SIM-Swap Attack Targeting Stripe Dashboard Accounts
Criminals SIM-swap the mobile number registered on a Stripe account to intercept 2FA codes, change the account email, and redirect future payouts to attacker-controlled bank accounts — causing both immediate financial loss and disruption to the merchant's payment operations.
Last reviewed: 8 June 2026
Stripe's dashboard powers the payment operations of millions of businesses. For many merchants, a compromised Stripe account means both the theft of existing balances and the redirection of all future customer payments. SIM-swap attacks targeting Stripe are therefore doubly damaging: the attacker's reach extends not just to today's payout but to every payment processed until the merchant discovers the compromise and regains control.
Stripe uses SMS-based verification as one route for account recovery and certain sensitive actions. If an attacker successfully ports the merchant's phone number, they can trigger a Stripe password reset, intercept the SMS code, change the account email, modify the payout bank account, and begin receiving the merchant's revenue without the merchant knowing until a payout fails to arrive.
The attack is particularly insidious for small businesses that may not check their Stripe dashboard daily — a redirected payout may not be noticed for days or weeks.
How this scam works against Stripe accounts
Stripe sends login alerts and security-change notifications to the registered email address and phone number. An attacker who has also changed the email address (possible once they have access via SMS reset) can neutralise both alert channels.
The SIM-swap against Stripe unfolds as follows: the attacker gathers the merchant's personal details (possibly from LinkedIn, the business website, or a data broker) and impersonates the merchant to the merchant's mobile carrier. After the port, the attacker initiates a Stripe password reset via SMS, accesses the dashboard, changes the payout bank account to one they control, and updates the security email. The merchant's next expected payout arrives in the attacker's account, not their own.
In some cases the attacker also rotates API keys, locking out any automated integrations and causing further operational disruption beyond the financial loss.
Common red flags
- Your phone loses carrier service unexpectedly
- Stripe sends a password-reset or email-change confirmation you did not initiate
- Your expected Stripe payout does not arrive and the payout bank account in the dashboard has changed
- API keys have been rotated or new API keys appear in your Stripe dashboard
- Your carrier shows a recent SIM swap or port event
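The red flags above matter most in combination. The following is an added example, not part of the original page and not Stripe's code: it correlates security notifications for one account and raises an alert when an SMS password reset is followed by sensitive changes inside a time window. The event labels, the 24-hour window and the sample data are assumptions made for this example.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed correlation window; tune to your payout cycle
# Sensitive changes the article lists as following the SMS reset.
FOLLOW_UPS = ("email_changed", "payout_account_changed", "api_key_created")

# Constructed sample events, deliberately out of order. The "type" labels are
# hypothetical names for this example, not Stripe or carrier event names.
EVENTS = [
    {"ts": "2026-05-20T22:15:00", "type": "payout_account_changed"},
    {"ts": "2026-05-02T09:14:00", "type": "password_reset_sms"},      # forgotten password
    {"ts": "2026-05-20T21:40:00", "type": "carrier_sim_change"},
    {"ts": "2026-05-20T22:09:00", "type": "password_reset_sms"},
    {"ts": "2026-05-20T22:12:00", "type": "email_changed"},
    {"ts": "2026-05-20T22:20:00", "type": "api_key_created"},
    {"ts": "2026-06-01T10:00:00", "type": "payout_account_changed"},  # planned bank change
]

def find_takeover_chains(events, window=WINDOW):
    """Return one alert per SMS password reset that is followed, inside
    `window`, by at least one sensitive account change."""
    evs = sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
                 key=lambda e: e["ts"])
    alerts = []
    for i, reset in enumerate(evs):
        if reset["type"] != "password_reset_sms":
            continue
        # A carrier SIM/port event shortly before the reset strengthens the signal.
        sim_before = any(p["type"] == "carrier_sim_change"
                         and reset["ts"] - p["ts"] <= window for p in evs[:i])
        changes = []
        for nxt in evs[i + 1:]:
            if nxt["ts"] - reset["ts"] > window:
                break  # events are sorted, nothing later can be in the window
            if nxt["type"] in FOLLOW_UPS and nxt["type"] not in changes:
                changes.append(nxt["type"])
        if not changes:
            continue  # a reset with no follow-up change is not alerted on
        # Payout redirection plus a silenced alert channel or a SIM event is
        # the full chain described in the article.
        critical = "payout_account_changed" in changes and (
            "email_changed" in changes or sim_before)
        alerts.append({"reset_at": reset["ts"].isoformat(), "changes": changes,
                       "sim_change_before": sim_before,
                       "severity": "critical" if critical else "review"})
    return alerts

if __name__ == "__main__":
    for alert in find_takeover_chains(EVENTS):
        print(alert)
```

Feed it from a mailbox or log that the attacker cannot redirect by changing the account email, otherwise the later events in the chain never reach it.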
How to protect yourself
- Switch Stripe 2FA to an authenticator app or hardware key — remove SMS as the sole recovery method where possible
- Set a SIM-lock PIN with your mobile carrier to block unauthorised port requests
- Enable Stripe's email notifications for every login, payout-account change, and API-key creation
- Review your Stripe payout schedule and reconcile payouts monthly to catch any discrepancies quickly
- Use a dedicated email address for Stripe that is not widely published or reused elsewhere
- Restrict sensitive Stripe operations to specific trusted IP addresses using Stripe's security settings where available
How to report it
- Contact your mobile carrier immediately to reverse the SIM swap
- Contact Stripe's support team via dashboard.stripe.com and request an emergency account freeze
- Report to the FTC at reportfraud.ftc.gov and file an identity-theft report at identitytheft.gov
- Report to IC3.gov (US) or Action Fraud 0300 123 2040 (UK)
- Forward any phishing emails to [email protected]
Frequently asked questions
How long before a redirected Stripe payout might be noticed?
Merchants who reconcile regularly will notice within a payout cycle (typically 2–7 days for most Stripe accounts). Merchants with less frequent reconciliation could miss the change for longer. Setting up Stripe email notifications for payout events is the fastest detection method.
Can Stripe reverse a payout sent to an attacker's bank account?
Stripe will work with affected merchants and may be able to recall payouts in transit, but this depends on timing and the recipient bank's cooperation. Report immediately — the faster you act, the greater the chance of partial recovery.
Does Stripe notify merchants of payout-account changes?
Yes. Stripe sends email notifications for payout-account changes to the registered email address. This is why attackers change the email address early in the compromise — ensure your Stripe email and phone notifications go to accounts you check frequently.