SIM-Based Identity Verification Bypass
Criminals hijack your phone number through a fraudulent SIM swap or eSIM transfer, intercepting the SMS codes and calls your accounts rely on for identity verification, then use that access to break into email, banking, and crypto accounts.
Last reviewed: 5 July 2026
What this scam is
SIM-based identity verification bypass, commonly known as SIM swapping, occurs when a criminal convinces a mobile carrier to transfer your phone number to a SIM card or eSIM profile they control. Because so many services use a text message or phone call to your number as proof that you are you — resetting a password, confirming a login, or approving a transaction — control of the number effectively becomes control of your digital identity.
The attack targets the carrier's customer service process rather than any technical flaw in your phone itself. Armed with enough personal data to answer security questions or impersonate you convincingly, an attacker can complete the swap in a single phone call or a fraudulent online request, often without you receiving any warning until your phone suddenly loses all signal.
Once the number is under the attacker's control, they cycle rapidly through your most valuable accounts — email first, since it frequently unlocks everything else, followed by banking, cryptocurrency exchanges, and social media — resetting passwords via the hijacked number faster than most people realize their phone has gone dead.
How it works
The attacker first builds a profile of the victim using data from breaches, data brokers, or social media: full name, date of birth, address, and answers to common security questions. Some obtain this through a preceding phishing message that appears to be from the carrier itself, asking the victim to 'verify' account details.
With enough information, the attacker contacts the carrier by phone or through an online chat, reporting a lost or damaged phone and requesting the number be moved to a new SIM or eSIM. Carrier staff working through high call volumes, or automated online self-service portals with weak verification, approve the transfer. The victim's phone loses service without warning — this is often the only visible sign something has happened, and it is easy to mistake for a network outage at first.
With the number active on their own device, the attacker requests password resets on the victim's email, banking, and cryptocurrency accounts, intercepting the SMS or voice-call verification codes those services send. Email is usually the first target because so many other password resets route through it. Within minutes to hours, the attacker can lock the victim out of everything and move funds before the victim realizes what has happened, since their only symptom initially was a dead phone.
Why this scam works
The bypass works because carriers are optimized for customer convenience — quickly restoring service to someone who genuinely lost a phone — rather than rigorous identity verification, and the security questions used to confirm identity (address, date of birth, last four of an account number) are exactly the data most commonly exposed in breaches and data broker listings. Meanwhile, the broader digital ecosystem's reliance on SMS as a 'strong' second factor means whoever controls the phone number inherits trusted access to dozens of unrelated accounts simultaneously, turning one social-engineering success into a cascading takeover.
A typical pattern
A scammer gathers a target's name, date of birth, and last known address from a data broker listing, then calls the victim's mobile carrier claiming to have lost their phone and needing an urgent SIM replacement. The call center agent, working through a high call volume, accepts the scammer's answers to basic security questions and activates a new SIM on the scammer's device, silently deactivating the victim's phone. Within the hour, the scammer uses SMS-based one-time codes now routed to their own phone to reset the victim's email password, then uses that email to reset banking and cryptocurrency exchange passwords, draining accounts before the victim even notices their phone has lost signal.
Common red flags
- Sudden, unexplained total loss of phone signal or 'SOS only' status
- Password reset confirmation emails you did not request
- Login alerts from unfamiliar devices or locations on email, bank, or crypto accounts
- A text or call from your carrier confirming a SIM change you did not request
- Inability to send or receive calls and texts that persists beyond a normal outage
- Notification of a new device added to your account without your action
- Unexpected large withdrawals or transfers shortly after a loss of phone signal
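For anyone who collects account alerts in one place (a security team, or a technically minded individual), the red flags above are most telling in combination: a SIM change or signal loss followed shortly by resets and new logins. The sketch below is an added example, not part of the original article; the event names, the two-hour window and the severity labels are assumptions, and the timeline is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample timeline (not real logs): (timestamp, source, event)
EVENTS = [
    ("2026-03-02T09:14:00", "carrier", "sim_change"),
    ("2026-03-02T09:21:00", "email", "password_reset"),
    ("2026-03-02T09:25:00", "email", "new_device_login"),
    ("2026-03-02T09:40:00", "bank", "password_reset"),
    ("2026-03-02T09:52:00", "exchange", "withdrawal"),
    ("2026-03-09T18:00:00", "email", "new_device_login"),  # a week later, unrelated
]

# Hypothetical event vocabulary chosen for this example.
TRIGGERS = {"sim_change", "signal_loss"}  # the number may have moved
FOLLOW_UPS = {"password_reset", "new_device_login", "new_device_added", "withdrawal"}
FINANCIAL = {"bank", "exchange"}

def correlate(events, window=timedelta(hours=2)):
    """Return one finding per trigger, listing account activity seen within
    `window` after it. Severity follows the takeover order described in the
    article: email first, then financial accounts."""
    parsed = sorted((datetime.fromisoformat(ts), src, kind) for ts, src, kind in events)
    findings = []
    for t0, _, kind in parsed:
        if kind not in TRIGGERS:
            continue
        chain = [(t, s, k) for t, s, k in parsed
                 if t0 < t <= t0 + window and k in FOLLOW_UPS]
        sources = {s for _, s, _ in chain}
        if sources & FINANCIAL:
            severity = "critical"   # money-bearing accounts already touched
        elif "email" in sources:
            severity = "high"       # email is the usual first step
        else:
            severity = "watch"      # no email or financial activity in the window
        findings.append({
            "trigger": kind,
            "at": t0.isoformat(),
            "severity": severity,
            "follow_ups": [(s, k) for _, s, k in chain],
            "minutes_to_first": (chain[0][0] - t0).total_seconds() / 60 if chain else None,
        })
    return findings

if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```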
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
[Carrier Name]: Your SIM card change request has been completed. If you did not request this, call us immediately.
Your password for [Email Provider] was just reset. If this wasn't you, secure your account now.
New device login detected for [Bank/Exchange Name] from [Location]. Was this you?
[Carrier Name]: We noticed unusual activity on your account and have temporarily suspended service.
Your two-factor code is [Code]. Do not share this code with anyone.
Common variations
- Phone-based social engineering of a carrier call center agent
- Online self-service portal exploited with stolen personal data, no human contact needed
- Insider carrier employee bribed to process the fraudulent transfer directly
- eSIM QR-code transfer requested fraudulently rather than a physical SIM swap
- Port-out fraud, moving the number to an entirely different carrier the attacker controls
How to verify before you act
If your phone suddenly shows no service, no signal, or 'SOS only' with no explanation such as a known outage, treat it as a potential SIM swap immediately and contact your carrier using another phone or a landline. Ask specifically whether a SIM or eSIM transfer was recently processed on your account. Simultaneously check your email account from another device for any password reset notifications you did not initiate, and check bank and exchange accounts for login alerts from unfamiliar devices or locations.
Payment methods used
- Cryptocurrency
- Bank/wire transfer
- Gift cards
- Money transfer services
- Payment apps to 'friends & family'
Who is usually targeted
- Cryptocurrency holders
- People who reuse SMS-based two-factor authentication across accounts
- Individuals with data exposed in prior breaches
- High-visibility social media or public figures
What to do immediately
- Contact your carrier immediately from another phone or landline to reverse the SIM transfer
- Change your email password from a secure device and revoke active sessions
- Change passwords on banking, cryptocurrency, and any linked financial accounts
- Contact your bank and any exchange to freeze accounts and reverse unauthorized transfers if possible
- Enable a carrier PIN and move critical accounts to app-based or hardware authentication
- File a police report documenting the SIM swap and any resulting financial loss
- Check for and remove any unfamiliar devices or forwarding rules added to your email account
How to prevent it
- Set a PIN or passcode on your mobile account that must be provided before any SIM or number change
- Move away from SMS-based two-factor authentication toward an authenticator app or hardware security key wherever possible
- Use a unique, non-guessable answer for carrier security questions rather than true, publicly discoverable facts
- Ask your carrier whether they offer enhanced port-out or SIM-swap protection and enable it
- Avoid posting your date of birth, address, or phone number publicly on social media
- Use a separate, non-SMS-linked email as the recovery contact for your most sensitive accounts
- Monitor for unexpected loss of phone signal and treat it as a potential emergency, not a network glitch
Evidence to preserve
- Screenshots of the exact time your phone lost signal
- Carrier account activity log showing the SIM or number change
- Password reset and login alert emails from affected accounts
- Bank and exchange transaction records showing unauthorized activity
- Any correspondence with your carrier about the incident and its resolution
- Police report number and filing documentation
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
How quickly can a SIM swap drain my accounts?
It can happen within minutes once the attacker controls your number, since password resets and verification codes are typically sent and used in real time. Speed of response is critical.
Is SMS two-factor authentication still worth using?
It is better than no second factor, but an authenticator app or hardware security key is significantly more resistant to SIM-swap-based bypass and is recommended for your most important accounts.
Can I get my carrier to compensate me if a SIM swap happens through their negligence?
Policies vary by carrier and jurisdiction. Document everything and file a formal complaint; some carriers offer compensation or have been held liable in regulatory or legal proceedings for inadequate verification.