SIM Swap Scams
Fraudsters hijack your phone number by convincing your carrier to transfer it to a SIM they control, bypassing SMS-based two-factor authentication.
Last reviewed: 1 June 2026
What this scam is
A SIM swap scam — also called SIM hijacking or SIM jacking — is an account takeover attack in which a fraudster persuades your mobile carrier to reassign your phone number to a SIM card they control. Once your number has been moved, every SMS message and phone call intended for you — including one-time security codes sent by your bank, email provider, or other services — is received by the attacker instead.
The attack does not require physical access to your phone or any sophisticated hacking. It exploits the legitimate process carriers use when a genuine customer loses their phone or gets a new SIM card. The fraudster calls or visits a carrier store posing as you, supplies enough personal information to pass identity verification, and requests a SIM transfer. If successful, your existing SIM card is deactivated within minutes, and you typically notice because your phone loses signal unexpectedly.
The consequences can be severe. Armed with your phone number, the attacker can request password resets for any account linked to that number, intercept the SMS codes those resets send, and take over your email, banking, cryptocurrency, and social media accounts in quick succession. Financial losses from SIM swap attacks can be substantial because the attacker controls the authentication layer that most services use to verify identity.
Your personal data — often obtained from previous data breaches, social media, or phishing — is what makes the impersonation convincing. The more information about you that is publicly available or previously exposed, the easier it is for a fraudster to pass a carrier's identity checks. This is why data hygiene and proactive security measures matter long before an attack occurs.
How it works
The attack typically begins with research. The fraudster collects personal information about the target: full name, date of birth, address, the last four digits of a Social Security or National Insurance number, account numbers, or answers to security questions. This information can come from data breaches, social media profiles, or targeted phishing.
Armed with this information, the fraudster contacts the mobile carrier — by phone, online chat, or in person at a retail store — and claims to be you. They provide the personal details they have gathered to pass identity verification, then report a problem such as a lost phone or damaged SIM and request a transfer of the number to a new SIM they already hold.
If carrier staff accept the identity check, the transfer is processed. Your SIM card loses service, and the attacker's SIM begins receiving your calls and texts. At this point, the attacker moves quickly.
They request a password reset for your primary email account, intercept the SMS verification code, and gain access. From your email, they can reset passwords for other accounts — banking, cryptocurrency wallets, investment platforms — using the same intercept method. Each service that relies on SMS two-factor authentication becomes accessible to the attacker.
The window of the attack is often very short — minutes to hours — because the attacker knows you will notice the loss of service and contact your carrier. This urgency is why targets can lose access to multiple accounts before they are aware of what is happening.
Why this scam works
SIM swaps succeed because mobile carriers must balance security with customer service. A customer who has genuinely lost their phone needs to be helped quickly and without too much friction. The same process that assists real customers can be exploited by someone with enough personal data to impersonate them.
SMS two-factor authentication is widely used as a security layer, and most people — reasonably — assume receiving a code on their phone means they are secure. The SIM swap attack undermines this assumption entirely by redirecting those codes to the attacker.
Data breaches have made personal information widely available. Fraudsters often already know the answers to common identity-verification questions before they even contact a carrier, because that information has appeared in breach databases or on public social media profiles.
A typical pattern
A person notices their phone has lost all signal mid-afternoon. Assuming a coverage issue, they wait. Within an hour they receive an email notification — from a different device — that their email password has been changed. They attempt to log in and find their password no longer works. By the time they contact their carrier and confirm a SIM transfer was made that afternoon, the attacker has already accessed and changed the passwords on several linked accounts including their primary email and one financial account. Their carrier restores the number, but recovery of the affected accounts takes several days.
Common red flags
- Sudden, unexplained loss of mobile signal on your phone
- Unexpected notifications that account passwords have been changed
- Password reset emails arriving that you did not request
- Inability to log into accounts you access regularly
- Carrier confirms a SIM transfer or port request was made
- SMS messages stop arriving while on Wi-Fi
- Accounts send login alerts from unrecognised devices
- Your voicemail forwards to an unknown number
- You receive an unexpected email from your carrier about an account change
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Hi, I've lost my phone and need to transfer [carrier] number [phone number] to a new SIM. Here are my account details: [personal info].
Your [carrier] account has been updated. If you did not make this change, contact us at [fake link].
We noticed a SIM transfer request on your account. Confirm this was you at [fake link] or call [number].
Your new SIM is active. Your old SIM [code] is now deactivated. Contact [carrier] if you have questions.
