Unlocking the threat: how SIM card fraud undermines digital security in South Africa

In a digital age where personal information is a currency, SIM cards have unwittingly become the gateways through which cyber and financial criminals exploit unsuspecting victims. South Africa, with its thriving digital ecosystem, is not immune to the rise of SIM-related crimes, witnessing an alarming ramp-up of SIM-swap fraud, identity impersonation, and the industrialised operations of SIM farms.

The 2025 Telecommunications Sector Report released by the Communications Risk Information Centre painted a stark picture — telecom fraud, encompassing a range of scams including SIM-swap, subscription, and identity fraud, cost the nation approximately R5.3 billion in 2024 alone. This figure spotlights an undeniable truth: each SIM-based attack is an identity-based breach, and every breach lays bare a spectrum of risks related to anti-money laundering (AML) and financial crime.

Bradley Elliott, CEO of RelyComply, said: “A SIM card is, effectively, a portable identity token. Once compromised, it gives attackers a back door into bank accounts, digital wallets, and high-risk transactional environments. Put plainly: the SIM card has become the weakest link in the identity chain.”

The mechanics of SIM-swap fraud

SIM-swap fraud is among the most insidious forms of cybercrime plaguing South Africans. In this scenario, criminals orchestrate a con to convince mobile network operators to transfer a victim’s number to a new SIM card, which they then control. Often leveraging personal information gleaned from phishing attacks or the dark web, these criminals intercept calls and texts, including critical One-Time Passwords (OTPs), to gain access to victims' online accounts.

While the Regulation of Interception of Communications and Provision of Communication Related Information Act (RICA) mandates that SIM cards be registered under users' ID numbers and proof of address, the effectiveness of these safeguards has been called into question. South Africans frequently change SIMs, and the ease of acquiring RICA-authorised SIMs from informal traders means that regulatory measures have not adequately curtailed SIM crime.

The rise of SIM farms

Crucially, the emergence of SIM farms — massive operations that can host hundreds of SIM cards — has exacerbated the problem. With their capacity to facilitate industrial-scale identity impersonation campaigns, SIM farms commodify fraud, often stretching across borders. Each illicit SIM card in circulation epitomises a counterfeit identity, amplifying the risks for both organisations and end users alike.

Businesses are particularly vulnerable, especially when they rely on SMS-based OTPs for multi-factor authentication (MFA). Criminals adept at executing SIM-swaps can swiftly hijack user data, leading to significant financial losses. Elliott warns, “The industry’s dependency on SMS-based MFA has created a false sense of security. While OTPs play an important role, they are far too vulnerable to stand alone.”

Rethinking identity verification

As the situation intensifies, experts urge businesses to explore alternative, more secure means of identity verification. Approaches such as advanced biometric systems including FaceID, behavioural intelligence analytics, push notification MFA, and the implementation of apps like Google Authenticator can enhance security, as they are not tethered to phone numbers — making them less susceptible to SIM-related attacks.

"Modern identity verification needs to be layered, risk-based, and adaptive. These technologies exist. The problem is not capability, it’s co-ordination,” Elliott stresses, calling for the need for an interconnected ecosystem among banks, telcos, regulators, and social media platforms.

A growing call for co-operation

The reality is that SMS OTPs, while foundational to digital authentication, reveal a glaring flaw in the financial ecosystem's defence against fraud. A lack of co-ordinated communication between telcos, banks, and regulators allows criminals to exploit gaps created by an absence of shared intelligence. Elliott argues for a more cohesive compliance ecosystem that could pre-empt vulnerabilities in the system.

“Telcos know when SIM-swaps occur. Banks know when high-risk transactions spike. Regulators see emerging patterns first. But these signals remain unshared or shared too slowly to matter. This is where RegTech needs to step in,” he says. Vital improvements can only be achieved through collaboration across sectors, despite varying data privacy standards.

A robust public education campaign on SIM crime is essential, says Elliott. Awareness initiatives that educate users on identifying potential threats and safeguarding their identities will strengthen the collective fight against SIM fraud.

“A SIM compromise is never just a telecom incident; it’s an AML incident. It’s a fraud incident. It’s a financial crime incident. Every weak link — every unverified identity, every siloed database, every unreported SIM-swap — gives criminals a foothold. To reclaim identity integrity, the ecosystem must move as one,” concludes Elliott.

IOS