SIM Swapping
A fraud in which an attacker convinces a mobile carrier to transfer the victim's phone number to a SIM card the attacker controls, enabling them to intercept SMS messages and calls including authentication codes.
Also known as: SIM swap fraud, SIM hijacking, phone number takeover
Last reviewed: 10 June 2026
SIM swapping exploits the mobile carrier's customer-service process. Attackers gather personal information about the victim through social media, data breaches, or purchased data, then contact the carrier impersonating the victim to request a SIM transfer — claiming the phone is lost, damaged, or they have a new device. Once the number is ported, all calls and texts to the victim's number — including one-time passwords — are received by the attacker.
With SMS-based authentication codes in hand, attackers can reset passwords and access email, banking, cryptocurrency exchanges, and social media accounts. High-value cryptocurrency holders and celebrities have been targeted in organised SIM-swap campaigns resulting in millions of dollars stolen.
Mitigations include setting a SIM PIN or port-freeze with your carrier, using authenticator apps or hardware keys instead of SMS for MFA, and placing account-level notes requesting in-person ID verification for any changes.
Examples
- An attacker uses leaked personal data to convince a carrier's helpdesk to port a victim's number; they then reset the victim's cryptocurrency exchange account using SMS codes.
- A fraudster impersonates a victim at a carrier store with a forged ID to obtain a new SIM bearing the victim's number.