Your mobile phone number is far more than a way for people to call you. It is increasingly used as a security credential — the last line of defence protecting email accounts, banking platforms, cloud services, and business applications. SMS-based two-factor authentication, account recovery via text message, and phone-number-linked identity verification all rely on the assumption that whoever holds your phone number is you. SIM swapping attacks exploit that assumption with devastating effect.
TL;DR — Key Takeaways
- ✓ Learn how SIM swapping attacks let criminals take over phone numbers, bypass MFA, and drain business accounts — and how to defend against them
- ✓ Explore how SIM swapping works
- ✓ Learn about the business impact of SIM swap attacks
Visual Overview
flowchart LR
A["Attacker Gathers Info"] --> B["Calls Mobile Carrier"]
B --> C["Social Engineers Agent"]
C --> D["SIM Transferred"]
D --> E["Receives Victim SMS"]
E --> F["Bypasses SMS MFA"]
F --> G["Account Takeover"]
A SIM swap attack — also called a SIM hijack or port-out scam — allows a criminal to take control of your phone number by convincing your mobile carrier to transfer it to a SIM card they control. Once they have your number, they can intercept SMS verification codes, reset passwords, and gain access to virtually any account linked to that number. For businesses, a successful SIM swap against a key employee or owner can result in account takeovers, financial theft, and a cascade of secondary breaches.
How SIM Swapping Works
The mechanics of a SIM swap are straightforward, which is part of what makes these attacks so dangerous. Mobile network operators allow customers to transfer their number to a new SIM card — a legitimate service used when a phone is lost or damaged. Attackers exploit this process by impersonating the target to the carrier's customer service team.
Gathering the Target's Personal Information
Before approaching a mobile carrier, attackers research their target. They need enough personal information to pass identity verification. This data is readily available from multiple sources: data breaches, social media profiles, credential harvesting operations, or direct phishing attacks targeting the individual. Typical information sought includes full name, address, date of birth, account number, and answers to security questions.
The proliferation of personal data from large-scale breaches means that for many individuals, this information is already available on dark web marketplaces for a trivial sum. Attackers may also use vishing (voice phishing) calls to extract missing details directly from the target before approaching the carrier.
Social Engineering the Carrier
Armed with the target's personal details, the attacker contacts the mobile carrier — by phone, online chat, or in-store — and requests a SIM transfer, claiming their phone has been lost, stolen, or damaged. Customer service representatives, who handle hundreds of such requests and are incentivised to resolve issues quickly, may approve the transfer based on the information provided without rigorous additional verification.
In some documented cases, attackers have bribed carrier employees directly. In others, they have exploited weaknesses in specific carriers' verification procedures. The result is the same: the target's phone number is ported to the attacker's SIM card within minutes or hours.
The Account Takeover Cascade
Once the attacker controls the phone number, the target's device loses mobile signal — often the first sign something is wrong. The attacker immediately begins resetting passwords on high-value accounts. Email is typically the first target, because email account access enables password resets across almost every other platform. Banking apps, cryptocurrency wallets, business cloud services, and payment platforms quickly follow.
Because SMS-based multi-factor authentication codes are now being delivered to the attacker's device, every account that relies on SMS verification is compromised. The window of access can last anywhere from minutes to hours before the victim realises what has happened and is able to contact their carrier.
Business Impact of SIM Swap Attacks
The consequences of a successful SIM swap can be severe for businesses of any size:
- Financial theft: Bank accounts and payment platforms accessed via compromised credentials can be drained rapidly. Wire transfers and cryptocurrency withdrawals are often irreversible.
- Email account takeover: A compromised business email account enables business email compromise (BEC) fraud, supplier impersonation, and access to sensitive communications.
- Cloud service access: Business applications including CRM systems, cloud storage, HR platforms, and project management tools may be accessed, exfiltrated, or encrypted.
- Reputational damage: An attacker controlling a business owner's phone number and email may impersonate them to clients, suppliers, or staff, causing lasting reputational harm.
