Cash App Account Takeover via SIM-Swap Scam
Criminals who cannot intercept a Cash App sign-in code by social engineering instead perform a SIM swap (transferring the victim's phone number to a SIM they control) so that Cash App's SMS-based sign-in codes arrive on the attacker's device rather than the victim's.
Part of: Account Takeover Scams
Last reviewed: 7 June 2026
Cash App's authentication relies on a sign-in code sent to the user's registered phone number. If an attacker can control that phone number — by convincing a carrier to transfer it to a new SIM — they receive all future sign-in codes and can log in to Cash App without any social engineering of the victim. This technique is called SIM swapping.
The SIM-swap process typically involves a fraudster calling the victim's mobile carrier, impersonating the account holder, and requesting a SIM change. They claim to have a new phone or a lost SIM and provide personal details (name, date of birth, partial account number) sourced from data breaches or social-media research. Some carriers have robust verification, but account compromises via SIM swap remain a significant problem industry-wide.
The victim notices the attack when their phone suddenly loses signal — the carrier has moved the number to the attacker's SIM. At that point, the attacker is already receiving SMS messages on the victim's behalf, including Cash App sign-in codes, enabling full account takeover.
How this scam works on the Cash App brand
The SIM-swap attack on a Cash App account unfolds in two phases. First, the attacker gathers enough personal information about the victim to impersonate them to the carrier — this may come from social-media research, data-broker records, or a prior phishing campaign. Then they contact the carrier and request the SIM transfer.
Once the swap succeeds, the attacker logs in to Cash App using the victim's phone number, receives the sign-in code on the SIM they now control, and enters it to complete the login. They immediately change the linked bank account to their own and withdraw the available balance. The entire post-swap phase may take under five minutes.
The victim, who has lost phone service, may not immediately connect the outage to a financial attack. By the time they visit the carrier store to restore their service and then check their Cash App, the funds are already gone.
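For fraud and detection teams, the post-swap sequence described above (sign-in, linked bank account change, withdrawal, all within about five minutes) can be expressed as a correlation rule. The following is an added example, not code from Cash App or any carrier; the event names, the tuple layout and the availability of a carrier SIM-change signal are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (timestamp, account, event type). The layout and
# event names are assumptions, not Cash App's or any carrier's real log schema.
SAMPLE_EVENTS = [
    ("2026-06-01T10:00:00", "acct-A", "sim_change"),
    ("2026-06-01T10:07:10", "acct-A", "sign_in"),
    ("2026-06-01T10:08:30", "acct-A", "bank_link_changed"),
    ("2026-06-01T10:10:45", "acct-A", "cash_out"),
    ("2026-06-01T11:00:00", "acct-B", "sign_in"),
    ("2026-06-01T11:30:00", "acct-B", "cash_out"),           # no bank change
    ("2026-06-01T12:00:00", "acct-C", "sign_in"),
    ("2026-06-01T12:01:00", "acct-C", "bank_link_changed"),
    ("2026-06-01T12:20:00", "acct-C", "cash_out"),           # outside window
]

CHAIN = ("sign_in", "bank_link_changed", "cash_out")


def find_takeovers(events, window=timedelta(minutes=5),
                   sim_lookback=timedelta(hours=24)):
    """Return alerts for sign-in -> bank change -> cash-out chains that
    complete within `window`; mark those preceded by a SIM change."""
    alerts, state, last_sim = [], {}, {}
    for ts, acct, kind in sorted(events):
        t = datetime.fromisoformat(ts)
        if kind == "sim_change":
            last_sim[acct] = t           # remember the latest swap per account
            continue
        if kind == "sign_in":
            state[acct] = (t, 1)         # (chain start, next CHAIN index)
            continue
        start, idx = state.get(acct, (None, 0))
        if start is None or kind != CHAIN[idx]:
            continue                     # event does not advance the chain
        if t - start > window:
            state.pop(acct)              # chain too slow, discard it
        elif idx == len(CHAIN) - 1:
            sim = last_sim.get(acct)
            alerts.append({
                "account": acct,
                "seconds": int((t - start).total_seconds()),
                "sim_change_seen": sim is not None and timedelta(0) <= start - sim <= sim_lookback,
            })
            state.pop(acct)
        else:
            state[acct] = (start, idx + 1)
    return alerts
```

On the sample data only acct-A is flagged: acct-B withdraws without changing the linked bank account, and acct-C takes longer than the five-minute window.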
Common red flags
- Your phone suddenly loses all carrier signal without a known cause
- You receive a notification from your carrier about a SIM change or new SIM activation you did not request
- You stop receiving SMS messages unexpectedly
- You receive notifications from Cash App (or your bank) about a sign-in or account change you did not initiate
- Your Cash App balance has been transferred out when you regain access
- Your linked bank account in Cash App was changed to one you do not recognise
- You receive emails about Cash App activity while your phone is without service
How to protect yourself
- Contact your mobile carrier and ask them to add a SIM-lock or additional PIN to your account
- Use an authenticator app linked to an email address rather than SMS for account recovery where possible
- Enable Cash App's Security Lock (Profile > Privacy & Security) so every payment requires biometric or PIN confirmation
- Act immediately if your phone loses carrier signal unexpectedly — visit the carrier store or call from another phone
- Maintain a backup communication method (e.g. a trusted contact's phone) so you can act while your number is compromised
- Limit publicly available personal information on social media to reduce SIM-swap intelligence gathering
- Report a suspected SIM swap to your carrier, Cash App, and local law enforcement promptly
How to report it
- Contact your carrier immediately to report the unauthorised SIM change and request reversal
- Report through Cash App: Profile > Support > Report a Scam
- File a complaint with the FTC at reportfraud.ftc.gov
- Report the SIM swap to the FCC at consumercomplaints.fcc.gov
- Report to the FBI's IC3 at ic3.gov if financial loss occurred
Frequently asked questions
What is a SIM swap and how does it relate to Cash App?
A SIM swap transfers your phone number to a new SIM held by the attacker. Since Cash App uses your phone number to send sign-in codes, the attacker then receives those codes and can log in to your account. The attack does not require your co-operation once the carrier is deceived.
How can I add protection against SIM swaps at my carrier?
Most major carriers allow you to add a port-freeze, SIM lock, or an additional PIN or passcode that must be provided before any SIM change is processed. Contact your carrier's fraud or security team to enable these protections on your account.
Will Cash App reimburse SIM-swap fraud losses?
Report the fraud immediately through the app. Cash App investigates fraud reports and may be able to recover funds if the attack is reported quickly, depending on the specific circumstances and the speed of the attacker's withdrawals.