SIM-Swap Account Takeover Impersonating PayPal
Criminals convince your mobile carrier to transfer your phone number to a SIM they control, then use PayPal's SMS-based account recovery to lock you out and drain your balance. The attack exploits PayPal's reliance on phone-number verification as a fallback authentication route.
Last reviewed: 8 June 2026
PayPal supports several two-factor authentication methods, including one-time passcodes sent by SMS. This convenience becomes a liability when an attacker successfully performs a SIM swap — persuading your mobile carrier to port your number to a new SIM card. Once they own your number, every SMS PayPal sends to 'verify' you arrives on the attacker's phone instead.
The fraudster typically begins by gathering your personal information from data breaches, social media, or phishing — enough to answer your carrier's identity questions. After the port, they trigger a PayPal password reset, receive the SMS code, change the account email address, and lock you out within minutes. By the time you notice your phone has lost service, the damage may already be done.
SIM-swap attacks feel especially violating because victims often have no idea they have been targeted until their phone goes dark. PayPal itself has sent all the correct security prompts, but they have been intercepted at the carrier layer — a step entirely outside PayPal's control.
How this scam works on the PayPal brand
Real PayPal account recovery sends a verification code to the phone number on file, then allows a password change. Scammers exploit this by first obtaining your full name, phone number, and enough personal details — from public profiles or data-broker sites — to impersonate you with your carrier. They call or visit a carrier store claiming a lost or damaged phone.
Once the port succeeds, your phone shows 'No Service' or 'SOS Only.' The attacker immediately triggers a PayPal password reset. They receive the SMS code, set a new password, change the linked email address, and remove your two-factor device. They may then move any balance to a linked bank, initiate PayPal Credit purchases, or use stored payment methods before you can react.
Some SIM-swap rings pair this with pre-sent phishing emails asking you to 'confirm your number' — giving them your phone number if they did not already have it. Others use carrier insiders who port numbers for a fee, making the attack faster and harder to spot.
Common red flags
- Your phone suddenly shows 'No Service' or loses all carrier signal without explanation
- You receive unexpected SMS messages from your carrier about a SIM or account change you did not initiate
- PayPal sends a password-reset email you did not request
- You are locked out of PayPal and the recovery code goes to a number you no longer control
- Unusual PayPal transactions or email-address changes appear in account history
- Your carrier account shows a recently ported or replaced SIM
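For anyone monitoring account activity on behalf of users, the sequence described above (SMS password reset, then an email-address change, then removal of the two-factor device, all within minutes) can be checked for mechanically. The following is an added example, not code from PayPal or from this page; the event names, log layout, time windows and the availability of a carrier SIM-change signal are all assumptions.

```python
from datetime import datetime, timedelta

# Event names and the log layout are hypothetical, not PayPal's or any carrier's.
CHAIN = ["password_reset_sms", "email_changed", "mfa_device_removed"]
WINDOW = timedelta(minutes=30)      # assumed bound for "within minutes"
SIM_LOOKBACK = timedelta(hours=24)  # assumed: how recent a SIM change must be

def detect_takeovers(lines):
    """Alert when an account completes CHAIN in order within WINDOW."""
    events = sorted(
        (datetime.fromisoformat(ts), acct, ev)
        for ts, acct, ev in (l.split() for l in lines if l.strip())
    )
    sim_changed, progress, alerts = {}, {}, []
    for ts, acct, ev in events:
        if ev == "carrier_sim_changed":
            sim_changed[acct] = ts
            continue
        if ev not in CHAIN:
            continue
        start, matched = progress.get(acct, (None, 0))
        if matched and ts - start > WINDOW:
            start, matched = None, 0        # partial chain went stale
        if ev == CHAIN[matched]:
            start = ts if matched == 0 else start
            matched += 1
        elif ev == CHAIN[0]:
            start, matched = ts, 1          # a fresh reset restarts the chain
        if matched == len(CHAIN):
            sim_ts = sim_changed.get(acct)
            recent_sim = (sim_ts is not None
                          and sim_ts <= start <= sim_ts + SIM_LOOKBACK)
            alerts.append({"account": acct, "started": start,
                           "severity": "critical" if recent_sim else "high"})
            start, matched = None, 0
        progress[acct] = (start, matched)
    return alerts

# Constructed sample events: "<ISO timestamp> <account> <event>"
SAMPLE = """
2026-01-10T09:02:00 acct-A carrier_sim_changed
2026-01-10T09:05:00 acct-A password_reset_sms
2026-01-10T09:06:30 acct-A email_changed
2026-01-10T09:08:00 acct-A mfa_device_removed
2026-01-10T10:00:00 acct-B password_reset_sms
2026-01-11T15:00:00 acct-B email_changed
2026-01-12T08:00:00 acct-C password_reset_sms
2026-01-12T08:04:00 acct-C email_changed
2026-01-12T08:05:00 acct-C mfa_device_removed
""".splitlines()
```

On the sample, acct-A is rated critical because the chain follows a SIM change, acct-C is rated high because the chain completes with no SIM signal, and acct-B raises nothing because its email change came a day after the reset.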
How to protect yourself
- Switch PayPal's two-factor method from SMS to an authenticator app (Google Authenticator, Authy) or a hardware key; neither relies on SMS delivery, so a SIM swap does not intercept them
- Set a SIM-lock PIN or account security passphrase with your mobile carrier to block unauthorised port requests
- Use a unique email address for PayPal that you do not publish anywhere publicly
- Enable PayPal's login notifications so every sign-in triggers an alert to your email
- Freeze or lock your carrier account online when you are not actively changing services
- Check your phone for unexpected loss of signal and contact your carrier immediately if you see it
How to report it
- Call your mobile carrier immediately to reverse the unauthorised SIM swap and restore your number
- Contact PayPal at paypal.com/disputes or call the number on your PayPal statement to freeze the account
- File an identity-theft report with the FTC at identitytheft.gov
- Report to your national cybercrime body: IC3.gov (US), Action Fraud 0300 123 2040 (UK)
- Forward any related phishing emails to [email protected]
Frequently asked questions
How do I know if I have been SIM-swapped?
The clearest sign is your phone losing all carrier service suddenly. Check if you can still make calls — if not, contact your carrier right away and ask whether your number has been ported or the SIM replaced.
Can PayPal refund money lost to a SIM-swap attack?
PayPal investigates each case individually. If the attacker used your account without your authorisation you should file a dispute promptly, as time limits apply. There is no guarantee of a refund, so prevention is critical.
Is SMS two-factor better than nothing?
Yes — SMS 2FA defeats simple password-only attacks. But an authenticator app or hardware key is significantly stronger because neither can be intercepted via a SIM swap.