not a new technique. It is familiar to us and has been used by bad actors for years – both in the UK and internationally. There has though been a big increase over the last year. Almost 3,000 cases of unauthorised SIM swap were reported in the UK to the National Fraud Database in 2024.
What are SIM swap frauds?
SIM swaps involve an unauthorised porting of a mobile number to a different SIM without the victim’s consent. Once in control of a number, criminals intercept calls and messages, including two-factor authentication codes. They can also impersonate staff and trick IT support into resetting credentials.
The introduction of eSIMs in recent years makes this easier.
In the context of social engineering fraud, bad actors can use SIM swap to bypass multi factor authentication and compromise business email accounts.
Historically, we have come across SIM swap in frauds involving banks. In those cases, bad actors might obtain account information and access to internet banking through customer mobile numbers. Once fraudsters have this access, they can approve transactions and swiftly empty accounts.
What are the implications for insurers?
Clearly, cyber insurers will be concerned about the rise in incidents of SIM swap. Many companies rely on mobile numbers and multi factor authentication to help protect their systems.
An increase in SIM swap is also likely to have a significant impact on other policies that insure entities against financial crime.
When investigating these claims, Insurers will need to consider whether any responsibility attaches to the network provider and recoveries can be sought from them.
Prevention
PINs and passwords can be set up with phone providers. Providers then require this before making changes to the account.
Similarly, companies can use passwords and passcodes internally to enable employees to confirm the identity of the individuals they are speaking with.
On a positive note, we have seen UK and international banks put in place more robust controls. We have not seen an increase in claims involving banks in line with the reported increase in SIM swaps.
We are always interested to hear about cyber and crime trends affecting the market. If you would like to discuss, do get in contact.
Further reading:
The rising menace of mobile phone fraud — how hackers took control of M&S
