Spanish Authorities Arrest SIM Swappers for Plundering Victims’ Bank Accounts

Last week, the Policía Nacional, Spain’s National Police Agency, said it took down a cybercrime gang and arrested eight people in connection with a SIM swapping scam that impacted the bank accounts of several victims. The first occurrence of the scam reportedly took place in March 2021.

The suspects pretended to be representatives from a bank and other trusted entities and mainly relied on phishing and smishing techniques to harvest victims’ personal data and banking information.

One suspect was arrested in Seville, while the other seven were arrested in Barcelona. Subsequently, authorities froze 12 bank accounts connected to the illicit operation.

"They usurped the identity of their victims through the falsification of official documents and tricked employees of telephone stores into getting the duplicate of SIM cards,” according to a Policía Nacional press release. Attackers use the cards to receive “security confirmation messages from banks that allowed them to empty their victims' accounts."

SIM swapping, also referred to as SIM hijacking, is a form of identity theft where threat actors leverage mobile carriers’ security flaws to compromise victims’ personal data, bank accounts and cryptocurrency accounts.

The scam often involves attackers impersonating victims while also relying on phishing, social engineering, or insider threats to deceive mobile carriers into swapping the victim’s mobile number to a SIM card they own. In other cases, perpetrators take a more direct route and bribe a mobile carrier employee to gain unauthorized access to the carrier’s networks and perform the swaps on their own.

After porting the victim’s phone number to the fake SIM card, threat actors proceed to reset accounts, change passwords, disable SMS-based 2-Factor Authentication (2FA), and gain access to the victims’ online accounts.

Recently the FBI warned of an increase in SIM swapping schemes that counted $68 million in losses in 2021 and issued a list of recommendations to keep these scammers at bay.