- CybAfrique Newsletter
- Posts
- The SIMple scam
The SIMple scam
CybAfriqué is a space for news and analysis on cyber, data, and information security on the African continent.
The SIMple scam
So, you generally think that your money in the bank is safe, and it mostly is. You have a password and two-factor authentication. Maybe you’ve even got one of those little dongles that blink random numbers at you, and your deposit is protected by insurance and policy. You, minus the insurance, are a fortress, except this fortress has a backdoor whose key is held by your mobile phone provider.
This and all its offshoots are the premise of what is popularly called a SIM-swap fraud, which is costing the South African economy R5.3 billion a year (nearly $300 million). A fraudster, armed with some personal information, calls up your mobile provider and says, “Hi, I’m you, and I’ve lost my SIM card. Can you please activate this new one for me?”
If the mobile provider is not having a particularly diligent day, they say, “Sure, sounds legit,” and poof, your phone number now belongs to someone else. Your phone goes dead, and you probably think it’s bad reception. But then the fraudster, who now controls your number, goes to your bank’s website. They type in your email and click “forgot password.” The bank, in its infinite wisdom, sends a one-time password to your phone number, which is now their phone number. The frauds do what frauds do. They can drain your accounts, apply for loans in your name, and generally have a grand old time with your financial life.
Now for the fun part: who foots the bill for this R5.3 billion party? Well, it’s complicated. The banks will tell you it’s the mobile providers’ fault for not having stronger security on SIM swaps. The mobile providers will tell you it’s the banks’ fault for relying on SMS-based two-factor authentication, which everyone knows is not the most secure method. And they both, if you press them, will probably mumble something about how it’s also a little bit your fault for not guarding your personal information more closely.
It’s a case of misaligned incentives. The banks don’t want more secure authentication methods because that’s more money and friction for their customers. The mobile providers don’t want to spend a lot of money on more rigorous SIM-swap checks because that also adds friction for their customers. And you, the customer, are caught in the middle, probably not thinking too much about any of this until all your money is gone.
Along with South Africa, Nigeria, and Ghana are countries that face similar problems and have tried to enforce stronger identity requirements during registrations and retrievals. The Ghana Chamber of Telecommunications estimates that GHS 346 million (approximately USD 28.5 million) was lost to such scams that year.
FEATURES
Research by Dubawa has revealed that ahead of Nigeria's 2027 general elections, there is a significant and growing threat from AI-generated disinformation designed to manipulate voters and destabilize the political landscape. Experts warn that the widespread use of social media for news, coupled with low digital literacy, makes the country exceptionally vulnerable to sophisticated deepfakes and simpler "shallowfakes."
Investigation by the Foundation for Investigative Journalism (FIJ) reveals that sensitive personal data of Nigerian citizens, including National Identification Numbers (NINs), Bank Verification Numbers (BVNs), dates of birth, and photographs, remain available for purchase online for a shockingly low price. Despite previous exposés and government assurances, a reporter was able to buy the complete data sets of four different individuals for a total of just N560 (approximately $0.40) from a website called NINPrint.com.
Philip Takyi points out that while cyber insurance is a vital tool, its adoption is low in regions like Sub-Saharan Africa, Southeast Asia, and Latin America. This is primarily because most available insurance products are designed for mature economies and do not account for the unique local operational, regulatory, and cultural contexts.
HEADLINES
NIMC directs SIM swap, registration complaints to telecom operators
Nokia to power Medusa submarine cable connecting Morocco to Europe
Digital gossip: when WhatsApp groups become serious cyber-risk zones
Somalia to require Digital National ID for bank account services starting in September.
Tinubu says the administration won’t lose focus on cybersecurity.
Cybastion and the Ivorian government launch construction of a data centre in Abidjan
aWhy cybersecurity is no longer optional in Africa’s mobile‑first economy
Nigeria has the highest number of breached email accounts in Africa.
MTN South Africa launches biometric digital identity system to combat fraud
Cyberwar and information manipulation: ANSSI-CI trains institutional managers in Abidjan
Reply