Number Porting Scams

Number porting scams — also called port-out scams or unauthorised number porting — are closely related to SIM swap attacks but exploit a different process. While SIM swaps move a number within the same carrier, number porting transfers your number to a completely different network operator. The legitimate purpose of number porting is to allow customers to keep their phone number when they switch carriers. Fraudsters abuse this process to gain control of your number.

Number porting is governed by regulations in most countries that require carriers to honour a valid porting request. This makes the process both essential for consumer freedom and exploitable if identity checks are bypassed. Once porting is initiated, the original carrier is typically required to release the number quickly — sometimes within hours — leaving little time for you or your carrier to stop the transfer.

Once ported, the attacker controls your number on their chosen network. Every SMS message you receive — including banking one-time codes, password reset confirmations, and login verifications — arrives at the attacker's handset. They can then systematically access accounts linked to your phone number.

Unlike SIM swaps, which may be more easily reversed by contacting your current carrier, a port-out requires coordination between two carriers, which can slow down reversal. The regulatory process that makes porting quick and easy for legitimate customers also makes it harder to undo when fraudulent.

The fraudster first gathers personal information about the target, using the same methods as in a SIM swap: data breaches, phishing, social media research, or purchasing stolen data. They need enough to pass the identity verification used by the destination carrier when processing a port-in request.

They then contact a second carrier — one you don't currently use — and request to port your number to them, often with a new prepaid or pay-as-you-go account set up for the purpose. They provide your name, address, account number, and any other verification details that particular carrier requires.

If the destination carrier accepts the port request, the regulatory framework requires your current carrier to release the number, often automatically. The process triggers a notification — sometimes an SMS or email — but by the time you see it, the port may already be in progress.

Your phone loses service, and the attacker begins using your number immediately to intercept authentication codes and initiate account takeovers. Because porting has been completed, simply calling your original carrier and asking for a swap back is more complex than in a standard SIM swap case — both carriers must be involved in reversing the port.

The speed of the attack is critical. Fraudsters move through password resets on high-value accounts as quickly as possible, knowing that you may notice the loss of service and begin the reversal process.

Port-out scams succeed because regulators require carriers to process valid porting requests quickly and with minimal friction — this protects genuine consumers who want to switch providers. The same speed that benefits real customers creates a narrow window of exploitation.

Personal data availability from breaches means fraudsters frequently already have the details needed to impersonate someone convincingly. Destination carriers vary in how rigorously they verify identity for port-in requests, creating weak points in the system.

Most people are unaware that their number can be ported without any action on their own phone or SIM card, making the attack harder to anticipate or detect before it happens.

A person's mobile service stops working while they are at home in full signal coverage. They assume a temporary network issue and wait. An hour later, they receive an email from their bank about a new payee being added — but their phone shows no signal to receive the bank's SMS verification for the change. Contacting their carrier from a landline, they are told a number porting request to another carrier was processed that morning. The attacker had already used their number to intercept multiple authentication codes for financial accounts. Recovery required both carriers to coordinate the port reversal, taking over 24 hours.

Your request to transfer your number to [carrier] has been received. If this was not you, contact us immediately at [fake link] or [number].

We are processing your number port to [carrier]. Your current service will end within [timeframe]. Visit [fake link] to manage your account.

Porting confirmation: [phone number] will be transferred on [date]. To cancel, call [number] by [time].

A port-in request for your number has been submitted. If this wasn't you, contact us at [number] now.

Contact your carrier to ask whether they can add a port-freeze or porting lock to your account — a feature that requires an additional verification step before any porting request can proceed. Not all carriers offer this, but it is worth asking.

Set a carrier account PIN that must be provided alongside your number before any transfer or account change is authorised. This adds friction that can stop or at least slow a fraudulent port request.

If your phone loses signal unexpectedly, contact your carrier immediately and ask whether a port request has been submitted for your number. Ask them to place a hold on any pending transfer while you verify your identity through official channels.

Check your email and any other account recovery contact for unexpected notifications. If a port is in progress, some carriers send notification messages. Acting on these quickly can allow you to halt the process before it completes.