Porting Authorisation Code (PAC) Fraud
Fraud in which an attacker obtains the Porting Authorisation Code needed to move a victim's phone number to a new carrier without the victim's consent.
Also known as: PAC code fraud, number port fraud
Last reviewed: 10 June 2026
In many markets, transferring a mobile number to a new carrier requires a Porting Authorisation Code (PAC) issued by the current carrier. PAC fraud involves an attacker calling the victim's carrier — impersonating the victim using personal data harvested through OSINT or data breaches — to request this code, then using it to complete an unauthorised port.
Once the number is ported, the attacker receives all SMS messages to that number, including authentication codes. The victim typically notices only when their phone loses service or they receive notification of the transfer.
Carriers are required in many jurisdictions to implement security processes before issuing PACs, such as identity verification or account PINs. Customers should set strong account PINs with their carrier and opt in to any available port-lock features.
Examples
- An attacker uses leaked data to pass a carrier's security questions and obtain a PAC, completing a silent number transfer.
- A victim's phone displays 'No Service' — the first sign their number has been ported to a fraudster's SIM.