Common variations
- Port-out scam — number ported to a different carrier rather than transferred within the same one
- Insider-assisted SIM swap — carrier employee bribed or coerced to process the transfer
- In-store impersonation — fraudster visits a retail store with a fake ID
- Online account takeover — carrier's web portal used with stolen login credentials
- Targeted celebrity/executive attack — public figures targeted due to visible wealth or assets
- Follow-on phishing — phishing used first to obtain carrier login credentials for the self-service portal
How to verify before you act
If your phone suddenly loses signal in an area where you normally have coverage, and you cannot make calls, send texts, or use mobile data, contact your carrier immediately using a different phone or Wi-Fi calling. Do not assume it is a network outage — treat it as a potential SIM swap and ask whether your number has been transferred.
To reduce the risk of an attack succeeding: set a carrier PIN or account passcode with your mobile provider — a separate code that must be provided before any account changes are made. Ask your carrier whether they support a 'port freeze' or number-lock feature, which requires additional verification before your number can be ported or transferred.
Review the accounts that use your phone number for authentication. For high-value accounts — especially email, banking, and cryptocurrency — switch from SMS-based two-factor authentication to an app-based authenticator or a hardware security key. These methods are not vulnerable to SIM swaps because they do not rely on your phone number.
Payment methods used
- Cryptocurrency wallet drain
- Bank transfer from compromised banking app
- Direct account takeover and resale
Who is usually targeted
- Cryptocurrency holders
- High-value account holders using SMS two-factor authentication
- People whose personal data has appeared in data breaches
- Public figures with identifiable personal details
What to do immediately
- Contact your carrier immediately from another phone or via Wi-Fi calling to report the loss of service
- Ask the carrier to reverse the SIM transfer and lock your account against further changes
- Change passwords on email accounts from a device not dependent on your phone number
- Remove your phone number as a two-factor method on critical accounts and switch to an authenticator app
- Contact your bank to flag potential compromise and check for unauthorised transactions
- Change passwords on all financial and email accounts from a clean, secure device
- Report the fraud to your national cybercrime reporting body
How to prevent it
- Set a carrier PIN or passcode on your account — a separate code required before any changes can be made
- Ask your carrier about number-lock or port-freeze features and enable them
- Switch from SMS two-factor authentication to an app-based authenticator for all important accounts
- Use a hardware security key for highest-value accounts where supported
- Minimise the personal information about you that is publicly available on social media
- Use unique, strong passwords managed by a password manager so one compromise does not cascade
- Enable login alerts on email and financial accounts so you are notified of new device access
- Treat unexpected loss of phone signal as an emergency — contact your carrier immediately, do not wait
Evidence to preserve
- Screenshot or note of the exact time your phone lost signal
- Any email or SMS notifications of account changes you did not make
- Carrier confirmation details about when and how the SIM transfer was requested
- Records of any accounts accessed or changed without your authorisation
- Bank or financial account statements for the period of the attack
- Screenshots of login alerts from unrecognised devices
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
How do SIM swaps happen if my carrier asks for ID?
Fraudsters use personal data collected from breaches, social media, or phishing to answer identity questions convincingly. Some also visit stores with forged documents or exploit weaknesses in phone-based verification. Setting a dedicated carrier PIN adds a layer that is harder to bypass.
What should I do the moment my phone loses signal unexpectedly?
Treat it as a possible SIM swap, not just a coverage issue. Use another device or Wi-Fi calling to contact your carrier immediately. Check your email on a device not relying on your number for two-factor authentication, and look for any password-reset notifications.
Can I recover accounts taken over during a SIM swap?
Often yes, but recovery takes time. Regaining control of accounts requires contacting each service's support team, proving your identity through alternative means, and requesting account restoration. The sooner you act, the better your chances before the attacker changes recovery options.
Does using an authenticator app prevent SIM swap attacks?
Yes — app-based authenticators generate codes on the device itself and are not linked to your phone number. A SIM swap cannot redirect authenticator codes. This is the single most effective technical step for protecting accounts against SIM swaps.
Is cryptocurrency especially at risk?
Cryptocurrency exchanges that use SMS two-factor authentication are a frequent target because transactions are high-value and difficult to reverse. If you hold cryptocurrency, using an authenticator app and a hardware key where possible is strongly recommended.
Can I freeze my number to stop this happening?
Many carriers offer account-level security features such as number-lock, port freeze, or a mandatory waiting period before transfers. Ask your carrier what options are available and enable them. The specific features vary by provider and country.
Does a carrier PIN guarantee protection?
A carrier PIN significantly raises the bar — an attacker needs to know the PIN as well as your other details. It is not a perfect guarantee, but it is one of the most effective and accessible protections available. Combine it with app-based two-factor authentication for best results.
What if the SIM swap came from inside the carrier?
Insider-assisted SIM swaps do occur, though they are rare. If you suspect carrier employee involvement, escalate to the carrier's fraud department, document everything, and report to your national telecommunications regulator in addition to police.