The attacker emptied the victim’s bank accounts via the work phone.
The insurance and financial advisory service FINE describes a case of payment instrument fraud carried out via the work phone of a company’s board chairman. The attacker was able to take 37,000 euros from the victim’s bank accounts with a sim swapping attack, in which the victim’s connection is hijacked to another sim card by deactivating the old sim card.
The decision states that the criminals had identified themselves to the operator with the customer’s personal identification number and ordered a new sim card for the company’s phone, with the replacement date set for June 9, 2021. On that day the phone stopped working, and the criminals emptied the victim’s accounts without the victim’s knowledge, because the phone did not receive the banks’ confirmation messages about the money transfers.
The chairman sought compensation for the lost money under the company’s liability insurance because, according to him, the damage was caused by a phone owned by the company.
The insurance company’s decision from September last year states that the loss is not covered by the liability insurance because, under the policy’s limitation clause, the insurance does not cover financial loss that is not connected to property damage or personal injury.
FINE agrees with the insurance company and does not recommend a change.
“The damage is a so-called pure financial loss, which has resulted from the fact that, according to the damage report, the phone was somehow hijacked by criminals and used to commit payment instrument fraud,” the decision says.
Sim swapping is becoming more common
The information security company Check Point warned in August about sim swapping scams, which are becoming more common. At worst, the attack can lead to the emptying of accounts, as happened in the case presented above.
Sim swapping attackers gain access to the victim’s phone data and gain full control of the device. In this way, the attackers gain access to, for example, the victim’s banking, instant messaging and social media applications.
– This could mean emptying your bank account or becoming a victim of identity theft, in which case a criminal could buy goods and services over the internet in your name, Check Point’s country manager for Finland and the Baltics Sampo Vehkaoja said in the announcement.
The signs of a sim swapping attack are easy to spot. The connection is completely disabled, so the phone cannot access the network. So it’s not just a disconnection of the mobile internet connection, but you can’t make calls or send text messages with the phone.
– If this happens, contact the authorities and your mobile operator so that they can disable the SIM card and start the process to restore your data, Check Point advises.
As a means of protection, Check Point recommends being vigilant with your own data.
– Be careful with the websites you visit. Make sure the site is official and that the connection is secure.
In addition, the information security company recommends being careful with phishing messages and websites.
– Check for typos in e-mails or text messages, even if you know the sender. Pay attention to the sender’s address to make sure it is genuine. The same goes for links and attachments that look strange.
The “Beware, verify, warn” campaign of authorities and companies has collected really good instructions for identifying and avoiding online scams. You can find the instructions below.
BEWARE of suspicious messages and contacts:
- links in text messages or e-mails.
- unexpected phone calls in the name of IT support.
- unexpected phone calls from the bank, police or other authorities.
- links suggested by the search engine to the websites of banks or authorities.
- surprise wins or raffles popping up on the website.
MAKE SURE where the contacts are coming from and that you log into the services the right way:
- who the message or call came from. Banks and authorities rarely call unexpectedly. Make sure that the call you receive is definitely from the person on whose behalf the caller presents himself.
- that you always log into the online bank or the authority’s service through the correct website. The surest way to get to the right page is to write the direct address of the company or authority in the address field of the web browser (for example, orgössö123.fi/com). You can save the address as a bookmark. You can also use an application provided by a bank or authority.
WARN others about scams too:
- your bank if you’ve lost money or you realize you’ve given your information to fraudsters. Contact the bank immediately and tell them what has happened. In this way, the bank can try to prevent misuse of your credentials.
- preferably through written channels of the company or authority in whose name the scammer has approached you.
- your loved ones so that they know how to watch out for scams.
- others by reporting a crime to the police.