Be-aware: Sim-Swap/Phishing Money Theft from Bank accounts!

swatkats

How This Happened?

Bank Robbery Via 6 Missed Calls


A businessman, who identified himself as V Shah from Mahim, Mumbai, reported that he lost Rs 1.86 crore, via Missed calls scam.

On the night of December 27-28, he received the 6 missed calls from Indian and UK (+44 code), between 11 PM and 2 AM.

When he got up in the morning, and he tried to call these numbers, he found that his SIM has been deactivated.

Sensing trouble, he checked his bank account and was horrified to know that Rs 1.86 crore has been robbed. The scamsters had siphoned-off the money via 28 transactions, across 14 bank accounts.

The police were able to recover Rs 20 lakh, but rest all has been withdrawn, and bank accounts closed. There is no trace of anyone now.


The Modus Operandi: SIM Swap


The scamsters have again used SIM Swap method to gain control over the businessman’s bank account, and then robbed him.

As per police officials from BKC Cyber Crime Police Station, fraudsters had somehow gained access to the SIM number of V Shah, which is printed on the backside of the SIM.


Using that, they duplicated the SIM card, and deactivated his original SIM.

Once this was done, stealing money was a cakewalk: They initiated the transfer of money, and for that, only OTP is required, which they had.

Why Missed Calls?

Because by giving missed calls, the robbers assured V Shah that his number is working, and nothing shady is happening.

As per the police, his telecom operator received the request to duplicate SIM at 11.30 PM, and it takes around 4 hours to duplicate the SIM, and deactivate the old SIM.

The missed calls were given to assure the victim that everything is fine.

Possible Method To Get SIM Number?

As per the initial investigation, it seems that Mr. Shah had accessed any fraud app or website of a bank, which pulled out details about his SIM card number, and bank account details.

Just by duplicating a SIM, these fraudsters couldn't have withdrawn cash from his bank account, as they needed to transfer the money to any other bank account first.

A police officer said, “Even when you happen to open a fake version of your bank website, your details are automatically compromised. Your data is accessed by scamsters every time you access unsecured Web connections, or open phishing emails. We suspect Shah may have accessed one such email or app,”

Other possibility can be that a person close to V Shah stole the number, and then collaborated with the fraudsters to scam him.

https://trak.in/tags/business/2019/...entrepreneurs-bank-account-how-this-happened/
 
Holy shit I got exactly similar call from +44 number on 31 Dec. They called me more than 15 times but I did not pick the call.

So just by giving missed call they swap the sim? Any precaution we can take?

 
Holy shit I got exactly similar call from +44 number on 31 Dec. They called me more than 15 times but I did not pick the call.

So just by giving missed call they swap the sim? Any precaution we can take?

That is scary... Hope your bank account is safe. I too get too many calls, at least one per week, asking for the debit card number/account number/ATM PIN.
 
Holy shit I got exactly similar call from +44 number on 31 Dec. They called me more than 15 times but I did not pick the call.

So just by giving missed call they swap the sim? Any precaution we can take?

Call C.Care and check with them, if they got any new SIM activation request.
 
Holy shit I got exactly similar call from +44 number on 31 Dec. They called me more than 15 times but I did not pick the call.

So just by giving missed call they swap the sim? Any precaution we can take?

That is scary... Hope your bank account is safe. I too get too many calls, at least one per week, asking for the debit card number/account number/ATM PIN.

Who is your service provider?
A/VoId/Jio/BSNL/MTNL?

I know it doesn't connect directly, but trying to correlate.
 
Once this was done, stealing money was a cakewalk: They initiated the transfer of money, and for that, only OTP is required, which they had.

How is it possible to initiate a money transfer without knowing the account details like user id & passwd?
Also for SIM change, I thought you get an OTP to verify the SIM change? Is it not the case any more?

The police were able to recover Rs 20 lakh, but rest all has been withdrawn, and bank accounts closed. There is no trace of anyone now.

And how come the police can't find out the owner of the account to which these transactions were made? I mean the bank should have the details right?
 
Aren't SMSes blocked for 24 hours or so after a SIM change? Also to set UPI PIN, we need the debit/ATM card details as well. Then how come this can happen? Internal bank employees or known ones to the victim could be the reason. OR is there some loophole/security issue with UPI technology which we don't know or NPCI itself is not aware of :(
 
Aren't SMSes blocked for 24 hours or so after a SIM change? Also to set UPI PIN, we need the debit/ATM card details as well. Then how come this can happen? Internal bank employees or known ones to the victim could be the reason. OR is there some loophole/security issue with UPI technology which we don't know or NPCI itself is not aware of :(

Outgoing yes, but I believe incoming is allowed.

UPI needs outgoing SMS.
 
As per the police, his telecom operator received the request to duplicate SIM at 11.30 PM, and it takes around 4 hours to duplicate the SIM, and deactivate the old SIM.

I need some education here :)

What does "request to duplicate" mean? Whenever I have lost my phone, I had to get a new SIM (with a new SIM number) issued. The older sim (and hence the older SIM number) becomes (I am assuming) unusable.

So if they duplicated the old SIM and also deactivated it, how were they able to use it?

Also, I don't know what kind of "transfer" rich people use, but whenever I add a new payee, the bank limits the amount I can transfer to them for some time.
 

That could be the case where the thief would have registered for UPI the first time.. So he only would have generated the PIN using OTP..

I don't know what kind of "transfer" rich people use, but whenever I add a new payee, the bank limits the amount I can transfer to them for some time.

Exactly.. this too
So how come such a large amount is being reported as stolen?
 

Not sure how this is relevant. See the line below.

As per the police, his telecom operator received the request to duplicate SIM at 11.30 PM, and it takes around 4 hours to duplicate the SIM, and deactivate the old SIM.

If the SIM is cloned, there will be two devices on the network with identical SIMs. If one of them is deactivated, the other one should also get deactivated.
 
I don't understand why someone would keep 6.8 lakhs in a saving account when it's his life savings. Rich people I can understand, but normal people go for FDs or some other deposit scheme and don't keep that kind of amount in a saving account.

A mere SIM swap recently caused a man to lose most of his savings. 30-year-old Mohan Lal, from Sector 12, Noida, Uttar Pradesh has reported that he was cheated of Rs 6.80 lakh via a UPI app, and that's when he did not even own a smartphone.
According to a report in the Times of India, the said amount was transferred from his SBI saving account using a UPI app.
 
There is something more to this than what it looks like.

Yup, that article definitely doesn't have all the facts.

I'm not sure if I've posted this before but my bro once almost got scammed by HDFC iirc. He got a call in the night asking for an OTP to link Aadhaar! He refused. Later found it was a payment OTP for about 20k for a laptop or sth on FK. They didn't clone his SIM but tried to directly phish info from him. But the best part is how did they know exactly how much he had in his account? (slightly over 20k). Also, the call ID showed the call came from HDFC bank itself. So prima facie it seemed to be an inside job. He later did the simple and easy thing of getting his card changed. It was ancient anyway (few years old), but never used online or at any POS. Only ATM withdrawals.
 