If you work in marketing then you can stop reading now. This is one of those occasional Commsrisk articles which is solely for people who care about reducing consumer scams, not for people who want to maximize attention by pretending to care as loudly as possible. For the purposes of this article, I am going to imagine there are people in management positions who can and want to set rational priorities for the reduction of networked consumer crimes. Whether such people exist is a debate for another day.
The problem with a lot of the marketing of consumer protection — we should use the correct word when describing the fact that many businesses, industry associations and even some regulators misuse statistics about consumer crime as a way to promote themselves — is that it conflates information that is useful to the consumer with information that is effective for advertising. Scaring consumers with exaggerated or misleading statistics is not designed to ‘raise awareness’. If we wanted to give consumers advice that will help them reduce the risks they take then we would spend most time warning the most people about the biggest risks, less time warning about middling risks, and the least time warning about risks which are small.
Something different tends to happen in practice. Smaller risks get exaggerated by people trying to sell mitigations for those risks. Other risks receive less focus than they should. For example, the comms industry has put negligible effort into tackling romance scams, despite a substantial body of evidence about the very many people worldwide who have suffered both financial losses and the loss of their dignity and self-esteem.
SIM swaps provide an excellent example of a lot of noise being generated to distort the reality about the scale and dynamics of crime. Over the course of many years, long-established readers of Commsrisk will appreciate how we tried to debunk misleading assertions about SIM swap fraud in order to concentrate the attention of professionals on its actual frequency and severity. For example:
- A lot of fake news about SIM swaps gives the impression that anybody might fall victim to a SIM swap. However, the evidence from rich countries is that SIM swappers go to considerable effort to research and select their targets. The evidence from developing economies is less conclusive; SIM swapping may be less discriminate in countries where mobile money is widely used. However, there are still mainstream news stories that exaggerate how widespread SIM swap crime really is.
- The true extent of SIM swap crime can also be inferred from the action taken by businesses to mitigate financial losses caused by SIM swaps. If Western businesses were as motivated to tackle SIM swaps as their peers in sub-Saharan Africa then they would not have fallen five or six years behind the African telcos that first introduced SIM swap APIs (see here, here).
- Another telltale sign is that lawyers in the USA advertise their services to rich victims of cryptocurrency thefts enabled by SIM swaps.
- Around 2018, mainstream UK news outlets like the BBC tried to create a panic by exaggerating the threat of SIM swap crime. One women’s magazine was so keen to generate a wave of panic that they claimed Facebook quizzes were used to gather personal data for SIM swappers despite having no evidence to support this claim.
- Old media spread so much misinformation about SIM swaps that scumbags on social media decided to feed the fake news panic. This prompted fact-checking website Snopes to write a 2019 article that debunked false claims about SIM swaps.
- The UK police also leapt on the fake news bandwagon. They fed newspapers stories about the number of SIM swap crimes rising 400%. However, a Freedom of Information request revealed many of the SIM swap crimes had been double-counted. Police records were so shabby that they were unable to reproduce the SIM swap figures they had circulated to the press.
- The Spanish also receive far more news about SIM swap crime, but for different reasons. Spanish telcos receive many more fines for SIM swap infringements than telcos in other European countries (see here, here). The most obvious explanation is that GDPR data protection rules are interpreted and applied very differently in Spain.
The tawdry history of statistics about SIM swap fraud still does not prompt journalists to question the validity of the claims they are repeating. The press is too busy looking for the next sensational headline. And so, the UK public has been fed this year a string of stories about SIM swap crime supposedly rising 1,000%. This gets treated as authoritative because it is taken from a ‘national anti-fraud database’ although it is different to the data collected by the police from the public. A misleadingly high proportionate rise can be caused by undercounting of crime in previous years, but only one news outlet (other than Commsrisk) observed that the national anti-fraud database had reported a much lower figure for SIM swaps in the previous year than the official police statistic.
Why should any of this matter? It matters because resources are finite and we will do a better job of reducing crime if we target resources efficiently. If crimes are highly targeted then it will generally be more efficient for the government, regulators, police and businesses to apply highly targeted methods to reduce crime. If crimes are more widespread then more widespread countermeasures are justified. ‘Raising awareness’ can be effective marketing, but it will have negligible impact if you are trying to warn a few hundred potential victims of crime by scaring several million other people who need not worry about it. There may not be any overlap between multimillionaire cryptocurrency investors and women who do Facebook quizzes.
This leads to an observation about a statistic that I never see anyone use. There are statistics about the number of victims of crime. There are statistics about the value of losses. However, we never see statistics about the yield of a crime, as calculated by dividing the losses by the number of victims. Some decision-makers are so innumerate (or so disinterested in rational prioritization) that they readily confuse the number of crimes with the value of crimes, or will intentionally choose whichever statistic serves their marketing goals. Yield would be a single-figure method of illustrating the difference mitigation strategies required for different kinds of crimes. A crime where very few individuals each lose enormous amounts deserves a different response to a crime where very many individuals each lose a small amount. Warning consumers through the use of mass media is a better strategy for reducing the latter. Selective implementation of additional controls on high-value transactions would be better at reducing the former.
The following figures are taken from the US Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) 2024 Report except for the yield, which I calculated.
| Complaints | Total Losses (USD) | Yield (USD) | |
|---|---|---|---|
| Phishing/Spoofing | 193,407 | $70,013,036 | $362 |
| SIM Swap | 982 | $25,983,946 | $26,460 |
Need I write more? Professionals should be using the calculation of yields to obtain a better understanding of crime and how to mitigate it. Yield helps to emphasize the relationship between the frequency and impact, or at least highlights the relationship between the frequency with which we gather information about crime and the total amount that is reportedly lost to criminals. If the total value of crime has increased because the yield has increased then that is very different to the total value of crime changing because the yield remained constant for a larger number of victims. Understanding frequency and impact is one of the most basic elements of rational risk management, though it rarely influences the way decisions are made about protecting consumers from networked crimes.



