A SIM swap takes 4 minutes to execute at a telecom service centre. In those 4 minutes, a fraudster gains control of a phone number they do not own — the number linked to the victim's Aadhaar, bank account, and OTP delivery channel. By the time the victim realises their phone has no service, a loan application may already be in the system using their identity. The Fraud Risk AI detects the swap before the OTP is sent.
How SIM-Swap Fraud Works in Indian Lending
The mechanics are well-documented and depressingly simple. A fraudster obtains a victim's PAN, Aadhaar number, and mobile number — available through data breaches, social engineering, or dark web purchase. They visit a telecom outlet with fraudulent identity documents and request a SIM replacement or number portability on the victim's number. Once the swap is processed, all OTPs and authentication messages intended for the victim are delivered to the fraudster's new SIM.
The fraudster then initiates a loan application at one or more digital lenders using the victim's identity. Aadhaar OTP-based verification — the cornerstone of digital KYC in India — is effectively compromised: the OTP goes to the fraudster, who completes the verification, and the application proceeds through the pipeline as if it were a legitimate borrower. By the time the loan is disbursed, the fraudster has transferred the funds and vanished, leaving the victim to dispute a loan they never took.
The window between SIM swap and loan disbursement is typically 2 to 8 hours for fast-disbursing digital lenders. The Fraud Risk AI collapses this window to zero by detecting the swap at the moment of application, before any OTP is sent.
The 8 SIM-Swap Signals the AI Monitors
| Signal | Data Source | SIM-Swap Indicator | False Positive Risk | Weight |
|---|---|---|---|---|
| SIM issue date vs application date | Telecom API (TRAI-mandated) | SIM issued within 72 hours of application — primary indicator | Low — legitimate users rarely apply immediately after SIM change | Critical |
| Number portability event | MNPAS / Telecom API | Port-in completed within 7 days of application | Low — legitimate port-in users typically have weeks of history on new network | Critical |
| Device fingerprint change | App SDK / Browser fingerprint | Mobile number previously accessed from Device A; current session from new Device B | Medium — device upgrades are common; requires combination with other signals | High |
| Location mismatch | IP geolocation / GPS (if consented) | Application from city/state inconsistent with registered address and prior account activity | Medium — travel creates legitimate mismatches; weighted by distance magnitude | High |
| Velocity of bureau enquiries | CIBIL / Experian API | 3+ enquiries in 48 hours from different lenders on same PAN | Low — spam-apply behaviour is a fraud marker regardless of SIM swap | High |
| Aadhaar OTP timing anomaly | UIDAI OTP logs (internal) | OTP completed in under 8 seconds — fraudsters pre-stage the process | Medium — fast typists exist; requires combination signal | Medium |
| Bank account activity gap | Bank statement analytics | No transactions on linked bank account in 30+ days prior to application | High — dormant accounts are common; use as corroboration only | Supporting |
| Application time of day | Application timestamp | Application submitted between 2 AM and 5 AM — fraudster operating window | Medium — shift workers apply at unusual hours; weighted by geography | Supporting |
The SIM-Swap Detection Timeline
Legitimate
Customer's Mobile Number Has 6+ Months of Normal History
Mobile number registered to customer for 3 years. App logins from consistent device (Samsung Galaxy, Mumbai IP range). Bank transactions weekly. Bureau enquiry 6 months ago for personal loan. Fraud AI baseline established — all signals within normal parameters.
04:12 AM
Fraudster Completes SIM Swap at Telecom Service Centre
SIM swap completed on victim's number. Telecom records show new SIM issued at 11:47 PM the prior evening — unusual time for a service centre transaction. Network shows 4 hours of "no service" before the number came live on new SIM. Fraud AI receives SIM age data from telecom API when application is initiated.
04:18 AM
Loan Application Submitted — 3 Critical Signals Converge
Application received: ₹4.8L personal loan. Fraud AI checks in parallel: (1) SIM issued 4.5 hours ago — Critical signal. (2) Application from Ahmedabad IP; registered address Mumbai — High signal. (3) 2 bureau enquiries in last 6 hours from other lenders — High signal. Combined fraud score: 94/100. Application auto-held. OTP suppressed. Fraud investigation team alerted within 90 seconds.
04:20 AM
Application Held Pending Manual Verification
Application placed in fraud review queue. Borrower (the victim) has not yet been notified by their telecom of the SIM swap — they are asleep, their phone showing no service. Fraud investigation team initiates: callback attempt to the original network number (fails — number now on new SIM); verification of address via secondary check. Application never disbursed. Victim contacted at 9 AM via email registered on account.
The Balance: Fraud Detection Without False Positives
The most expensive fraud detection model is not one that misses fraud — it is one that creates false positives. A legitimate borrower who travels for work and purchases a new SIM card because their old phone broke should not find their loan application blocked and their identity suspended. The Fraud Risk AI uses a tiered response architecture rather than a binary block-or-pass system.
A single moderate signal — new SIM with no other corroborating indicators — routes the application to a step-up verification: the borrower is asked to complete a secondary authentication via their registered email address and confirm their PAN and registered address verbally during V-KYC. This adds 5 minutes to their journey while generating corroborating evidence that is either reassuring (confirmed identity match) or further damning (cannot confirm details). Only the combination of multiple high-weight signals, or a single Critical signal, results in an application hold for investigation.
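The tiered response above, applied to the thresholds in the signal table and evaluated before any OTP is dispatched. This is an added example, not the vendor's code. Assumptions: the field names are hypothetical, a lone High signal maps to step-up, Supporting signals only corroborate, and the OTP-timing signal is omitted because it exists only after an OTP has been sent.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Application:  # hypothetical field names, all known before OTP dispatch
    submitted_at: datetime
    sim_issued_at: datetime
    port_in_at: Optional[datetime]
    device_seen_before: bool
    location_consistent: bool
    bureau_enquiries_48h: int
    days_since_bank_txn: int

def fired_signals(app):
    """Map each fired signal to its weight, using the table's thresholds."""
    now, hits = app.submitted_at, {}
    if now - app.sim_issued_at <= timedelta(hours=72):
        hits["sim_age"] = "Critical"
    if app.port_in_at and now - app.port_in_at <= timedelta(days=7):
        hits["port_in"] = "Critical"
    if not app.device_seen_before:
        hits["device_change"] = "High"
    if not app.location_consistent:
        hits["location_mismatch"] = "High"
    if app.bureau_enquiries_48h >= 3:
        hits["bureau_velocity"] = "High"
    if app.days_since_bank_txn >= 30:
        hits["bank_activity_gap"] = "Supporting"
    if 2 <= now.hour < 5:
        hits["time_of_day"] = "Supporting"
    return hits

def decide(app):
    """Tiered response, evaluated before any OTP is sent."""
    hits = fired_signals(app)
    weights = list(hits.values())
    if "Critical" in weights or weights.count("High") >= 2:
        return "hold", hits       # fraud review queue, OTP suppressed
    if "High" in weights:
        return "step_up", hits    # assumption: one High signal alone
    return "proceed", hits        # assumption: Supporting only corroborates

# Constructed samples: the timeline's 04:18 AM application, and a device upgrade.
T = datetime(2024, 1, 10, 4, 18)
SWAPPED = Application(T, T - timedelta(hours=4.5), None, False, False, 2, 3)
UPGRADE = Application(datetime(2024, 1, 10, 14, 0), datetime(2021, 1, 10),
                      None, False, True, 0, 2)

if __name__ == "__main__":
    for name, app in (("swapped", SWAPPED), ("upgrade", UPGRADE)):
        print(name, *decide(app))
```

The constructed device-upgrade case lands in step-up rather than hold, which is the false-positive behaviour the tiered design is meant to produce.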
The OTP Is Not the Authentication — It Is the Target
The entire architecture of OTP-based authentication assumes that the phone number is controlled by the person who owns it. SIM swap attacks invalidate that assumption. The Fraud Risk AI checks the validity of the phone-to-person link before the OTP is sent — not after it is verified. Catching a SIM swap after OTP completion is damage limitation. Catching it before OTP dispatch is fraud prevention.
