How does a SIM swap attack work?

An attacker contacts your mobile carrier, impersonating you using personal information (name, address, last four of national ID, account number) obtained from data breaches or social media. They claim their phone was lost or damaged and request your number to be ported to a new SIM they control. Once the transfer completes, they receive all calls and SMS messages — including banking OTPs and password reset codes. The attack can be completed in under 30 minutes.

What information do attackers use to authorise a SIM swap?

Mobile carriers typically verify identity by asking for: the account holder name, billing address, account number or last 4 digits of a national ID, and often the last 4 digits of a recent bill. All of this information is readily available from data broker websites, social media, and the multiple large-scale data breaches that include address history, national ID fragments, and phone numbers. The information barrier to SIM swap is extremely low.

Which carriers provide the best protection against SIM swap?

Carriers with the strongest SIM swap protections include those offering: number transfer PINs (a separate PIN required to authorise any number port), mandatory in-store ID verification for SIM replacements, and account-level porting freeze options. In the UK, the major carriers offer number porting freeze on request. In the US, AT&T Number Lock, T-Mobile SIM Lock, and Verizon Number Lock are the most effective options. Enable these if available to you.

How do I detect if my SIM has been swapped?

The primary indicator is sudden loss of all mobile service — calls, texts, and data — on your existing SIM. This means the number has been ported away. Secondary indicators include: unexpected notifications from your mobile account about SIM changes, failed phone calls from your network, or authentication failures on accounts that use SMS OTP (because the codes are going to the attacker's SIM). Contact your carrier immediately if you experience unexplained loss of service.

Does removing SMS as an MFA method completely protect against SIM swap?

Removing SMS OTP from financial accounts significantly reduces SIM swap risk — the attacker can no longer receive OTPs for your banking logins. However, many banks still use your mobile number for password reset flows even if SMS MFA is not your primary login factor. Ask your bank whether SMS is used in any account recovery path and, if so, how to remove it or replace it with an alternative recovery method.

SIM Swap Attacks: How Fraudsters Target Financial Accounts

SIM swap fraud (also called SIM hijacking or port-out scam) is the process of socially engineering a mobile carrier into transferring a victim's phone number to an attacker-controlled SIM. Once successful, the attacker receives all SMS messages and calls intended for the victim — including banking one-time passwords, password reset codes, and authentication alerts. The attack requires no technical sophistication: only personal information and a phone call.

What Is a SIM Swap Attack?

A SIM swap attack occurs when a fraudster convinces your mobile carrier to transfer your phone number to a SIM card they control. Once they hijack your number, every call and text message intended for you—including one-time passcodes and account recovery links—flows directly to the attacker's device. Because so many financial institutions rely on SMS-based verification, your phone number effectively becomes a master key to your bank accounts, investment portfolios, and cryptocurrency wallets.

How Fraudsters Pull It Off

SIM swapping rarely begins with the phone company. It starts with reconnaissance. Attackers gather personal details about you from data breaches, social media oversharing, and phishing emails. Armed with your name, date of birth, address, and the last four digits of your account, they impersonate you when contacting your carrier.

Social engineering: The fraudster calls customer support claiming a lost or damaged phone and requests activation on a new SIM.
Insider bribery: Some attackers pay corrupt telecom employees to perform the transfer directly.
Phishing for PINs: Fake security alerts trick victims into revealing carrier account PINs and verification answers.
Port-out fraud: The number is moved to an entirely different carrier, making recovery slower and more confusing.

Why Financial Accounts Are the Prime Target

Money is the motive. After seizing your number, attackers trigger password resets on your email, then cascade into every linked account. Banking apps, brokerage platforms, and crypto exchanges send their SMS codes straight to the criminal. Within minutes, funds can be wired out, assets liquidated, or digital currency drained to anonymous wallets that are nearly impossible to trace or reverse.

Warning Signs of a SIM Swap

Your phone suddenly loses all signal or shows "No Service" without explanation.
You stop receiving calls and texts while others say your line is active.
You get unexpected notifications about SIM activation or account changes.
You're locked out of email or banking apps despite knowing your password.

How to Protect Yourself

Defending against SIM swap fraud requires reducing your reliance on the phone number as a security factor. The strongest defense is replacing SMS verification with methods an attacker cannot intercept by stealing your number.

Use app-based or hardware authenticators: Authenticator apps and physical security keys generate codes on your device, not over the cellular network.
Add a carrier PIN or port-freeze: Ask your mobile provider to lock your account against unauthorized transfers.
Limit personal data exposure: Avoid publicly sharing your birthday, address, and phone number that fuel impersonation.
Use a dedicated password manager: Strong, unique passwords stored in Titan Passwords prevent a single breach from unlocking multiple accounts.
Enable account alerts: Turn on instant notifications for logins, transfers, and password changes.

Stay One Step Ahead

SIM swap attacks succeed because they exploit weak links in identity verification and password hygiene. By moving away from SMS-based codes, locking down your carrier account, and managing credentials securely with Titan Passwords, you remove the easy paths fraudsters depend on. Vigilance and layered protection turn your accounts from soft targets into fortified ones, keeping your finances firmly in your control.

The Attack in Five Steps

Information gathering: Attacker compiles personal details from data broker sites, social media, dark web breach databases, and public records
Carrier contact: Attacker calls the mobile carrier, claims to be the account holder, and requests a SIM replacement (phone lost/damaged)
Social engineering: Attacker provides sufficient personal information to pass the carrier's identity verification — often straightforward given the data available
SIM activation: Carrier ports the number to the attacker's SIM — typically within 30 minutes
Account takeover: Attacker triggers "forgot password" on banking apps, receives SMS reset codes, resets credentials, and accesses accounts

Reported Cases and Scale

The FBI's Internet Crime Complaint Center (IC3) reported SIM swap losses of $72 million in 2022, rising significantly in subsequent years as the technique became more widely known among fraud groups. Notable cases include the takeover of high-value cryptocurrency accounts using SIM swap against SMS MFA. UK Finance reported multiple high-value banking fraud cases attributable to SIM swap in 2024 and 2025.

Layered Protection Strategy

Enable carrier SIM lock / number lock — prevents porting without additional in-person verification
Replace SMS MFA with hardware FIDO2 keys or authenticator apps on all financial accounts
Review bank recovery flows — ensure your mobile number is not used as a recovery fallback
Use unique strong passwords — eliminates credential stuffing as the initial access vector
Enable all account change alerts — immediate notification of suspicious activity

SIM swap fraud SMS MFA social engineering financial fraud

For informational purposes only. This does not constitute financial or legal advice. Consult qualified compliance and legal professionals for regulated financial environments.

← MFA for Financial Accounts: Hardware Keys vs T Using a Password Manager for Banking and Finan →