BBC Tries To Create Panic Over SIM Swaps

There are some people who never miss an opportunity to exaggerate fraud, claiming they provide education when their real goal is to use hyperbole to gain attention. I am not one of those people. Anyone in search of scaremongering claptrap should look for the many alternatives to Commsrisk. I belong to the school of thought that says risks cannot be prioritized correctly if they are not measured properly. Those of you who read on will now have to share my struggle as I pick through the truth behind a recent BBC investigation into SIM swaps in the UK. To perform this task, it was necessary to keep reminding myself of the following:

  • The growth and the seriousness of SIM swap fraud demands that businesses should do more to prevent it; and
  • The BBC employs some wretched, lazy journalists who distort facts to manipulate the audience.

SIM swap is really easy to do because it relies on people in stores that don’t have a clue of what fraudsters are capable of. The priority in a phone shop is to sell phones when their priority should equally be to look after people’s information…

These are the words of a man who the BBC wants you to know as ‘King Con’. Yes, I am serious. The BBC describes him as “the ultimate fraud expert”. If I was a national broadcaster responsible for telling millions of people that SIM swaps are “really easy” then I would want to be sure this opinion came from somebody who is a bona fide expert, and whose background had been thoroughly vetted before he was paid to engage in elaborate deceptions on my behalf. We will return to the subject of King Con’s qualifications and his real identity. First we must focus on the investigative work he performed at the behest of the BBC, as covered by last week’s Watchdog television show and also during this segment of Watchdog host Steph McGovern speaking to BBC Radio 4.

…he visited six branches of each of the four biggest mobile phone stores [she means networks] so O2, EE, Vodafone and Three, so 24 branches in all, and he tried to get replacement SIM cards for pay-as-you-go phone numbers that weren’t his own. Now, he was armed with basic details about our fake account holders, but crucially he didn’t have photo ID…

…Two out of six Vodafone stores were happy to hand over replacement SIM cards for someone else’s mobile number without asking for photo ID, while a staggering five out of six O2 branches let him walk out with a SIM card for an account which wasn’t his.

To focus on the real data, this man successfully conned staff in 7 of the 24 stores he visited. A failure rate of 29 percent is completely unacceptable. EE and Three received a clear bill of health, but there can be no excuses for Vodafone and O2, who should have done better.

However, these results are also perfectly intelligible, despite the alarmist tone taken by Steph McGovern. Whilst King Con may like to tell other people how to run a business (more about that later) the truth is that these four networks manage over 1,800 stores between them, per the information on their websites. That means they employ thousands of staff who will be expected to handle millions of queries from members of the public over the course of a year. Some of those queries will be from fraudsters. Many more will be from imbeciles. Though it may seem hard to believe, some Brits are so stupid that they will even believe what they see on TV. However gormless these people are, there are still good reasons why telcos should try to help them after they lose their phones, even if they do not possess photo ID. That is another side to this story, not that the BBC cares for such balance.

This other side to the story is important, because a responsible journalist would have focused on the main reason so many O2 stores allowed King Con to obtain a replacement SIM. Unlike other networks, O2 does not require pay-as-you-go customers to show photo ID in order to obtain a replacement SIM. I believe that policy is mistaken, but my opinion is irrelevant; no policy was violated by anyone working in those O2 stores. Furthermore, the intentions behind O2’s policy are clearly good. They know pay-as-you-go services are more generally used by poor people, and that the poor are less likely to have photo ID. The BBC also knows this important fact, although they chose to omit it from their presentation. Their political journalists routinely cover stories about whether photo ID should be mandatory for voting, often presenting the argument that demanding photo ID would exclude poorer voters (see here, here and here). But whilst the BBC seems to refrain from voicing a definitive opinion on whether photo ID is needed to fight electoral fraud, they have no such reticence about saying how consumers should be treated.

A more balanced account would highlight that whilst King Con left O2 stores with SIMs that he was not entitled to, this network uses an alternative mechanism to protect customers from fraud. O2 sends a code to users when their SIMs are replaced, alerting them about what is happening. King Con and his colleagues claim they did not receive those codes. I ask you a simple question: why should we believe King Con and the BBC? There is already plenty of evidence suggesting bias before the investigation began: King Con said it is ‘easy’ to commit SIM swap fraud whilst Steph McGovern deliberately conflated the distinct situations in Vodafone, where a corporate policy was violated, and O2, where no policy was broken. King Con was paid to deceive. The BBC boasts about his skill as a liar. The simplest possible deception in this investigation would be to pretend that no codes had been received by the original O2 SIMs. Neither King Con nor the BBC needs to show any evidence to support this assertion, because there would be no evidence if it is true. On the other hand, O2 may have evidence that the messages were sent, and they insist that they were. Who should we believe? O2 says they sent the messages to all the SIMs. The BBC says none of the SIMs received those messages. It is highly unlikely there was a systematic messaging failure that affected the five SIMs that King Con targeted. So who do you believe in this situation? I see no reason to trust the word of the BBC over that of O2, for reasons that will become clearer as we progress.

