SIM-Hijacking to Intercept Wise OTPs and Drain International Transfers
Criminals hijack victims' phone numbers by fraudulently porting them to a new SIM, then use Wise's SMS-based one-time passcodes to bypass login security, change the account email address, and initiate international transfers before the victim can react.
Part of: SIM Hijacking and Mobile Account Takeover Scam
Last reviewed: 8 June 2026
Wise is an international money-transfer service that enables quick cross-border payments in dozens of currencies. For many users, especially those sending money abroad regularly, Wise holds significant balances and is linked to bank accounts in multiple countries — making a compromised Wise account unusually damaging.
Wise uses SMS one-time passcodes as a login and transfer-verification factor. When a criminal successfully ports the victim's phone number to a new SIM — a process known as SIM hijacking — they receive all SMS messages sent to that number, including every Wise OTP. With the OTP in hand, the attacker can complete password resets, approve new linked accounts, and authorise large international transfers.
The speed of the attack is what makes it so destructive. From the moment the port completes to the moment the attacker initiates and approves a transfer can be a matter of minutes. International transfers, once sent, are extremely difficult to recall.
How this scam works on the Wise brand
Wise's genuine login flow sends a six-digit SMS code to the registered mobile number as a second factor. Wise also requires OTP verification for actions like adding a new linked bank account or initiating large transfers. All of these security checkpoints become vulnerabilities if the attacker has already taken control of the phone number.
The attack typically starts with the attacker acquiring the victim's name, phone number, and some personal details — enough to impersonate them with the mobile carrier. After a successful port, the attacker opens a password-reset request on Wise, receives the OTP, and sets a new password. They then navigate to the Transfers section, enter their own bank account details as the recipient, and verify the transaction via another OTP to their hijacked number.
Victims discover the attack when their phone goes dark. By then, the transfer may already be confirmed and the attacker has begun the carrier-restore process to avoid leaving traces for too long.
Common red flags
- Your phone loses all carrier signal unexpectedly — no service, no calls, no SMS
- You receive an email from Wise about a password change, email change, or new device login that you did not initiate
- A Wise transfer confirmation arrives in your email but the transfer is not one you made
- Your carrier texts you about a SIM swap or port request you did not make
- Wise app shows a new linked bank account you did not add
How to protect yourself
- Switch Wise's two-factor method to an authenticator app if Wise offers this option; avoid SMS-only 2FA
- Set a SIM-lock or account passcode with your mobile carrier to block unauthorised port requests
- Enable Wise email notifications for every login, transfer, and account change
- Contact Wise's support immediately if you notice your phone has lost service unexpectedly
- Do not publish your mobile number on public social-media profiles — it is a primary input for SIM-swap attacks
- Use a separate email address for Wise that is not linked to other accounts or posted publicly
How to report it
- Call your mobile carrier immediately to reverse the unauthorised SIM swap
- Contact Wise support at wise.com/help to freeze the account and dispute unauthorised transfers
- File a report with the FTC at reportfraud.ftc.gov (US) or Action Fraud 0300 123 2040 (UK)
- Report to your national financial regulator if significant funds were lost
- Forward any phishing emails to [email protected]
Frequently asked questions
Can Wise reverse a transfer sent from my hijacked account?
Wise will attempt to recall the transfer if reported quickly, but international transfers often clear within hours and recovery is not guaranteed. Report the incident to Wise support immediately, and also contact your bank if the attacker also accessed linked accounts.
Does Wise support hardware security keys?
Wise's 2FA options vary by account type and region. Check wise.com/settings/security for the strongest available option and avoid relying solely on SMS codes.
How do attackers get my phone number for a SIM swap?
Phone numbers are widely available from data breaches, public social-media profiles, business directories, and data-broker websites. Removing your number from data-broker sites reduces your exposure over time.