How does SIM swapping work as a fraud technique and who does it target?
SIM swapping convinces a mobile carrier to transfer a victim's phone number to a SIM the scammer controls, giving them access to SMS-based authentication codes for financial and social media accounts.
Last reviewed: 10 June 2026
Explanation
SIM swapping, also called SIM hijacking, exploits the account management systems of mobile network operators. Most carriers allow customers to transfer their number to a new SIM when they lose a phone or switch devices. This process requires some form of identity verification — but the verification standards vary enormously, and scammers have developed techniques to pass them.
Social engineering of mobile carrier staff is the most common approach. A scammer calls the carrier's customer service line, claims to be the account holder, and provides personal details to pass verification — details often gathered from data breaches, social media, or earlier phases of the fraud. If successful, the carrier transfers the number. Within minutes, the scammer receives all SMS messages sent to that number, including two-factor authentication codes for banking apps, email accounts, and social media.
Targeting is deliberate. SIM swap fraud requires effort and carries more legal risk than phishing, so it is typically deployed against high-value targets: people with significant cryptocurrency holdings, active stock trading accounts, or accounts with payment credentials attached. An attacker who knows a specific individual holds valuable digital assets will invest the effort needed to get past the carrier's verification hurdles.
The downstream impact is rapid. With access to SMS-based authentication, the attacker resets passwords on financial accounts, drains crypto wallets, and may access email to identify further high-value targets. All of this can happen within an hour of a successful swap, long before the real account holder notices their phone has lost service.
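The timeline above is what a service-side check can key on. The following is an added example, not code from this page or from any carrier or bank: it scans a constructed event log and flags password resets, SMS code logins and withdrawals that follow a SIM change on the same account within one hour. The log format, event names, the one-hour window and the assumption that the service can see a SIM change event at all are illustrative.

```python
from datetime import datetime, timedelta

# Assumption: sensitive actions inside this window after a SIM change are held for review.
RISK_WINDOW = timedelta(hours=1)
SENSITIVE = {"password_reset", "sms_otp_login", "withdrawal"}  # hypothetical event names

# Constructed sample events (not real logs): "<ISO time> <account> <event>"
SAMPLE_LOG = """\
2026-06-01T09:00:00 alice sms_otp_login
2026-06-01T14:02:00 alice sim_change
2026-06-01T14:09:00 alice password_reset
2026-06-01T14:21:00 alice withdrawal
2026-06-01T14:30:00 bob password_reset
2026-06-01T16:00:00 alice sms_otp_login
2026-06-02T08:00:00 bob sim_change
"""

def parse(log):
    """Yield (timestamp, account, event) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue

def flag_post_swap_actions(log, window=RISK_WINDOW):
    """Return (account, event, minutes_after_swap) for sensitive events
    that follow a SIM change on the same account within `window`."""
    last_swap = {}  # account -> time of most recent SIM change
    flagged = []
    for ts, account, event in sorted(parse(log)):
        if event == "sim_change":
            last_swap[account] = ts
        elif event in SENSITIVE and account in last_swap:
            delay = ts - last_swap[account]
            if delay <= window:
                flagged.append((account, event, int(delay.total_seconds() // 60)))
    return flagged

if __name__ == "__main__":
    for account, event, minutes in flag_post_swap_actions(SAMPLE_LOG):
        print(f"HOLD {account}: {event} {minutes} min after SIM change")
```

Events before a SIM change, or outside the window, are left alone, so the routine 09:00 login and bob's reset are not flagged.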
Common red flags
- Your phone loses signal unexpectedly and cannot make calls or receive messages
- You receive an unexpected notification that your SIM or account settings have changed
- Authentication codes start arriving when you have not initiated any login
- You are locked out of accounts and password reset texts are not arriving
- Your mobile carrier contacts you about a number transfer you did not request
What to do now
- Switch financial account authentication from SMS codes to an authenticator app
- Set a PIN or passphrase on your mobile account that must be quoted for any account changes
- Contact your carrier immediately if your phone unexpectedly loses service
- Alert your bank and any crypto exchanges immediately if you suspect a SIM swap
- Report to your national cyber security authority and your carrier's fraud department
Frequently asked questions
Is SMS-based two-factor authentication still worth using?
It is significantly better than no second factor at all. SMS-based authentication stops most opportunistic attacks. For high-value accounts, switching to an authenticator app or hardware key provides substantially stronger protection against SIM-swap-specific attacks.
Can you sue a mobile carrier for a successful SIM swap?
Legal actions against mobile carriers for failing to prevent SIM swaps have been pursued in some jurisdictions, with mixed outcomes. The case is stronger when the carrier demonstrably failed to follow its own stated verification procedures.