eSIM Swap Fraud
Attackers exploit carrier eSIM provisioning processes to transfer your phone number to a digital SIM they control, achieving the same account-takeover outcome as a physical SIM swap without needing a SIM card.
Last reviewed: 1 June 2026
What this scam is
An eSIM (embedded SIM) is a digital SIM profile stored on a chip inside your device rather than a removable physical card. eSIMs allow carriers to activate and transfer phone number profiles remotely, without requiring an in-store visit or a physical card to be swapped. This remote provisioning capability is convenient for consumers but creates a new attack surface that mirrors traditional SIM swap fraud.
In an eSIM swap attack, a fraudster uses the same social engineering techniques as a physical SIM swap — impersonating you to your carrier using stolen personal details — but targets the eSIM provisioning process specifically. The goal is to have your number transferred to an eSIM profile on a device they control. Once accomplished, the attacker receives all your calls and SMS messages, including one-time authentication codes, and the attack proceeds identically to a conventional SIM swap.
eSIM swap fraud is in some respects harder to detect than a physical SIM swap because your physical SIM card does not go dead — in a physical swap, the loss of signal is a clear early warning. In an eSIM swap, the transfer may occur silently or you may receive a carrier notification that is easy to dismiss as routine. The attack is growing in prevalence as eSIM adoption increases and as fraudsters adapt the SIM swap playbook to new provisioning systems.
How it works
The attacker first collects personal details about the target: name, address, date of birth, account number, and carrier account PIN if possible. These are gathered from data breaches, social media research, or phishing.
The attacker contacts the carrier — by phone, online portal, or live chat — and impersonates the account holder. They claim to want to set up eSIM on a new device or add an eSIM profile to an existing account. They use the harvested personal details to pass identity verification.
If the attacker passes the carrier's identity verification, the carrier provisions an eSIM profile containing the target's phone number to a device the attacker controls. The attacker now receives calls and SMS messages directed to that number, including banking one-time codes and authentication messages for any service linked to the number.
In some variants, the attacker simultaneously initiates password resets on high-value accounts, intercepting the authentication codes as they arrive on the attacker's device. The window of opportunity may be slightly longer than in a physical SIM swap if the victim does not notice the attack quickly — since their physical phone may continue to function normally for some time.
Why this scam works
eSIM provisioning is designed to be convenient and largely remote, which reduces friction for legitimate users but also reduces the physical barriers that made some SIM swap attempts harder. There is no in-store visit required, no physical card to produce, and the process can be completed entirely online or by phone.
As with physical SIM swaps, the attack exploits the gap between the data carriers use for identity verification and the ease with which that data can be obtained from breaches and social media. Carriers that do not require a dedicated secure PIN for eSIM provisioning requests are particularly vulnerable.
Growing consumer awareness of physical SIM swaps has not fully translated to awareness of the eSIM variant, meaning the attack benefits from a lag between the technique's prevalence and public knowledge of it.
A typical pattern
A person receives an email from their carrier confirming an eSIM profile has been added to their account. They do not remember requesting this. By the time they call their carrier to query it, an attacker has already used the provisioned eSIM to intercept SMS codes and access their primary email and one financial account. The carrier reverses the eSIM provisioning within hours, but account recovery for the affected services takes longer.
Common red flags
- Carrier notification of an eSIM provisioning or profile change you did not initiate
- Unexpected loss of mobile calls or SMS even though your physical SIM appears active
- Password reset emails or authentication codes arriving that you did not request
- Login alerts from unrecognised devices on linked accounts
- Carrier confirms an eSIM profile was added to your account
- Accounts linked to your phone number show signs of compromise
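These red flags carry more weight together than one at a time: an eSIM change you did not request, followed shortly by resets, codes or logins on linked accounts. The following is an added example, not part of the original page, that correlates the two and lists which services to secure first; the event field names, the sample events and the six-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Red-flag event types on linked accounts (hypothetical names for this example).
FOLLOW_ON = {"password_reset", "otp_sent", "new_device_login"}
WINDOW = timedelta(hours=6)  # assumption: correlation window, tune as needed

# Constructed sample events for one phone number (not real logs).
SAMPLE = [
    {"ts": "2026-05-28T10:00:00", "type": "esim_profile_added", "user_initiated": True},
    {"ts": "2026-05-28T10:20:00", "type": "new_device_login", "service": "email"},
    {"ts": "2026-06-01T02:14:00", "type": "esim_profile_added", "user_initiated": False},
    {"ts": "2026-06-01T02:16:00", "type": "password_reset", "service": "email"},
    {"ts": "2026-06-01T02:21:00", "type": "new_device_login", "service": "email"},
    {"ts": "2026-06-01T02:40:00", "type": "otp_sent", "service": "bank"},
    {"ts": "2026-06-01T11:00:00", "type": "password_reset", "service": "forum"},
]

def correlate(events, window=WINDOW):
    """Return one finding per eSIM profile change the user did not initiate."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort as text
    findings = []
    for ev in events:
        if ev["type"] != "esim_profile_added" or ev.get("user_initiated"):
            continue  # changes the account holder requested are not flagged
        start = datetime.fromisoformat(ev["ts"])
        end = start + window
        hits = [e for e in events
                if e["type"] in FOLLOW_ON
                and start <= datetime.fromisoformat(e["ts"]) <= end]
        findings.append({
            "provisioned_at": ev["ts"],  # exact time of the change, for the carrier report
            # An unrequested change is reportable by itself; follow-on activity
            # on linked accounts raises it to a likely takeover in progress.
            "severity": "critical" if hits else "high",
            "services_to_secure": sorted({e["service"] for e in hits}),
            "evidence": [(e["ts"], e["type"], e["service"]) for e in hits],
        })
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE):
        print(finding)
```

The detector does not depend on loss of signal, so it still fires in the multi-device case where the victim's own profile stays active.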
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Your [carrier] eSIM has been successfully activated on a new device. If this wasn't you, contact us at [official number].
An eSIM profile change has been made to your account. Visit [link] to review this change.
[Carrier] account update: a new device has been added using your phone number. Confirm this was you.
Your number has been provisioned to a new device. If you did not request this, call [official number] immediately.
Common variations
- Pure-remote variant — eSIM provisioned entirely through the carrier's online portal or phone-based service
- Paired phishing attack — carrier portal credentials phished first to enable self-service eSIM addition
- Multi-device provisioning — attacker adds their eSIM without removing the victim's existing profile
- Business account variant — corporate lines targeted for access to company authentication systems
How to verify before you act
Contact your carrier to ask whether your account can have eSIM provisioning locked behind an additional security step — a separate PIN or in-person verification. Not all carriers offer this, but it is worth requesting.
Enable any available carrier account alerts for SIM changes, eSIM provisioning, or account configuration changes. If your carrier offers SMS or email notifications for account modifications, enable them — an alert sent to your email may be the fastest warning you receive.
If you notice that your phone is suddenly not receiving calls or texts despite appearing to have signal, or if you receive a carrier notification about an eSIM change you did not initiate, contact your carrier immediately from a different device.
Payment methods used
- Cryptocurrency wallet drain via intercepted authentication codes
- Bank transfer from compromised banking accounts
- Account credential resale
- Cryptocurrency
- Bank/wire transfer
- Gift cards
- Money transfer services
- Payment apps to 'friends & family'
Who is usually targeted
- Cryptocurrency holders
- High-value account holders using SMS two-factor authentication
- People whose personal data has appeared in data breaches
- Early adopters of eSIM-capable devices
What to do immediately
- Contact your carrier immediately using a different phone to report the unauthorised eSIM provisioning
- Ask the carrier to remove the attacker's eSIM profile and restore your number to your device only
- Change passwords on all accounts linked to your phone number from a device not dependent on SMS authentication
- Switch from SMS two-factor to app-based authentication on critical accounts
- Contact your bank to flag potential compromise and review for unauthorised transactions
- Report the fraud to your national cybercrime reporting body and telecommunications regulator
How to prevent it
- Set a carrier account PIN required for all account changes including eSIM provisioning
- Ask your carrier whether eSIM provisioning can be locked to require in-person verification
- Switch from SMS two-factor authentication to an authenticator app or hardware key on all important accounts
- Enable carrier account change alerts so any modification triggers an immediate notification
- Minimise the personal information about you available publicly to make impersonation harder
Evidence to preserve
- Carrier notification of the eSIM provisioning event
- Exact time the change was made
- Any account compromise notifications received around the same time
- Bank or financial statements showing the period of the attack
- Records of carrier correspondence during the reversal process
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
How is eSIM swap different from a regular SIM swap?
A physical SIM swap replaces your SIM card and kills your phone's signal — you notice immediately. An eSIM swap provisions a digital profile on the attacker's device, and your physical SIM may continue to appear functional briefly before you lose calls and texts. The outcome is the same: the attacker receives your messages and codes.
Does having an eSIM make me more vulnerable?
Having an eSIM-capable device does not inherently make you more vulnerable — the attack targets the carrier's provisioning process, not your device. What matters is whether your carrier requires strong verification before provisioning additional eSIM profiles, and whether you have a carrier PIN in place.
Can I have my number locked so no eSIM can be provisioned without in-person verification?
Some carriers offer this as an account security option. Contact your carrier and ask specifically about eSIM provisioning controls and whether an additional verification step or lock can be applied. Availability varies by carrier and country.
I received a notification that an eSIM was activated but I did not do it. What do I do?
Call your carrier immediately from a landline or a different phone. Ask them to remove the unauthorised eSIM profile and lock your account against further changes. Then change passwords on all accounts linked to your phone number from a separate device not relying on SMS authentication.