
December 16, 2024

From eSIM Swaps to Phishing: The Most Common eSIM Scams and How to Protect Your Customers 

eSIM technology promises seamless connectivity, but for unsuspecting users, it has also become a gateway to financial disaster.

When Jyotsana Bhatia received a call encouraging her to convert her physical SIM card to an eSIM, she thought it was the beginning of a journey to better mobile connectivity. But that same day, she lost Rs 27 lakh ($32,000) to what turned out to be an eSIM scam.

Are eSIM cards safe then?

As technology changes, scammers evolve their tactics hoping to capitalize on new trends. The growing popularity of eSIM and eSIM-enabled devices has opened a new vista for scammers who are hell-bent on stealing the personal data and money of their victims. 

These eSIM scams have become so popular in a place like India that the police had to circulate an alert warning people about them, according to a report by The Hindu newspaper. They noted that about 100 people had lost 70 million Indian Rupees ($826,000) to them already as of September 25, 2024.

So, while eSIM cards are safe in themselves, scammers can exploit them to steal the data and money of end users.

eSIM providers, who offer various connectivity services to eSIM users, must get on top of this situation by understanding what these eSIM scams are, putting in place the technology to prevent them, and also educating end users about them. 

In this article, we will examine the most popular eSIM scams and how you can prevent them. We’ll cover: 

  1. The most common types of eSIM scams
  2. How to scam-proof your eSIM product
  3. Educating end users about eSIM scams: Useful prevention tips to suggest 

Do you want to create new revenue streams from the growing eSIM market? Book a demo with Zendit to learn how you can resell eSIMs by integrating our API into your website or app. 

1. The most common types of eSIM scams

    Scammers have become sophisticated in their approach to electronic subscriber identity module (eSIM) scams. Understanding the variety of these scams is the first step toward preventing them. 

    Below are the five most popular eSIM scams: 

    eSIM swap scams

    eSIM swap scams can occur in two ways: swapping a physical SIM for an eSIM, and swapping an eSIM from one device to another. 

    With the former, the scammer convinces the mobile network provider to transfer the number on an end user’s physical SIM to an eSIM they control. 

    The scammer would have stolen the end user’s personal data through phishing attacks or other forms of data breaches. By supplying the requested information, they can impersonate the end user and convince the mobile network provider to complete the switch. 

    Once the porting occurs, the scammer controls the end user’s mobile number and can take control of their bank accounts or cryptocurrency wallets. 

    The second type of eSIM swap scam is transferring an eSIM profile from one phone to another. 

    Normally, such a transfer should happen only when the end user is switching phones. The scammer will convince the mobile network operator that they are switching mobile phones and request a transfer of the eSIM profile to a device they control.

    This gives the scammer control of the end user’s phone number and access to their online accounts.  

    You can gain some insights into the popularity of these scams by Googling “Reddit eSIM swap scam.” The result will be several Reddit threads where people share their experiences with eSIM swap scams. 

    Phishing or activation scams

    Here, fraudsters impersonate mobile network operators, pretending to help end users activate their eSIM profiles (through SMS messages, social media messages, emails, or phone calls). 

    They will request activation codes or QR codes (depending on the activation method) in the process. Once they have these codes, they create the eSIM profile on their devices and gain control of the end user’s phone number. 

    “Usually, the scammers made calls claiming that one needed to upgrade the existing physical SIM to e-SIM by updating the KYC details,” according to a staff member of the Kerala Police Cyberdome quoted by The Hindu newspaper. “People who followed their instructions would automatically receive a QR Code. The moment one exchanged the QR code with them, the operation became a success, and they took control of the newly created e-SIM to retrieve all related banking information.”  

    Fake eSIM providers

    Scammers can claim to be eSIM providers offering connectivity services – activation of eSIM profiles, mobile and data plans, and remote management of eSIM profiles. 

    Since the eSIM market is relatively new, many end users don’t know who to trust. 

    Some of these fake eSIM providers are phishing for details like phone numbers while others receive payments without providing any connectivity service. 

    There is another class of fake eSIM service providers who trick users into downloading malicious or fake eSIM profiles on their devices. Once users download that profile, they hack the device and steal important information. 

    Man-in-the-middle attacks

    This is also a form of activation scam, but the hackers don’t impersonate mobile network operators. Instead, they steal the activation codes of users who are activating their eSIM profiles on unsecured networks (such as public Wi-Fi). 

    With the activation codes, they can steal the eSIM and access the online accounts of end users.  

    Social engineering attacks

    Hackers can also impersonate the customer service agents of a mobile network carrier and pretend to help the end users with something related to their eSIM. 

    Some of them will send notifications that an eSIM profile will be deactivated if the user doesn’t do certain things. They will offer to help do those things and steal personal data (including debit or credit card information) in the process. 

    2. How to scam-proof your eSIM product

      As an eSIM provider, the cybersecurity of your customers should be a priority. 

      While most of these scams target end users directly, you can still take actions that will improve the security of your customers. 

      Verify carriers

      Though the eSIM market is young, it is still possible to identify legitimate, reputable, and authorized carriers. 

      By only providing connectivity services (activation of eSIM profiles, voice plans, and data plans, among others) from legitimate carriers, you can protect your customers from malicious eSIM profiles and fake mobile and data plans.  

      Sometimes, hackers will offer too-sweet-to-be-true deals that can captivate the attention of eSIM resellers. By falling into these gimmicks, in the name of better offers, you can become complicit in the woes of your customers. 

      Before embracing any deals, ensure they are coming from reputable carriers that you can trust.  

      Monitor suspicious activities

      A user who normally purchases data worth $100 every month suddenly purchasing $1,000 worth of data in a given month is grounds for suspicion. Similarly, a user creating four eSIM profiles within 2 weeks should raise concern. 

      When these suspicious activities occur, you should contact the user to confirm if they are the ones requesting these services. Such quick discovery of the activities of scammers can help prevent further damage. 
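A minimal implementation of the two checks this section describes, as an added example (not zendit's code): a purchase far above a user's own prior average, and a burst of eSIM profile creations in a short window. The event tuple format, the 5x spend multiplier and the sample events are assumptions; the four-profiles-in-two-weeks rule is the article's own.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (user_id, ISO timestamp, event type, amount in USD).
EVENTS = [
    ("u1", "2024-10-03T10:00:00", "purchase", 100.0),
    ("u1", "2024-11-03T10:00:00", "purchase", 100.0),
    ("u1", "2024-12-10T10:00:00", "purchase", 1000.0),  # ten times the usual spend
    ("u2", "2024-12-01T09:00:00", "profile_created", 0.0),
    ("u2", "2024-12-04T09:00:00", "profile_created", 0.0),
    ("u2", "2024-12-08T09:00:00", "profile_created", 0.0),
    ("u2", "2024-12-12T09:00:00", "profile_created", 0.0),  # fourth profile in 12 days
    ("u3", "2024-12-01T09:00:00", "profile_created", 0.0),
    ("u3", "2024-12-20T09:00:00", "profile_created", 0.0),  # only two, 19 days apart
]

SPEND_MULTIPLIER = 5.0               # assumed: flag a purchase >= 5x the user's prior average
PROFILE_LIMIT = 4                    # the article's example: four profiles ...
PROFILE_WINDOW = timedelta(days=14)  # ... within two weeks

def flag_spend_spikes(events, multiplier=SPEND_MULTIPLIER):
    """Return (user, amount, baseline) for purchases far above that user's earlier average."""
    history = defaultdict(list)
    flags = []
    for user, ts, kind, amount in sorted(events, key=lambda e: e[1]):
        if kind != "purchase":
            continue
        prior = history[user]
        if prior:
            baseline = sum(prior) / len(prior)
            if amount >= multiplier * baseline:
                flags.append((user, amount, baseline))
        prior.append(amount)
    return flags

def flag_profile_bursts(events, limit=PROFILE_LIMIT, window=PROFILE_WINDOW):
    """Return users who created `limit` or more eSIM profiles inside any `window`-long span."""
    times = defaultdict(list)
    for user, ts, kind, _ in events:
        if kind == "profile_created":
            times[user].append(datetime.fromisoformat(ts))
    flagged = set()
    for user, stamps in times.items():
        stamps.sort()
        # Sliding window: the i-th creation and the one (limit-1) steps before it bound `limit` events.
        for i in range(limit - 1, len(stamps)):
            if stamps[i] - stamps[i - limit + 1] <= window:
                flagged.add(user)
                break
    return sorted(flagged)
```

Either flag should trigger the out-of-band confirmation with the user that the paragraph above recommends, not an automatic block.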

      Verified and secured activation channels

      If you provide eSIM activation and remote management to users, then your activation channels must be very secure. 

      It will not speak well for your company if your customers lose money or their data because hacking your website is child’s play for scammers. 

      “eSIM providers must implement encryption and secure provisioning protocols to address these concerns,” according to Shahira Ahmad Faud, Senior Marketing Specialist at Mobilise Global, a telecom SaaS and connectivity firm. “Providers are advised to adhere to data protection regulations when deploying eSIM technology.”


      Multiple authentication methods

      To ensure that your customers are not being impersonated, you can add multiple authentication methods as a layer of security on your website or app. 

      This can include biometric verification, sending one-time passwords (OTPs) to their email addresses, or requesting codes from authenticator apps (from Google, Microsoft, or Apple). 

      Robust customer service

      Active customer service can also help to quickly restrict the activities of scammers when a scam has been discovered. 

      If your customers can easily reach you when they suspect foul play, it will be easier to limit the damage that the hackers can do.  

      Dedicated customer service lines

      However, given that hackers can also impersonate customer service agents, you must have dedicated lines that your customers can identify as yours. 

      In this way, they can easily discover when the person on the other end of the line is impersonating your company. 

      Cooperate with other industry stakeholders

      Carriers, resellers, and regulatory bodies will have to cooperate to stem the tide of eSIM scams while they are still in their infancy. 

      Participating in such discussions and implementing relevant data protection guidelines resulting from them can help safeguard your customers. 

      3. Educating end users about eSIM scams: Useful prevention tips to suggest

        Though your cybersecurity actions can prevent certain scams, end users also have to take responsibility for preventing eSIM scams. 

        Therefore, as part of your communications with your customers, you should educate them about how to prevent eSIM scams. 

        Below are some useful prevention tips you can suggest to your customers: 

        • Cautiously sharing sensitive information with known people: End users should avoid sharing sensitive information like passwords and passcodes. Even if their own devices are secured, the recipient’s may not be, and hackers can steal that information from them. 
        • Avoiding sharing sensitive information with unknown people: “Avoid recklessly exchanging confidential information and data with unknown people,” advised the Kerala Police Cyberdome. 

        Many scammers have tricked users through phone calls, text messages, social media messages, and emails. By refusing to respond to unknown numbers, email addresses, and social media accounts, users can prevent eSIM scams.  

        • Regularly updating their devices: Regular device updates are one prevention tip suggested by Cognitive Market Research, a market research firm, in its study on eSIMs. Keeping a phone’s software up to date can protect it from malware and hackers.
        • Avoiding unsecured networks when activating eSIM profiles: eSIM profile activation should only be done on secure private networks. Users may even consider using a virtual private network (VPN) for added security. 
        • Enabling two-factor authentication: Most phones (both iPhones and Android phones) allow fingerprint verification, and some also permit facial recognition verification. Using either of these methods can make it harder for scammers to access sensitive apps. 

        Users can also enable two-factor authentication to add an extra security layer. 

        • Quick response to suspected scams: Reporting a scam immediately can help prevent further damage. Encourage your customers to report suspected scams as soon as possible. 

        How zendit protects you and your customers

        As said above, working with verified and reputable mobile carriers is one way you can protect your customers. 

        At zendit, we ensure that we only provide eSIMs from reputable mobile carriers across the globe. When you integrate our plug-and-play API, you are providing your customers with a global catalog of eSIMs from carriers they can trust.

        In addition, we provide state-of-the-art security protocols for secure transactions. 

        You can regenerate API keys if you believe the former key has been compromised, whitelist IP addresses to connect your integration with trusted hosts, secure your product catalog by disabling products you don’t intend to sell, use ShieldWall to authenticate transactions, and also verify the authenticity of any webhook you use in the integration process.

        Having a security-conscious company like zendit as your partner can help you provide improved mobile connectivity to your customers while protecting them from scammers and hackers.

        Do you want to expand your revenue streams by securely reselling eSIMs to your customers? Book a demo to see how Zendit works or contact us to learn more about how our product can help your business.

        Takeaways

        • Are eSIM cards safe? Though they are more secure than physical SIM cards, scammers have been targeting them. Popular scams include SIM swap fraud, phishing for activation codes, impersonation by fake eSIM providers, man-in-the-middle attacks, and social engineering tactics. 
        • eSIM providers must implement robust security measures, such as partnering with verified carriers, monitoring suspicious activities, securing activation channels with encryption, and offering multi-factor authentication.
        • Providers should educate their customers on safe practices, such as verifying requests, avoiding unsecured networks, enabling multi-factor authentication, and quickly reporting suspected scams.
        • Partnering with security-conscious companies like Zendit ensures access to reputable carriers, advanced security protocols, and a safer experience for users.
