Toronto Police Service (TPS) has arrested 10 individuals and laid over 100 charges in a major “SIM swap” fraud investigation.
SIM swapping is when someone takes over a victim’s cellphone number by exploiting weaknesses in two-factor authentication. The perpetrator often contacts the victim’s phone provider and convinces them they are a client. They then switch the SIM card associated with their account, allowing the criminal to gain access to the phone and receive text messages for password recovery or changes. They can also access social media accounts, bank accounts, and email accounts.
More than 1,500 cellular accounts from across the country were compromised, TPS said, while a total of more than $1 million was lost by individuals, telecom companies, and financial institutions.
“In this scheme, individuals compromised an unsuspecting victim’s cellphone by switching the SIM card associated with the account, either by impersonating the customer at the cellphone store, or otherwise gaining access to the accounts,” said Detective David Coffey, from the Financial Crimes Unit, during the news conference.
The investigation started in June 2023 after multiple telecom companies filed reports with police.
TPS says it executed multiple search warrants in the investigation, where authorities found over 400 fake identifications.
In many cases, suspects will impersonate victims at several locations using fake IDs, according to police.
“Often they would then use the same identification at the victim’s financial institutions to take over their bank accounts,” Coffey said.
In other cases, fraudsters used phishing techniques such as false web links and websites.
- Noah Ibgui, 24, with fraud over $5,000, intercepting private communication, fraudulently obtaining computer service, and mischief to computer data;
- Syed Shan, 23, is facing fraud over $5,000, intercepting private communication, unauthorized use of a computer, and possession of property obtained by crime;
- Syed Hunain, 22, has been charged with two counts of fraud over $5,000, intercepting private communication, unauthorized use of a computer, and possession of property obtained by crime;
- Waseem Abbas, 18, is facing fraud over $5,000 and possession of property obtained by crime;
- Ounali Hussain, 23, has been charged with fraud Over $5,000 and possession of property obtained by crime;
- Huzaifa Motala, 20, is charged with two counts of fraud over $5,000, and public mischief;
- Brandon D’Amico, 21, is facing 18 counts of personation with intent, 18 counts of possessing identity information for fraudulent purposes, 18 counts of intercepting private communications, one count of fraud under $5,000, and four counts of possessing a counterfeit mark;
- Maria Aguja, 19, has been charged with eight counts of personation with intent, eight counts of possessing identity information for fraudulent purposes, and eight counts of intercepting private communications;
- Muhammad Ibrahim, 20, is charged with fraud over $5,000 and public mischief;
- Owais Varachhia, 24, is facing three counts of fraud over $5,000.
Two more individuals are being sought in the case: Nadia Campitelli, 47, who is wanted for three counts of fraud over $5,000, one count of fraud under $5,000, intercepting private communications, and breach of probation, as well as Hervine Umutijima, 26, who is facing seven counts of fraud under $5,000, a mischief to computer data charge, attempted fraud, personation with intent, identity theft and using a forged document.
How SIM Swap Schemes Work
Det.-Const. Michael Gow said that SIM swapping is not about physically taking someone’s SIM card but more like identity theft.
“They’re able to convince the telecommunication companies that they are in fact the customer that they’re going after,” he said during the news conference.
“They will then use that customer’s information, bypass security, and then they’ll take over the phone number and tell the communication company to transfer the phone number of the effective customer over to the SIM card that they possess.”
From there, according to Gow, the phone number is used by fraudsters to get into someone else’s two-factor verification.
“They will go to something like their email and they’ll hit the Forgot My Password button on the email. That one-time password to take over that email is then sent to the suspects, not the victims.”
He said victims have little warning that the crime is happening, except when there is an SOS icon on a phone.
“All they see is SOS in the top right-hand corner of the phone. What that means is there’s a SIM card in their phone and it’s not transmitting any signal. So the victim is none the wiser to what’s happening,” Gow said.
How to Protect Against SIM Swapping
TPS offered ways that Canadians can protect themselves against SIM swapping, including:
Know your digital footprint
Gow said that suspects will track people online as they identify who to target.
“They’re looking for juicy targets. They’re looking for people where they can get a greater yield from… almost cyberstalking them beforehand. And then once they have enough information, then they execute,” he said.
“The more information you are presenting online, the more information they have to pose as you,” Gow added.
Understand privacy settings
Along with limiting what you post online, it’s also important to be cautious when providing any type of personal information. He said to be suspicious of internet surveys or questions that ask personal information such as your mother’s maiden name or first pet’s name.
“Be aware of and the source of when you’re answering those things,” Gow said.
He advised to avoid those types of online surveys and only answer questions from a trusted source.
Be aware
TPS says that many members of the public are not aware of SIM swapping and may not recognize when it happens to them.
“This crime is going vastly unreported and we’re trying to change that by educating the public,” Gow said.
He said that if someone notices the SOS icon on their phone and they have cell towers around— such as in downtown Toronto—it’s a warning sign.
Avoid 2-Step verification
It’s also recommended to avoid using two-step verification using your phone number.
“If you can disable it and use different methods of authentication, say Google Authenticator, Microsoft Authenticator or other like apps, that would be ideal,” Gow said.