In recent years, Japan has seen a spate of "SIM swap scams," in which cell phone numbers are hijacked and misused. Victims suddenly notice that their smartphone won't connect, and when they contact the mobile phone company, they are told that their SIM card has been reissued or that someone has switched their number to another carrier, only then to realize that scammers have siphoned large amounts of money from their bank accounts. In one case, an illicit transfer reportedly occurred only about 15 minutes after one victim's number was hijacked.
One afternoon in July 2022, Ryuji Tanigawa, 61, a port transportation business owner in Kobe, noticed that he could no longer make calls on his phone. "That's odd. Everyone else's phone is working," he thought. He went to a mobile phone shop near his work, where he learned what had happened. Someone at a sales outlet in the city of Nagaokakyo in Kyoto Prefecture, far away from where he was, had canceled his contract and switched his number to another carrier.
He had a bad feeling and checked his internet banking account. It was then that he found around 10 million yen (about $71,000) had been transferred to a person he didn't know. In police investigations, suspicions surfaced that a criminal organization had hijacked his mobile number.
But how can someone's number be hijacked when they have their phone with them? The process goes something like this: First the scammer sends a text to the person's phone, leading them to a fake phishing website that steals their personal information. That information is then used to make a fake ID and claim that the person has lost their phone, allowing a new SIM card to be issued and the contract to be canceled with a switch to a new carrier.
The illicitly obtained SIM card is then inserted into a smartphone held by the criminal group. With the cell phone number taken over, the victim's mobile connection is cut off. After that, the scammer logs in to the victim's internet banking account. It is apparently possible for the person's online banking password and other information to be exposed via the phishing site.
Tanigawa, who was a victim of such tactics, reflected, "At first I wondered what merit there would be in taking my mobile number. When I was scammed, I hadn't even heard of the term 'SIM swap scam.'"
Financial institutions set "one-time passwords" for a limited time to prevent fraud. But if the one-time password is set to be delivered through a text message, it is received by the smartphone in the hands of the criminal group.
A 15-minute crime
In one case in which an unemployed woman from Tochigi Prefecture was arrested in May by the Metropolitan Police Department (MPD) on suspicion of fraud, the victim's money had been illicitly transferred just 15 minutes after their SIM card was reissued. The woman was suspected of having taken the role of receiving the SIM card from the store and illicitly transferring the money, while conversing with another fraudster giving instructions through the communications app Telegram. The woman was apparently instructed to transfer money quickly. An investigative official explained, "This was probably so the money would be wired before the victim realized it."
There were 25 people who fell victim to illicit money transfers in which the same woman was apparently involved, spread out from Japan's northernmost prefecture of Hokkaido to the Kansai and Chugoku regions in western Japan. The woman is said to have received 1.2 million yen (about $8,500) over the space of 3 1/2 months for her part in the crimes. The MPD suspects that the woman took on the role after applying for a "yami baito," or shady part-time job.
Daiji Ushiro, a cybersecurity officer at security firm Check Point Software Technologies Ltd., based in Tokyo's Minato Ward, said there have been reports of such SIM swap scams across the world since around 2016. They have apparently been rampant in Africa and Southeast Asia, where online security is insufficient. In the United States, there were 2,026 cases in 2022 alone, with damages totaling around $72 million, and the FBI has called for caution.
In Japan, such cases appear to have risen from around 2022, apparently after "SIM locks" used by mobile phone companies to limit devices to their own networks were banned in principle in 2021, allowing SIM cards to be used in any mobile device.
How to avoid falling victim
So what can people do to protect themselves from SIM swap scams?
In July 2022, Check Point Software Technologies announced three countermeasures. The first two relate to preventing information leaks through phishing: first, when accessing an internet site, check the URL and other information and make sure it is an official one, and second, do not open links or attached files in suspicious emails. According to the Council of Anti-Phishing Japan, the number of phishing reports in 2022 reached 968,832 -- 17 times the number fielded in 2019. The third countermeasure is to contact police or the mobile phone company right away if one's cell phone suddenly stops connecting.
There are also measures to prevent illicit money transfers. Some banks offer a service whereby a one-time password is sent to a dedicated app or device rather than via a phone text message. Ushiro points out, "This is more inconvenient than a text message, but the result is higher security."
Mobile phone companies are also called on to prevent impersonation of customers at stores. Tanigawa commented, "Before a new SIM card is issued, the victim will still be able to receive calls. They should call the person's smartphone once before going ahead with the procedures and confirm that it is the person in question."
(Japanese original by Shohei Kato, Tokyo City News Department)