[The scam] relies on the mobile phone companies not sticking to their own rules

McGovern sought to conflate the differing scenarios in O2 and Vodafone, but this investigation was only able to find two Vodafone stores were staff violated a policy requiring them to check photo ID before issuing a replacement SIM. Three networks had the relevant policy, 18 of their stores were visited, and two stores failed to respect the policy. The BBC deftly avoided making the observation that the Vodafone staff who endangered customers should both be fired. Vodafone’s rebuttal of the Watchdog story puts it more politely than I would.

Every employee in our 400 plus retail stores is given mandatory training, reinforced by regular reminders, which makes clear that a customer must supply photographic ID before completing a SIM swap in-store. To support this progress we have provided our stores with ID scanners.

It is therefore very disappointing that two employees did not follow this process. We are also deploying a new system which will highlight where staff override the controls.

King Con failed to fool most staff in most stores, even though he says this fraud is “easy”. The BBC said he had “basic information” about the accounts he was targeting. What does “basic” mean in this context? That is never explained. Did King Con possess other forms of ID for the account owners? Did he know personal details unlikely to be available to the average fraudster, such as information about the phone calls they had previously made? How many of these accounts were associated with people whose details would not match the description of a fat, balding, middle-aged man with a pronounced London accent? The BBC’s presentation is skewed, and if it was skewed in the opposite direction we might be hearing how some telcos successfully protected their customers even when challenged by a man “who knows every trick in the scammers’ book”.

We should be clear about exactly how far the BBC was willing to go to mislead its audience. Steph McGovern literally stated a falsehood during her Radio 4 interview. The following may appear to be a simple slip of the tongue. I believe it to be representative of serious bias.

Two out of six Vodafone stores were happy to hand over replacement SIM cards for someone else’s mobile number without asking for photo ID [my emphasis]

Remember that quote from above? Only a minute later the BBC plays a clip that was secretly recorded at one of the Vodafone stores.

Do you have any ID with you, driver’s licence or passport?

McGovern seizes upon this recording as proof that Vodafone staff should have known better, and she is right to be critical. But this clip also highlights the casual way she substitutes a fiction for the facts. It was false for her to characterize those Vodafone staff as being “happy” to hand over SIM cards “without asking for photo ID”. They did ask for photo ID. Their mistake was not to insist upon photo ID.

However, all of this has just been a distraction. None of this relates to the real causes of risk in this scenario. Time and again McGovern tells us that if SIM swaps occur, then bank accounts will be raided. She only briefly mentions the essential weakness that motivates the criminals.

…[speaking as quickly as humanly possible] this type of fraud is only successful with the few banks that still rely on text message authentication for money transfers [can now slow down for emphasis] BUT this is an increasingly popular scam, hundreds of people fall victim to it every year, and to work it relies on the mobile phone companies not sticking to their own rules…

Heaven forbid that banks should be held responsible for identifying their own customers! How did business priorities get so mangled that if a criminal removes thousands of pounds from a bank account then the blame is allocated to a business that sells cheap pay-as-you-go mobile phones, and not to the bank that paid the money out? There was a time when Brits could only withdraw money by literally visiting the bank on their high street. When did British society change so fundamentally that banks were allowed to outsource responsibility for knowing who they are dealing with? And what qualifies McGovern to voice an opinion about who is most at fault?

Banks have let customers down, but BBC journalism is of such a shoddy quality it ignores the risks taken when banks assume a mobile phone is never used by anyone but its owner. It would also be a crime if a husband took his wife’s phone and used it to empty her bank account. Obviously no phone company could prevent that from happening. The common point of failure is the overly casual approach taken by some banks, not the business of providing a communications service. The shockingly lazy conclusion of journalists like McGovern is that phone companies should treat their customers more harshly, restricting their access and increasing the burdens placed upon them, because making it easy to obtain a replacement phone service does not suit the interests of banks that want to make it too easy to withdraw money.