- Regulatory exposure: If a SIM swap leads to a data breach, the business may face notification obligations under GDPR or other applicable data protection laws.
Defending Against SIM Swap Attacks
Move Away from SMS-Based Authentication
The most impactful change a business can make is to eliminate SMS as a second factor for any sensitive account. Authenticator apps — such as Google Authenticator, Microsoft Authenticator, or Authy — generate time-based one-time passwords (TOTP) that are tied to the device, not the phone number. Because they do not involve the carrier's infrastructure at all, they are immune to SIM swap attacks.
For the highest-assurance accounts, hardware security keys (such as YubiKey or similar FIDO2 devices) provide phishing-resistant MFA that cannot be bypassed through SIM swapping, phishing, or most other remote attack techniques. Deploying hardware keys for executives, finance staff, and IT administrators provides the strongest protection where it matters most.
Set a Carrier PIN or Passcode
Most major mobile carriers allow customers to set a dedicated account PIN or passcode that must be provided before any SIM transfer can be processed. This is a simple, free control that significantly raises the bar for attackers. Ensure every employee whose phone number is linked to a business account has set a carrier PIN, and include this in your organisation's security baseline.
Some carriers also offer a "number lock" or "SIM lock" feature that prevents any port-out request from being processed without additional in-person or authenticated verification. Where available, this should be enabled for all critical business accounts.
Minimise the Use of Phone Numbers as Identity
Audit every business system and service to identify those that use a phone number for account recovery or as a primary authentication factor. Where alternatives exist — email-based recovery with strong authentication, or app-based MFA — make the switch. Reducing the number of systems that rely on phone-number identity limits the blast radius of a successful SIM swap.
Monitor for Early Warning Signs
Train employees to recognise the immediate warning sign of a SIM swap: unexplained loss of mobile signal on a device that is otherwise functioning normally. If an employee's phone suddenly loses all signal — particularly if it coincides with receiving no calls or messages that would otherwise be expected — they should immediately contact their carrier from a different device and alert their IT or security team.
Where available, enable account alerts on business banking and email platforms that notify via a secondary channel (such as a backup email address) when password changes or new device logins are detected.
Organisational Policy Considerations
Beyond technical controls, SIM swap risk should be addressed in your organisation's broader security policies. Key considerations include:
- MFA policy: Mandate the use of app-based or hardware MFA for all business systems. Explicitly prohibit SMS as a second factor for administrative accounts, financial platforms, and cloud services holding sensitive data.
- Personal device usage: If employees use personal mobile numbers as authentication factors for business accounts, ensure they are also following the carrier PIN and authenticator app recommendations above.
- Incident response procedures: Your incident response plan should include a specific procedure for suspected SIM swap attacks, including who to call at the carrier, how to regain account access, and when to involve law enforcement.
- Employee awareness: Ensure staff understand that their personal phone number may be targeted specifically because of their business role, and that data brokers and breach databases often have enough information to facilitate an attack.
What to Do If You Are Attacked
Speed is critical. If you suspect a SIM swap is in progress:
- Call your mobile carrier immediately from a different phone and request an emergency lock on your account and number.
- Change passwords on critical accounts — starting with email — from a device and network not associated with the compromised number.
- Notify your bank and any payment platforms immediately. Request that outgoing transactions be frozen while you regain control.
- Alert your IT team or managed security provider so they can monitor for unusual access across business systems.
- Report the attack to Action Fraud (UK) or the FBI's IC3 (US). SIM swap fraud is a criminal offence, and reporting contributes to law enforcement intelligence.
- Notify your cyber insurer if business accounts have been accessed or funds moved. Early notification is typically required under policy terms.
SIM swapping demonstrates a fundamental vulnerability in how our digital infrastructure has evolved: we have built account security around phone numbers without adequately securing the phone number itself. For businesses, the practical response is to treat phone numbers as weak credentials and invest in stronger alternatives. The technology exists — authenticator apps and hardware keys are widely available, often free, and require minimal effort to deploy. The question is simply whether your organisation acts before or after an attacker exploits the gap.