Women’s Website Blames Facebook Quizzes for SIM Swaps

Why you shouldn’t do those ‘fun’ Facebook quizzes

The answer to this question is obvious. Do not do those ‘fun’ Facebook quizzes because you are wasting your life by filling it with brainless rot instead of doing something useful. Another possible reason is that Facebook quizzes are being used by criminals to obtain the data they need for SIM swaps… except there is literally no evidence to support this wild claim, which was made in an article by ‘tech testing manager’ Carrie-Ann Skinner for Good Housekeeping UK, a publication that would have been called a women’s magazine back in the era when women still purchased magazines printed on glossy paper.

Personality quizzes on Facebook may seem like a bit of harmless fun, but they could be giving hackers a helping hand to commit SIM-swap fraud. Here’s what you need to know.

What people need to know is that a lot of things ‘could’ theoretically allow criminals to obtain information about a person, and hence make it easier to take control of that person’s accounts. It does not follow there is any particular reason to suspect quizzes on Facebook are being used by criminals who commit SIM swap fraud.

These quizzes may ask you for basic personal information such as the name of your first pet or the town in which you were born, and they’ve been linked to a sophisticated scam which has been dubbed ‘SIM-swap fraud’.

Where is the evidence of this link? Skinner somehow forgets to mention the source for this claim.

This kind of personal information is often used to set security questions for your mobile phone account. If hackers get hold of it, they can use it to answer these security questions correctly and access your account. Armed with this information, a SIM-swap fraudster can head to a mobile phone store and impersonate you, claiming your SIM has been lost or stolen and requesting a new one. Once they get a new SIM card, they can plug it into their phone and receive your calls and text messages.

Half-truths are presented as full-blown threats. Whilst it is correct that some UK stores should be more stringent when demanding customer information before a replacement SIM is issued, even the overblown ‘King Con’ exposé for the BBC failed to trick any staff working for two out of the four national mobile networks. Of the minority of stores where staff were manipulated into issuing replacement SIMs, the BBC’s criticism focused on their not demanding photo identification, which is not to say that no form of identification was offered by the BBC’s agents, nor that the information they supplied was limited to the type which might be obtained through a typical Facebook quiz. The BBC’s desperate desire to maximize the shock value from their story makes me believe their agents provided the telco stores with extensive information about the hypothetical victims, such as their home addresses or numbers they had previously dialed, none of which would be collected by a typical Facebook quiz.

‘With ‘your’ SIM, the fraudster can now get in touch with the bank, claiming to have forgotten the online banking password. They are offered a one-time code to use to change it via text and clear out your funds,’ an expert from price comparison site BroadbandChoices explained.

A fourth-rate journalist with a name quotes a fifth-rate copywriter with no name, whilst somehow confusing the copywriter with a genuine expert. Contrary to the words chosen by the fourth-rate journalist, the fifth-rate copywriter provides no explanation of how a crime might be committed in this instance, especially as it is unclear how the supposed fraudster learned where their victim banks. Having gone to the trouble to visit a phone store to obtain a replacement SIM, is the criminal supposed to call every bank until they get so lucky that they not only find the one used by their target, but they also find a member of staff who does not ask the most basic questions to verify the identity of the bank’s customers? Or did the Facebook quiz also require the victim to supply the bank’s sort code and the victim’s account number?

It is true that Action Fraud, the UK’s national fraud reporting agency, has told the UK press there has been a rise in the number of SIM swaps reported annually. However, the total numbers of SIM swaps reported by Action Fraud are in the low hundreds, which hardly suggests that social media quizzes have become instrumental to the hijacking of telephone accounts. Skinner might convince her editors that she is performing a public service but I see little reason to think the world is a better place by giving the dimmer readers of Good Housekeeping UK reasons to fear their bank accounts will be raided after they complete “seemingly harmless quizzes that promise to reveal [their] unicorn name”, especially as the average unicorn-name-seeker will have bugger all in their savings account. Criminals do not go to a lot of trouble to steal from people who have nothing.

The industry has learned that sophisticated schemes designed to phish personal data are targeted at individuals with considerable wealth. Rich cryptocurrency investors are the likeliest victims because their accounts can be accessed online and it is much easier to launder cryptocurrency than funds taken from a conventional bank account. For all their failings, banks have rules and procedures that protect customers whose funds are stolen. So whilst there has been a rise in SIM swaps, and whilst people should generally be more protective of their personal data, it is an outrageous exaggeration to assert that the readers of Good Housekeeping UK are putting their “friends and family” at risk of SIM swap fraud by sharing Facebook quizzes with them.

SIM swaps have entered the public consciousness, not least because mobile phones are ubiquitous and there are always charlatans who will amplify any fear in the hope of gaining attention. This is further proven by fact-checking resource Snopes needing to debunk fake news about SIM swaps. People need to be careful, but it is irresponsible to fill the empty heads of less intelligent members of the public with baseless concerns. There are enough real crimes for people to worry about.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.