I could go on poking holes in this story, by emphasizing how McGovern presents stats like “cases of SIM swap have rocketed by 60 percent since 2016” without bothering to explain the source of this number, or how it was calculated. I searched for the relevant statistics at Action Fraud, the UK’s central police resource for fraud, but the closest story I could find was this recent piece about BBC licences being a magnet for scammers. Though I failed to find the pertinent data, the search did make me wonder why a journalist would wail about ‘hundreds’ of people falling victim to SIM swaps. Why does McGovern not provide the exact number of victims, when she acts as if the percentage increase has been calculated precisely? But now I want to move on to the fraud ‘expert’ who conducted this investigation for the BBC.

…his mam and his mates might refer to him as Tony, but we refer to him as King Con ’cause he’s the ultimate fraud expert, he’s one of the UK’s most notorious fraudsters…

That was how McGovern described him. And this is how the BBC wants us to see King Con…

McGovern and other BBC journalists kept referring to this man as King Con throughout, as if his real name is a mystery. But his real name is not a mystery. His real name is Tony Sales, and he only came to the public’s attention after he received a miserable 12-month prison sentence in 2010. Why does the BBC go to such trouble to disguise the real identity of the convicted criminal they have chosen to employ? Sales was already a BBC regular (such as this appearance on BBC Scotland) before they invented this silly new name for him.

Despite the comical aura that the BBC is trying to project, Sales has not been hiding from public view. Sales has long promoted himself as a public speaker and fraud consultant, as demonstrated by this crappy showreel he put together:

Look again at that video. Is this the office you imagine would be the operational base of a multi-million-pound-stealing-king-of-frauds-turned-successful-media-personality?

Sales’ popularity with the BBC tells us more about the flaws of how the BBC does research than how criminals steal. According to Sales, he stopped committing crime after his 2010 conviction. At the same time, he pretends to be an expert on frauds that have gained prominence only recently. The phone industry has changed a lot since Sales was convicted. So what makes Sales an expert on SIM swap, a crime he describes as “easy”? Has Sales continued to commit crime in the time since? Or perhaps Sales knows about SIM swaps because he has been working for telcos, helping them to identify flaws in their procedures?

Either Sales has pertinent knowledge of SIM swaps because he continues to commit fraud, or else he should never have been allowed to do this BBC investigation because his commercial interests mean he cannot be impartial. If Sales has been doing legitimate work on SIM swap prevention it must have been with the knowledge of the businesses who engaged his services, so he is motivated to skew the results of this investigation by favoring his customers over other telcos. Or maybe Sales’ expertise is just another bluff from a man who has made a career out of bluffing, though the BBC are using him to sensationalize their stories by portraying him as “the ultimate fraud expert” and encouraging him to make wild claims about fraud and the ways businesses behave.

It seems to me that Tony Sales is still a con artist, and the BBC is continuing to help him scam the naive. How else do we explain that a man who markets himself as Britain’s greatest fraudster, and who supposedly advises major retail businesses and governments, has enjoyed such little success as a fraud consultant and media personality that he has amassed just 367 followers on Twitter over the course of 7 years. Now Sales has made the following ultra-cheapo video (57 views at date of writing) to help him profit from his new BBC-advertised persona of ‘King Con’:

Earlier this year Sales began marketing a new business venture he set up, called We Fight Fraud Limited. Since he started working with the BBC, the company has adopted a fancy new website. The slick presentation may lead you to think this is a solid business, but the official records for We Fight Fraud Limited reveal a company that has terminated four out of five company officers since it was incorporated in 2017. One of the officers who stood down is Sales himself! The only remaining officer of this business is Adam Boome, who is also seemingly the largest shareholder. Would it shock you to learn that Adam Boome is a former BBC Editor? No, me neither.

The only satisfaction I receive from reviewing this investigation is that the BBC, and King Con, clearly failed to gain the attention they were hoping for. Despite the advertising campaign across the many media resources belonging to the BBC, despite the GIF, and the other social media promotional gimmicks, a quick search of Google shows that hardly any other news outlets repeated this story. That must come as a big disappointment after the BBC spent so much taxpayer’s money on marketing a convicted criminal.

I draw two conclusions from this BBC investigation by ‘the ultimate fraud expert’. Firstly, SIM swaps are serious, and more should be done to tackle them, both by telcos and the businesses that rely too much upon telcos. Secondly, there are some people who should never be trusted, and others who will cynically promote liars in order to gain the attention of gullible members of the public.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.