SIM Hijacking and Mobile Account Takeover Scam

SIM hijacking — also called SIM swapping or SIM jacking — is an account takeover attack in which a fraudster convinces your mobile carrier to move your phone number to a SIM card they control. Once your number is transferred, every call and text message intended for you — including one-time security codes from your bank, email provider, or cryptocurrency exchange — is received by the attacker instead.

The attack exploits the legitimate carrier process for replacing a SIM when a customer loses their phone or upgrades their device. The fraudster calls or visits a carrier store, claims to be you, provides enough personal information to pass identity verification, and requests the transfer. If successful, your SIM is deactivated within minutes and the attacker begins intercepting your messages.

The consequences can be severe and swift. Armed with your phone number, the attacker requests password resets for accounts linked to that number, intercepts the SMS verification codes, and takes over your email, banking, cryptocurrency wallets, and other accounts in rapid sequence. Financial losses from SIM hijacking can be substantial, and recovery of taken-over accounts can take days or weeks.

Personal data collected through data breaches, social media, or targeted phishing is what makes the impersonation convincing. The more information about you that is publicly available or has been exposed in a breach, the easier it is for a fraudster to pass a carrier's identity checks. The attack is not a technical exploit of phone hardware — it is social engineering of carrier staff.

The fraudster first gathers personal information about the target: full name, date of birth, home address, account number with the carrier, last four digits of a Social Security or National Insurance number, or answers to security questions. This data may come from previous breaches, social media profiles, or phishing.

Armed with this information, the fraudster contacts your mobile carrier — by phone, online, or in person at a retail store — and claims to be you. They report a problem such as a lost phone, damaged SIM, or device upgrade, and request that your number be moved to a new SIM in their possession.

If carrier staff accept the identity check, the transfer is completed. Your phone loses all cellular service. The attacker, whose SIM now owns your number, begins immediately: requesting a password reset for your primary email account, intercepting the verification SMS, and logging in. From your email, they reset other accounts in sequence — banking, cryptocurrency, payment apps.

The attack window is short, typically hours, because the attacker knows you will notice the signal loss and contact your carrier. Speed is essential to the fraud; significant account access is often achieved before the victim discovers what is happening.

SMS two-factor authentication is widely understood as a security measure, so most people assume their accounts are protected by it. The SIM swap undermines this assumption entirely, because it redirects verification codes to the attacker — turning the security layer against its intended beneficiary.

Carrier identity verification processes must balance security with the legitimate need to help genuine customers who have lost their phones. This balance creates an exploitable gap: with enough personal data, an attacker can pass checks that are designed to assist real customers in distress.

The attack happens silently from the victim's perspective until the damage is done. A dropped signal is easily attributed to a network issue, giving the attacker a window before the victim realises the situation and contacts their carrier.

Your SIM card has been changed. If you did not authorise this, contact us immediately. [carrier notification]

A new device has been added to your account. If this was not you, secure your account at [link]. [email notification]

Password reset requested for your account. Enter this code: [code]. [bank SMS — received by attacker]

If your phone suddenly loses all signal in an area with normal coverage, treat it as a potential SIM swap rather than a network outage. Contact your carrier immediately using a different phone or Wi-Fi calling.

Proactively: set a carrier PIN or account passcode with your mobile provider — a separate code required before any account changes or SIM transfers are processed. Ask whether your carrier supports a number-lock or port freeze feature that prevents transfers without additional in-person verification.

For your most sensitive accounts, switch from SMS-based two-factor authentication to an authenticator app or hardware security key. These generate codes locally on your device and are not vulnerable to SIM hijacking because they do not depend on your phone number receiving a text message.