French police have arrested a business student interning at the bank Société Générale who is accused of helping SIM-swapping scammers to defraud 50 of its clients.
According to a report in Le Parisien, the intern is alleged to have helped fraudsters embezzle more than one million euros from customers' accounts by providing them with clients' banking information.
The unnamed intern, who is said to be a Master’s student at a business school, was working at the bank's headquarters on Boulevard Haussmann in Paris. According to reports, he exploited his position in Société Générale to share sensitive information with a network of accomplices - including a SIM swap specialist.
In a classic demonstration of how a SIM swapping attack works, fraudsters contacted cellphone operators pretending to be Société Générale customers who had lost their phone, using personal information allegedly provided by the insider to trick the mobile company into transferring the victim's phone number to a SIM card in the criminals' possession.
Now "owning" the phone number, fraudsters were able to break into their victims' accounts using one-time security codes sent by Société Générale to the mobile phone numbers, ultimately stealing more than one million euros (approximately US $1.15 million).
As CommsRisk reports, alleged accomplices of the intern have been identified - including a couple found with an unspecified amount of cash and 15 luxury designer handbags who are suspected of laundering the proceeds of the fraud, and a 24-year-old man suspected of creating fake IDs for the gang.
Although Société Générale has been at pains to emphasise to the public that victims had been reimbursed for any money taken as a result of the scheme, questions will undeniably be asked as to what steps it took to vet the intern before putting them in a position of trust with such sensitive data.
Furthermore, the bank's clientele will be keen to hear if enough is being done to prevent unauthorised users from accessing sensitive personal information about their accounts, and whether enough is being done to harden the security in future.
As we have mentioned before, sometimes the biggest risks of all revolve around the insider threat - including staff who "go rogue". Companies would be wise to not focus all of their attention on external remote hackers, but also look at what protective measures they can put in place to properly police the behaviour of staff who have been given privileged access to information inside the organisation.
Last week it was reported that police had raided Société Générale's offices in Paris and Luxembourg, as part of a tax fraud and money laundering investigation. It is not clear if the raids are connected to the SIM-swapping investigation.
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.