What Is a SIM Swap?
A SIM swap attack (also known as SIM hijacking, port-out scam, or SIM splitting) is an account takeover technique in which fraudsters request a SIM replacement (or initiate an MSISDN porting order) from a mobile carrier. This enables them to intercept SMS or calls on their own device, including password reset links and one-time passcodes (OTPs).
The fraudster can then exploit SMS-based Two-Factor Authentication (2FA) to commit banking fraud and gain access to the victim’s accounts. SIM swap scams are often financially motivated and have resulted in:
- Identity theft
- Stolen credit card information
- Drained bank accounts or digital wallets
- Damage to the victim’s contacts
Cryptocurrency exchanges have become prime targets in recent years, with victims losing millions, as seen in the FTX-related SIM swap fraud ring that stole $400 million in crypto. A growing number of high-profile social media accounts have also been targeted for pump-and-dump stock schemes to inflict reputational damage and spread disinformation.
How Do SIM Swap Attacks Work?
Fraudsters carry out SIM swap frauds by deceiving mobile carriers into transferring victims’ phone numbers onto new SIM cards in their possession.
In a legitimate context, SIM swapping is a service that enables individuals to retain their phone number when switching to a new phone or carrier. However, attackers exploit this process by impersonating the victim or using stolen information to hijack the victim’s mobile identity.
Group-IB’s analysis, “The Evolution of SIM Swapping Fraud,” reveals three primary methods used in SIM swapping, including:
- Phishing websites, where victims were tricked into entering personal and financial details on fake websites.
- Social engineering phone calls, where fraudsters posed as officials, bank representatives, or service providers.
- Hybrid approaches, where fraudsters combine phishing sites with follow-up calls to the victims.
We’ll explore these methods and the stages of a SIM swap attack in more detail below.
Step 1: Profiling and Data Theft
The attacker first collects personal information about the victim. This can include full name, date of birth, address, national ID numbers, mother’s maiden name, account PINs, and answers to security questions.
Key methods:
- A victim’s details are obtained through malware, phishing emails, or websites that trick them into entering credentials or personal data. In a majority of cases, phishing websites have been the primary entry point for SIM swap fraud.
- Attackers also use smishing (SMS phishing) and vishing calls, steal information from data breaches, buy leaked data on the dark web, or scrape social media.
- Background check services or OSINT tools can also be used to access leaked personal records.
Step 2: Deceiving Mobile Providers
Fraudsters contact your mobile provider (posing as you), requesting a SIM card replacement. Several SIM swap cases have shown how attackers barraged the victim’s phone with calls or texts to make them turn it off or ignore real carrier alerts.
Key methods:
- They claim the phone was lost or damaged and request that the number be transferred to a new SIM card.
- If the carrier’s verification is weak or the attacker has convincing information, the carrier approves the SIM swap. This stage can involve bribing or insider help through offers on underground forums.
- Attackers may also exploit eSIM platforms or mobile apps to initiate a port-out remotely by tricking the victim into approving a verification request.
Step 3: Completing the Swap and Account Takeovers
The victim’s phone loses service (the original SIM is deactivated once the swap is done), while the attacker’s SIM receives all incoming calls and texts. Fraudsters view SIM swaps as the most robust way to bypass SMS-based authentication for account takeovers, a capability not guaranteed by simpler phishing tricks.
Key methods:
- They proceed to reset passwords on your online banking or crypto accounts, email, and other targets before the victim notices.
- They will enter the victim’s username on the login page, click “Forgot password,” and use SMS 2FA codes to unlock the account.
- The fraudster can now initiate bank transfers or crypto transactions, engage in social engineering tactics, manipulate the victim’s contacts, or interact with service providers in the victim’s name.
While most mobile transactions require additional biometric security methods (such as the user’s face or fingerprint), attackers can circumvent them by using a confirmation authentication code sent to the phone number instead. Some schemes bypass SMS-based authentication entirely by exploiting SS7 (Signaling System 7) protocols used in telecom networks. In SS7 attacks, attackers can intercept and redirect text messages without performing a SIM swap.
Further investigations using Group-IB’s Threat Intelligence revealed that 39% of SIM fraud scams involved multiple unauthorized transactions. Figure 1 illustrates how attackers exploit multiple entry points, including stolen credit card information and mobile banking apps, to conduct unauthorized transactions.
They target fast, frictionless payment systems such as e-commerce platforms (secured by 3DS) and direct payments to merchants and digital wallets. Fraudsters were also able to perform physical point-of-sale (POS) transactions via Apple Pay and Android Pay. This trend highlights how criminals coordinate SIM swapping with tactics that appear legitimate, making it harder for banks and security teams to detect unauthorized SIM swaps.
Are SIM Swap Scams on the Rise?
Fraud databases have recorded an increase in SIM swap attacks over recent years, driven by the widespread use of SMS for authentication and the allure of quick financial rewards. Phishing attacks remain a primary gateway for these schemes.
According to the FBI’s 2023 Internet Crime Report, over $48 million in losses were reported due to port jacking or SIM-swapping scams. The UK’s 2025 Fraudscape report reveals a surge of up to 1,055% in 2024, with nearly 3,000 cases reported (compared to 289 in 2023), impacting multiple telecoms organizations.
Several factors contribute to the rise in SIM swap fraud, as outlined below.
- Criminals exploit the growing reliance on SMS 2FA. Many banks, email providers, and crypto exchanges rely on texting a one-time PIN to verify logins or password resets.
- The anonymity of digital currency makes cryptocurrency theft a highly profitable crime, where fraudsters gain access to digital wallets via SIM swaps. Transfers are generally irreversible and harder to trace compared to traditional financial transactions.
- The use of eSIM (embedded digital SIMs) has introduced new opportunities. If an attacker can register a victim’s number to an eSIM on a device they control, they achieve the same outcome without needing a physical SIM card.
- Fraudsters use social media platforms like Facebook and Instagram to access publicly available personal data. Attackers use direct messaging to impersonate trusted contacts, tricking victims into sharing phone numbers or other sensitive details.
- The growing underground economy for SIM swap services has significantly lowered the barrier to entry. SIM-swapping related Telegram channels advertise identity kits and recruit insiders from telecom companies to facilitate fraudulent attacks. The popularity of such services indicates an increasing desire, particularly among younger users, to engage in this tactic.
- Criminals are increasingly leveraging SIM swap attacks alongside other cybercrime trends like phishing-as-a-service (PhaaS), credential theft, and money mule networks. Organized phishing networks use SIM swaps to launder funds to mule accounts, exploiting a key vulnerability in banking applications.
Understanding the latest phishing tactics can help counter the rise of SIM swap scams, as attackers frequently exploit human error to gather sensitive personal details used to initiate SIM swaps. Based on an in-depth investigation into PostalFurious, Group-IB’s phishing investigation guide equips security teams with proven strategies to quickly detect and stop these fraud attempts.
Warning Signs That You’re the Victim of a SIM Swap
When attackers pull off a SIM swap attack, your phone number and the one-time codes tied to it move to a new SIM card under their control. From then on, they can reset passwords, drain bank accounts, and lock you out of nearly every service linked to your mobile number.
Here are the warning signs of unauthorized SIM swapping, either as it’s unfolding or soon after:
- Sudden loss of phone service. If your mobile device displays “No Service” or you’re unable to make calls despite having paid your bill, it could be a sign that your SIM has been deactivated due to a swap.
- Unauthorized transactions. If you suddenly see transactions you don’t recognize, SIM swapping might be the cause. In this case, you must call the bank to dispute unauthorized charges and secure your accounts before the damage gets worse.
- Locked-out bank or email accounts. Passwords are suddenly invalid, or you receive “Your password has been changed” alerts. Attackers use the captured SMS channel to reset credentials.
- Unusual account activity. You might receive emails about password resets, account recovery, login attempts, or 2FA codes that you didn’t request. Your contacts might also receive suspicious texts or WhatsApp messages from your number.
- Blocked accounts. You’re unable to access your online banking, email, or social media accounts, indicating attackers have already reset passwords using your hijacked phone number.
Immediate Actions if You Notice These Signs
- Call your carrier from another phone and request a SIM-swap lock or port freeze.
- Log in quickly from a trusted device and change passwords on high-value accounts (email, banking, social).
- Disable SMS-based MFA where possible; switch to app-based authenticators or hardware keys.
- File a fraud report with your carrier and affected financial institutions.
- Monitor credit and transaction alerts for at least 30 days.
Tools and Techniques for Early SIM Swap Detection
Some telecom operators enable early SIM swap detection by providing real-time alerts whenever a SIM card is reissued or ported to a new device. 80% of SIM swap attempts succeed if not promptly caught. Receiving these alerts early reduces the window of opportunity for fraudsters, giving you a better chance to prevent significant financial damage.
In addition to staying vigilant, individuals and organizations can rely on the following services to help detect SIM swapping attempts in the early stage.
1. Carrier-Verified SIM-Swap APIs
Mobile-network operators now expose “SIM-swap check” interfaces, typically part of the GSMA/CAMARA framework or the Telefónica Open Gateway, that tell you when a phone number was last re-provisioned or ported. It is the most reliable way to confirm a recent swap because the data comes directly from the carrier’s core network.
Actionable steps:
- Sign a business-to-business agreement with your primary carrier (or its wholesale partner) for SIM-swap API access.
- Have your developers call the API during high-risk points such as login, password reset, or funds transfer.
- Set a rule in your identity platform: if last-swap ≤ 24 hours → require app-based MFA or hardware key; otherwise allow the normal flow.
- Log each API response for audit evidence and post-incident forensics.
2. Third-Party SIM-Swap Lookup Services
If you serve customers across multiple carriers or countries, integrating with every telco separately is impractical. Aggregators such as Twilio Lookup (and several regional providers) bundle many carrier feeds into one API, returning a simple flag that the SIM changed recently.
Actionable steps:
- Create an account with a lookup provider and obtain API credentials.
- Insert the lookup call alongside existing fraud checks (device fingerprint, IP reputation) in your login backend.
- Cache responses for an hour or two to control cost while still catching fresh swaps.
- Trigger an alert to your Security Operations Center (SOC) whenever a swap flag coincides with a large transaction or profile change.
3. Risk-Based Fraud Engines
Device-intelligence platforms such as Group-IB Fraud Protection evaluate hundreds of signals (device fingerprint, behavioural patterns, IP anomalies) and can ingest the carrier or aggregator SIM-swap result as just another factor. The engine then issues a single risk score for each session.
Actionable steps:
- Deploy the vendor’s JavaScript snippet or mobile SDK to collect device and behavioural data.
- Feed SIM-swap results into the same risk engine via a custom attribute.
- Define automatic actions: allow, step-up, or block based on a risk-score threshold that you fine-tune during a pilot phase.
- Monitor the engine’s dashboard to validate that genuine users pass and bot traffic is curtailed.
4. Adaptive MFA and Conditional-Access Rules
Even with authoritative SIM-swap data, you still need policy logic that decides what to do when a swap is detected. Modern identity providers (Azure AD Conditional Access, Okta Adaptive MFA, PingOne, etc.) let you build “if/then” trees.
Actionable steps:
- Create a conditional rule: IF SIM swapped in last X hours OR device risk ≥ Medium THEN require FIDO2 key or offline TOTP; ELSE allow passkey or push.
- Pilot the policy with a small user group to measure friction and false positives.
- Roll out organization-wide once help-desk feedback confirms the workflow is clear.
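The 24-hour rule from the carrier API section and the conditional rule above reduce to one decision function, shown here as an added example that is not Group-IB’s or any identity provider’s code. The carrier reply shape (`last_sim_change`), the `DeviceRisk` levels, the HMAC key and the sample number are assumptions or constructed values; map them to what your carrier and risk engine actually return.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from enum import IntEnum

SWAP_WINDOW = timedelta(hours=24)        # "last-swap <= 24 hours"; the X in the rule
AUDIT_KEY = b"constructed-demo-key"      # placeholder; load from a secret store


class DeviceRisk(IntEnum):               # assumed levels from a risk engine
    LOW = 0
    MEDIUM = 1
    HIGH = 2


def parse_last_swap(resp):
    """Return (timestamp, status); status is 'ok', 'none_on_record' or 'error'.

    `resp` is a hypothetical carrier reply such as
    {"last_sim_change": "2025-05-02T11:15:00+02:00"}; None models a failed call.
    """
    if resp is None:
        return None, "error"
    raw = resp.get("last_sim_change")
    if raw is None:
        return None, "none_on_record"
    try:
        ts = datetime.fromisoformat(raw)
    except (TypeError, ValueError):
        return None, "error"
    if ts.tzinfo is None:                # naive time cannot be compared to `now`
        return None, "error"
    return ts, "ok"


def decide(resp, device_risk, now):
    """IF SIM swapped within SWAP_WINDOW OR device risk >= Medium THEN step up."""
    last_swap, status = parse_last_swap(resp)
    if status == "error":
        # Fail closed: an unanswered check must not be read as "no swap".
        return "step_up", "sim_swap_check_unavailable"
    if status == "ok":
        age = now - last_swap            # `now` must be timezone-aware
        if age < timedelta(0):
            return "step_up", "sim_swap_timestamp_in_future"
        if age <= SWAP_WINDOW:
            return "step_up", "sim_swapped_recently"
    if device_risk >= DeviceRisk.MEDIUM:
        return "step_up", "device_risk"
    return "allow", "no_recent_swap"


def audit_record(msisdn, resp, decision, reason, now):
    """Log line for audit and forensics; the number is stored as a keyed digest."""
    tag = hmac.new(AUDIT_KEY, msisdn.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"ts": now.isoformat(), "msisdn_hmac": tag,
                       "carrier_response": resp, "decision": decision,
                       "reason": reason}, sort_keys=True)


if __name__ == "__main__":
    now = datetime(2025, 5, 2, 12, 0, tzinfo=timezone.utc)   # constructed clock
    samples = [                                              # constructed replies
        ({"last_sim_change": "2025-05-02T11:15:00+02:00"}, DeviceRisk.LOW),
        ({"last_sim_change": "2025-03-01T08:00:00+00:00"}, DeviceRisk.MEDIUM),
        ({"last_sim_change": None}, DeviceRisk.LOW),
        (None, DeviceRisk.LOW),
    ]
    for resp, risk in samples:
        decision, reason = decide(resp, risk, now)
        print(audit_record("+15555550100", resp, decision, reason, now))
```

Here `step_up` stands for the stronger factor the rule demands (FIDO2 key or offline TOTP), and a failed or malformed carrier reply is treated the same as a recent swap.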
5. Transaction-Time Re-Checks
Attackers sometimes wait until a user logs in legitimately, perform a SIM swap, and then attempt a wire transfer. Re-validating the SIM status right before a sensitive action closes that gap.
Actionable steps:
- Integrate a second SIM-swap API call just before executing high-risk events (bank transfer, password change, adding a payee).
- If the swap flag is true, freeze the action and launch an out-of-band verification (call-back, video KYC).
- Record the incident in your SIEM for ongoing fraud analytics and reporting.
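The caching advice for lookup services and the transaction-time re-check interact: a cached "not swapped" answer from login is exactly what a mid-session swap defeats. The sketch below is an added example, not code from any lookup provider. The `lookup` callable, event names, return strings and the phone number are hypothetical or constructed.

```python
import time

CACHE_TTL = 3600                                  # seconds; "an hour or two"
HIGH_RISK = {"bank_transfer", "password_change", "add_payee"}


class SimSwapGate:
    """Cached lookups at login, uncached re-check before high-risk events."""

    def __init__(self, lookup, clock=time.monotonic):
        self._lookup = lookup      # hypothetical wrapper: msisdn -> bool
        self._clock = clock
        self._cache = {}           # msisdn -> (swapped, fetched_at)
        self.siem_events = []      # stand-in for a SIEM forwarder

    def swapped(self, msisdn, fresh=False):
        hit = self._cache.get(msisdn)
        if not fresh and hit and self._clock() - hit[1] < CACHE_TTL:
            return hit[0]
        result = bool(self._lookup(msisdn))
        self._cache[msisdn] = (result, self._clock())
        return result

    def on_login(self, msisdn):
        return "step_up" if self.swapped(msisdn) else "allow"

    def before_action(self, msisdn, event, amount=0):
        if event not in HIGH_RISK:
            return "allow"
        try:
            # Bypass the cache: the login-time answer may already be stale.
            flag, reason = self.swapped(msisdn, fresh=True), "sim_swap_flag"
        except Exception:
            flag, reason = True, "lookup_failed"   # fail closed
        if not flag:
            return "allow"
        self.siem_events.append({"type": "sim_swap_at_transaction",
                                 "reason": reason, "event": event,
                                 "amount": amount, "msisdn_tail": msisdn[-4:]})
        return "freeze_pending_out_of_band_verification"


def run_scenario():
    """Constructed timeline: login, then a swap, then a transfer attempt."""
    carrier_state = {"+15555550100": False}        # constructed test number
    gate = SimSwapGate(lambda n: carrier_state[n], clock=lambda: 1000.0)
    login = gate.on_login("+15555550100")          # allow; result is cached
    carrier_state["+15555550100"] = True           # number re-provisioned mid-session
    stale = gate.swapped("+15555550100")           # cache still answers False
    action = gate.before_action("+15555550100", "bank_transfer", amount=9500)
    return login, stale, action, gate.siem_events


if __name__ == "__main__":
    print(run_scenario())
```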
6. Consumer-Side Safeguards
Not all risk can be mitigated server-side. End-user education and carrier-level locks add another defensive layer.
Actionable steps:
- Provide a quick link and instructions for users to set a port-out or SIM-swap PIN with their carrier.
- Make app-based or hardware-key MFA the default, leaving SMS codes only as a fallback.
- Enable instant alerts when a phone number or recovery method is changed in the user’s profile.
- Publish a “lost-signal checklist” (e.g., call support from another line within 30 minutes) so victims can act quickly.
How to Respond if You’re a Victim of SIM Swapping
If you suspect a SIM swap has already happened (e.g., you’ve lost service and suspect fraud), contact your mobile service provider immediately to suspend the number. While most victims report fraud on the same day, a significant portion delays action, increasing risk exposure.
Here’s what you can do to regain control of your accounts and phone number:
1. Contact your mobile service provider
Regaining control starts with getting your number back. Call your provider via an airtime-free call that works even if your device has been deactivated.
They will suspend the number and help secure your account with a new PIN or verification method. They can also confirm if a SIM swap was made.
2. Notify your banks, crypto exchanges, and financial institutions
Request that they freeze accounts and block all transactions. Report any unauthorized transactions to start the dispute process. Many banks have response teams for digital fraud that will walk you through the necessary steps to protect your finances.
For crypto exchanges, quickly move any remaining funds to a secure wallet under your control and revoke smart contract permissions.
3. Reset your passwords and disable 2FA
Change your passwords to something strong and unique and disable 2FA in account settings to prevent attackers from locking you out of more accounts.
Start with your email access, which can be used to reset other accounts. Use any recovery keys that were previously stored offline (Google, Microsoft, and most crypto exchanges issue these during 2FA setup).
Some services let you recover an account by proving prior ownership (confirming old passwords, the month you created the account, or recent login locations).
4. Check for secondary compromises
Once you have your number back, review your accounts for any new forwarding rules, recovery emails added, or devices authorized that you don’t recognize.
Attackers often add themselves as backups or modify security settings to maintain access. Remove any you find. Additionally, monitor your financial statements and account activity regularly over the following weeks.
5. File reports
In cases of significant theft, report the incident to law enforcement and consumer protection agencies. While recovery of funds is unfortunately rare in SIM swap cases, reporting creates an official record and can aid in insurance or legal claims.
Group-IB’s certified Digital Forensics and Incident Response laboratory assists organizations in collecting and documenting digital evidence in compliance with legal requirements, thereby supporting asset recovery and prosecution.
Examples of SIM Swap Attacks
Group-IB’s Fraud Protection system continues to surface SIM swap cases, and our recent investigation into a phishing network targeting insurance customers reveals how quickly these attacks can escalate into severe financial losses.
Below are a few headline incidents that highlight how attackers leverage SIM swapping to drain funds, seize official accounts, and disrupt business operations.
1. Hijacking of SEC Account (January 2024)
The U.S. Securities and Exchange Commission’s account was hacked to issue a fake announcement claiming that the agency had approved Bitcoin ETFs for trading on securities exchanges.
What happened:
- The X account (@SECGov) was hacked through a SIM-swapping attack on the mobile phone number associated with the account.
- Multi-factor authentication (MFA) was not enabled, as the agency had asked X support to deactivate it when encountering problems logging into the account. Had MFA been enabled via SMS, the hackers would still have been able to breach the account, as they would have received the OTPs.
While MFA is often implemented as a form of enterprise Identity Access Management (IAM) to prevent credential theft and dictionary attacks, techniques that circumvent MFA have existed for some time. See Group-IB’s analysis of the phishing campaign going after Okta identity credentials for a deeper look at how attackers bypass MFA to conduct supply chain attacks.
2. Powell SIM Swapping Crew (2021 – 2024)
In January 2024, U.S. authorities charged a criminal ring with conducting one of the largest SIM swap schemes on record.
What happened:
- Attackers used SIM swaps to steal $400 million in cryptocurrency from 50 victims, including one company.
- They allegedly used identification card printers to forge documents, then posed as victims visiting Apple, AT&T, Verizon, and T-Mobile retail stores.
3. Marks & Spencer Cyber Attack (April 2025)
The hacking group Scattered Spider, best known for attacks on MGM and Caesars, targeted the UK retailer Marks & Spencer in a cyber attack.
What happened:
- Attackers impersonated employees and tricked IT help desk staff using SIM-swapped phone numbers to reset credentials and gain access to internal systems.
- The incident caused significant operational disruption and resulted in M&S losing millions in sales.
Best Practices for Preventing SIM Swap Fraud
To protect against SIM swap attacks, individuals must secure their mobile numbers and accounts; financial institutions must enhance their authentication processes; and mobile carriers must strengthen customer validation. SMS-based verification should be recognized as inherently vulnerable.
We’ll explore these best practices in more detail below.
For Businesses
- Disable SMS OTP for admin, finance, and API accounts, then implement conditional-access rules that demand MFA again when a login comes from a new device or location. Require FIDO2 hardware keys or push-based authenticator apps for every privileged user and all high-value actions.
- Educate your workforce about SIM swap fraud and social engineering (such as recent ClickFix attacks) so that they report suspicious requests related to their phone numbers or accounts.
- Enroll executives and admins in carrier “number-lock/port-freeze” programs and use Mobile Device Management (MDM) tools to alert your SOC if any device reports a new SIM or IMSI.
- Maintain a tested incident response plan for account takeover (ATO) attempts. Isolate affected accounts immediately, freeze transactions, require out-of-band identity re-verification, capture forensic logs, and assign roles across SOC and customer support teams.
For Individuals
- Set up a PIN or passcode on your mobile carrier account. Some carriers offer the option to set a “Do Not Port” flag or additional ID checks if someone tries to make changes to your account.
- Replace SMS-based 2FA with authenticator apps (such as Google Authenticator and Authy) or hardware security keys for essential accounts. Many SIM swap frauds target crypto and bank accounts that use SMS 2FA, so removing that vector significantly reduces the risk.
- Never reveal OTPs or PINs related to your accounts and phone numbers. Stay alert for unexpected 2FA prompts or password reset messages. If you receive one without initiating it, take immediate action (in our experience, it’s rarely a blip in the ether).
- Use a separate phone number (or VoIP line) for everyday sign-ups and social media, and reserve your main number exclusively for banking and other essential accounts.
For Financial Institutions and Carriers
- Banks should implement risk-based authentication for high-risk actions, combining device fingerprinting, geolocation, and carrier SIM-swap signals. Several banks now block wire transfers if a customer’s SIM was reissued within the past 24 hours.
- Mobile carriers need to strengthen SIM-swap controls with equal levels of verification for new and existing customers. They should require a one-time PIN sent to the existing SIM and photo ID verification in-store before porting out. Ofcom in the UK and the FCC in the US already mandate this approach.
- Treat failed fraud attempts as early indicators of reconnaissance attacks rather than isolated incidents. Customer service teams should monitor changes on CRM systems for suspicious account activity sequences and patterns of upgrade resetting.
- Fraudsters trade SIM-swap kits, mule accounts, and stolen numbers in real time, so banks should share threat intelligence feeds (e.g., FS-ISAC, SWIFT ISAC, Visa CAMS) to help auto-block repeat attempts. They can also coordinate with merchants and identity verification providers to distribute URL blocklists and takedown statuses, effectively shrinking the victim pool.
Does Group-IB Offer SIM Swap Protection?
Group-IB’s Fraud Protection solution combines device fingerprinting, fraud intelligence, and behavioral analysis to protect user accounts against SIM swap attacks.
Here’s how our anti-fraud solution bolsters your organization’s protection at multiple levels:
Verifies device and SIM identifiers for each login or payment.
Group-IB’s device identification technology can monitor user sessions and transaction data in real time to detect signs of fraud.
What this means:
- If a mismatch or recent SIM change is detected, the session is flagged for additional verification or blocked.
- Security teams can integrate device history and geolocation consistency with behavioral analysis (such as typing speed, mouse movement, login habits, session patterns, etc.) and threat intelligence.
- Seamless user authentication within mobile applications through patented Global ID and Cloud ID technologies, reducing false positives by 20% when switching to new devices and SIM cards.
Fraud Protection has enabled AVO Bank to effectively detect session fraud and prevent the theft of customer funds in real time for online portals and mobile apps. The bank can now identify and block phishing attacks targeting top management.
Also, Group-IB’s Digital Risk Protection secures your digital ecosystem by actively monitoring digital assets and eliminating external threats that enable SIM swap attacks.
The Fraud Protection platform secures over 500 million users worldwide from payment fraud and social engineering attacks across web and mobile apps used in banking, fintech services, e-commerce, and gambling.
