An earlier announcement could have prevented the chain of events that led to the 37,000 euro scam.
75-year-old pensioner Peka’s (name changed) phone stopped working unexpectedly in June 2021, when he was waiting for his elderly mother to arrive from the hospital. It had been agreed with the mother that she would call when the taxi was close to home, so that the boy would know to go meet his mother. However, Peka’s phone could not be contacted.
– I called DNA on another phone to ask if they have any problems. The customer service advised to wipe the sim card on the hem of the shirt and it would start working again. This is what I did and it had no effect. I called customer support again, who advised me to change the sim card to another phone. That didn’t help either, Pekka says.
Later that day, Pekka received a call from DNA. The customer support employee said that he had been bothered by previous calls about Peka’s connections not working.
– They said that I had ordered a new sim card, which would have been delivered to me by post. I hadn’t done anything like this. I was directed to the nearest store to get a new sim card, and the next morning I left my home in Vimpel to Seinäjoki to the DNA store.
A new sim card was activated at the DNA store, which was inserted into a new phone that Pekka was buying on the same trip. However, unexpectedly, the credit card did not work during the payment phase.
– I wondered which card was wrong and checked my online bank. I noticed to my shock that the accounts had been emptied, Pekka says.
Pekka had fallen victim to a sim swapping attack.
The criminal orders the victim’s sim card
DNA’s anti-fraud manager Ilkka Tuominen says that in a sim swapping attack, criminals attempt to illegally change the sim card of a certain person.
The attacker gets access to the victim’s phone data and can gain full control of the device. Through this, the criminal can gain access to, for example, banking, instant messaging and social media applications. In the world, such attacks are significantly more common than in Finland.
Sim swapping can thus lead to account deletion or identity theft, as happened to Peka.
Pekka cannot tell where his information was obtained so that it was possible to order a new sim card. He estimates that it could be private car dealerships, but in this case the bank credentials have not been visible anywhere.
As one possibility, Pekka raises the visit to the online bank’s fake website instead of the real one.
– I don’t keep bank credentials anywhere visible, but they are only in my head, Pekka states.
Tuominen says that ordering a new sim card by phone is possible.
– Then we go through the operator’s normal identification process, and it must contain enough information that the operator considers the customer to be correct, Tuominen says and elaborates:
– The criminal may have received or found some documents that contained personal information. Criminals may have made inquiries in someone’s name or led the victim to wrong websites. Usually, these are scams that are specifically targeted at specific individuals. They have not been made by chance.
Mother’s money for criminals too
According to Peka, the bank did not intervene in the emptying of the account in any way. The funds were transferred in three installments of 10,000 euros. In addition to this, the fraudsters made a credit card purchase of 7,000 euros. However, Peka’s fear that the criminals had made a quick loan did not come true.
– Where the money was transferred is completely known. The names and bank addresses of the persons appear in my online bank. One person was in foreclosure, so the foreclosure company stopped the money transfer. I got 9,000 euros back from this money. 1,000 euros remained with the criminal, because 10 percent of the foreclosure payments must be given to the foreclosure person.
Pekka is particularly saddened by the fact that, in addition to his business and personal money, the criminals were able to take from his account the 5,000 euro chest money of his elderly mother, which had been transferred to Pekka’s online bank.
– The bank said that my mother’s money must be in the online bank if I have access to it. I already said then that I don’t want the cash in the online bank because it’s my mother’s. At this point, the bank should have said that they can also be put on the account so that there is no access to them other than by doing business at the bank’s branch. In my opinion, insufficient information has been given regarding the bank. I could have done this with my other funds as well.
The attackers have not been caught
According to Peka, the police are investigating the case as serious payment instrument fraud and data breach. However, the police have not been active anymore, even though Pekka has offered to identify the persons to whose accounts the money has been transferred.
– The police seem to have thrown in the towel and say that the persons will not confess, Pekka states.
Pekka calls for the operators’ responsibility in such cases.
– The whole system should be changed. How can an outsider request to renew a sim card with someone else’s credentials just by calling. It’s too easy.
– I have made a complaint to DNA about the matter, but it has been determined that the matter can be taken to the courts. DNA has said that the case will be given to a private law firm to handle, and it will be very expensive for me if I lose. This is not right that people are being threatened like this.
Pekka feels that he is completely alone with the matter, and there is no support available from any direction.
– The money has been lost. You have to go through the courts or try to negotiate with the banks. Another bank I use says I have been careless. I think the operator has behaved in giving my sim card to the wrong person.
Pekka also points out that by reacting correctly to the first contact, DNA could have prevented the account from being emptied.
– It was about a few hours. If I had had time to change the sim card for myself again, the money transfers would have been prevented. I was told that the sim card is just dirty or there is a problem with the phone.
Tuominen considers DNA’s customer service instructions to be justified.
– The operating instructions were logical when thinking about electronics in general and smart cards. Wiping quite often solves the problem when, for example, a layer of oxidation or grease may have gotten on the card. If it is suspected that the device may be broken, a request to try another device is also logical.
However, Tuominen admits that the changing of the sim card shown in the customer information should have been noted more closely.
– When the customer has requested to change the SIM card, it is recorded in the customer’s information. Since the card exchange scam is very rare, it did not come to mind during the first contact. In that sense, there is something to be clarified in our process regarding the case.
Protect yourself from attacks
Tuominen advises to always be careful in situations involving private information. He advises how to protect yourself from attacks:
– We carefully keep track of where the property goes, and we do not give identification numbers to outsiders. Make sure that devices are used in situations where bystanders cannot see what is happening. Sufficiently complex passwords are used. As for the phones, the phones are stored with the screen protector on.
If the connections suddenly disappear from the phone, Tuominen advises to ask those close to you if they have encountered the same problems.
– If they are not, you should contact customer service. However, it is very unlikely that it would be a card exchange scam, advises Tuominen.
Pekka has its own instructions for cases where the phone stops working. Based on his experience, he himself would immediately contact the bank. He advises others to keep an eye on the phone’s activity.
– You can’t sleep overnight, you have to act immediately. If I had been contacted an hour earlier, the money could have been saved, says Pekka.
Tuominen emphasizes that cases similar to the one in Peka’s case are rare in Finland.
– It is extremely rare that such situations come across. Each case has some special features. When they happen, you can say that the operator also learns from them. In such a case, simply changing the SIM card is not enough to lose money. You cannot log into the bank with just a SIM card.
The name of the person who appeared in the article has been changed due to the sensitivity of the matter.