eSIM vs physical SIM: Security differences, risks, and how fraudsters exploit them

A 47-year-old employee in Bengaluru lost over ₹11.9 lakh after fraudsters allegedly tricked him into sharing sensitive information during a fake eSIM activation process. In a separate incident, an IT engineer from Noida lost more than ₹24.8 lakh from her bank accounts and credit card after a scammer claiming to be a telecom executive convinced her to upgrade her 4G SIM to 5G.

These are not unusual cases of SIM fraud, as another 27-year-old man from Bengaluru lost over Rs 7 Lakh in a SIM-Swap scam. What makes it more suspicious as the victim never even received a suspicious call. 

India has over a billion smartphone users, in which your SIM card, whether a physical SIM or a digital eSIM, is one of the most important components of your phone because it helps verify your identity. 

Must read: No call, no link, no Clue: This Bengaluru youth loses ₹7.2 lakh in SIM-swap fraud

In addition, the majority of services, including banking, payment apps, and social media platforms, rely on mobile numbers to send OTPs and security alerts. If scammers gain control of your SIM, they may be able to get acces to your OTPs, reset passwords, and access sensitive accounts. Therefore, it is crucial to understand the difference between physical SIMs and eSIMs, and how criminals can misuse each type.

What is eSIM?

An eSIM stands for embedded SIM,  which is built directly into your phone's motherboard. This SIM does not require a physical card, as it can only be activated via scanning a QR code or entering an activation code provided by your carrier.

Due to its embedded nature, it offers an additional layer of protection against theft. Since they cannot be removed from a device, attackers must gain access to both the unlocked handset and credentials to authorise an eSIM transfer. However, it may not be as safe as presumed, and its compatibility is also a bigger challenge. 

Must read: A duplicate SIM, stolen OTPs and ₹87 lakh gone: Know why BSNL is now paying ₹55 lakh

What is Physical SIM?

A physical SIM refers to a Subscriber Identity Module, which consists of a small plastic card with a tiny chip that connects you to a mobile network. The chip stores your phone number, your network credentials, and a unique identifier that tells your carrier who you are. Once inserted into a smartphone, a SIM card links the device to a mobile network, enabling services such as calling, texting, internet access, and video streaming.

eSIM vs physical SIM: Security Difference

• Physical SIMs can be easily stolen, whereas eSIMs cannot be physically removed. 
• Physical SIM can be cloned using specialist hardware, but eSIM cannot be physically cloned.
• Physical SIM can be swapped by stealing or convincing your carrier to issue a duplicate. An eSIM swap requires convincing your carrier to transfer the digital profile to another device.
• Physical SIM gives a thief immediate access to OTPs if the card is in their phone. eSIM requires account-level access to redirect OTPs.
• Physical SIM loss is immediately obvious as your phone stops working. eSIM compromise may be less immediately apparent.

While eSIMs may come as a safer option, scammers have found unique ways to exploit the technology and trick users into transferring control of their mobile numbers. Here are ways scammers are exploiting eSIMs:

Must read: Apple may introduce a similar security feature to Google's Theft Detection: What users should know

How fraudsters are exploiting eSIMs in India

Fake 5G upgrade scam: Fraudsters reportedly call people posing as telecom executives, and offer an upgrade from 4G to 5G SIM. After the victim agrees, the fraudsters initiate an eSIM activation request on their number without any OTP or link verification. The victim's mobile network is immediately disabled, and they drain bank accounts using the intercepted OTPs.

eSIM-to-physical SIM conversion scam: Fraudsters are also posing as bank executives and contacting people and convincing them that their eSIM needs to be converted into a physical SIM due to security reasons.

TRAI impersonation scam: It's a scam in which fraudsters impersonate TRAI through fake calls or messages, claiming a SIM card will be deactivated due to fraud or KYC issues. They create a sense of urgency to trick users into sharing sensitive information such as Aadhaar details, OTPs, and banking credentials.