An elaborate phishing scam came to light in Hyderabad on Saturday, showcasing how easy it is to forge someone’s identity and swap SIM cards in order to steal their money. Seven people, including two Nigerians, were part of the scam. Six have been arrested so far by the Cyber Crime Police, Cyberabad, and the kingpin is absconding.
The phishing scam came to light after one Pantham Venkata Krishna, first lost network connection to his mobile number, and two days later, found Rs 5 lakh and Rs 4 lakh being transferred from two bank accounts of companies he was associated with to bank accounts in Kolkata -- transactions he had not made. The victim then approached a mobile telecom store, and learned that a new SIM card had been taken on his name. After this he filed a complaint, an elaborate ploy unravelled.
Ebigbo Innocent alias James, the mastermind, sent phishing emails in order to collect banking credentials and registered mobile numbers. In case of a scam such as this, Trojan or other malware is sent to the unknowing victims, which helps scammers collect bank account details and your registered mobile number. Trojan is disguised as legitimate software, which is why victims fall prey to the same.
Ebigbo collected banking details and the registered mobile number this way, which he then passed on to Odafe Henry, the second accused (who is also a Nigerian national), fifth accused Rajat Kundu and one other person.
Rajat would then collect details of the phone number through his sources at mobile telecom stores and prepare fake documents. This was then used to procure a SIM card through the service provider of the victim. Usually, SIM swaps are requested by the customers themselves (for example -- if customers wish to upgrade the SIM, or if they have lost their phone and wish to block the old SIM and get a new one). But in this case, it is facilitated by the scammer and the fake documents are provided. The scammer then receives the new functional SIM, and renders the SIM held by the victim useless.
Once they obtained the SIM card, Ebigbo would carry out the transactions from the accounts he hacked. Rajat, who had the new SIM card, would receive the One-Time password to carry out the transaction. Once they received the money, it was transferred to a different account, and then withdrawn from multiple locations. Sometimes gold ornaments were purchased, and then converted to cash. This cash was then given to Henry, who would purchase items in Kolkata, and then ship them to Ebigbo in Nigeria.
Apart from Ebigbo and Henry, the other five accused are natives of Kolkata. The seven have allegedly cheated 13 companies in Hyderabad, Chennai, Kolkata, Ahmedabad and New Delhi of over Rs 70 lakh.
This SIM swap scam is becoming a common method of fraudulently obtaining financial details. Normally, when people request a new SIM card for any requirement, the old SIM card is deactivated, and all alerts go to the new SIM. But when details are fraudulently obtained with the help of phishing emails, the owner of the SIM card is left helpless, and scammers bypass the two-step verification process for financial transactions as they now have the SIM of the registered mobile number.
In a similar incident, a businessman from Mumbai lost Rs 1.86 crore. The man received six missed calls on his phone at 2 am, but by morning, his SIM did not work. When he approached the service provider, they informed him that a SIM replacement request had been placed. When he checked his bank account, all his money had vanished.
“Even when you happen to open a fake version of your bank website, your details are automatically compromised. Your data is accessed by scamsters every time you access unsecured Web connections, or open phishing emails,” a cybercrime official told Mumbai Mirror.