Embedded-SIM (eSIM) fraud has emerged as the latest tool in fraudsters’ arsenal for phishing people. Only last week, they managed to get away with Rs 21 lakh from the bank accounts of four unsuspecting victims in Telangana using this method.
Says Ritesh Bhatia, a Mumbai-based cybercrime investigator, cybersecurity consultant, and data privacy professional: “An eSIM is an embedded SIM built into a smartphone, which removes the need for a physical SIM.”
Both SIM and eSIM hold information like SMS, contacts, emails, etc. The eSIM is activated by the network provider remotely. There are a few ways through which fraudsters carry out this scam.
Method 1: Fraudsters illegally purchase databases of mobile numbers. Says Bhatia: “Once they have the numbers, it’s easy to find out which ones have eSIM-enabled phones. Usually it is higher-end phones that are eSIM-enabled. And they belong to the wealthy.”
Models like the iPhone 11 Pro and Samsung Galaxy Z Flip are eSIM-enabled. Says Bhatia: “The fraudster will offer an eSIM upgrade, explain the benefits, and convince you to follow his instructions.” In doing so, the victim hands over crucial information that enables fraudsters to gain control of their bank accounts.
Method 2: Some fraudsters don’t target high-end eSIM mobile users. They have databases of banking details as well. If they are able to get a one-time password using these details, they move to the next step.
The fraudster calls the victim, posing as a representative of the victim’s mobile service provider. Sometimes, instead of a call, a text message is sent, supposedly for an eKYC update. The message threatens deactivation of the SIM card if the person does not act immediately. The fraudsters then send the victim an email containing text that has to be forwarded to the official customer care number. When the victim forwards it, the fraudsters’ email ID gets registered against the victim’s number, so that they can put in an official request to convert the SIM into an eSIM.
Says Rajesh Mirjankar, managing director and chief executive officer, Infrasoft Technologies: “Once this happens, the victim’s phone loses connectivity. All SMS messages, calls, etc are diverted to the duplicate SIM being used by the fraudster.”
Thereafter, the victim’s phone number and everything else it’s linked to, including the bank account, is under the fraudster’s control. Adds Mirjankar: “Meanwhile, the victim’s phone has no network and he is completely unaware of the fraud. The fraudster takes over the victim’s identity on another device.”
What to do: In the next few years, removable SIM cards may become obsolete. Says Bhatia: “Understand your device’s specification. If your phone is not eSIM-enabled, how is anyone offering you an upgrade?” Most importantly, avoid sharing any details with random callers.
Mirjankar suggests you should avoid ‘clickbaits’ and beware of unsolicited emails, texts or calls asking for personal or financial information, even if they claim to be from your bank. Avoid sharing personal data online. Do not provide bank details on any links or forms. For financial transactions, only use websites or apps that use a secure payment gateway.