
What Is SIM Swapping?


A SIM swap attack, also known as SIM swapping, SIM splitting, port-out scam, simjacking, or SIM jacking, is an account takeover fraud technique that exploits the reliance on phone numbers and SMS for two-factor authentication and account recovery. Attackers target a fundamental weakness: they convince mobile carriers to transfer the victim's phone number to a SIM card controlled by the attacker, enabling interception of all SMS-based MFA codes and password reset links sent to that phone number, according to Wikipedia, Bitsight, SpecOps Soft, and Keepnet Labs research published in 2025.

Unlike technical attacks that exploit software vulnerabilities, SIM swapping operates through social engineering of telecommunications infrastructure. The attack succeeds by convincing carrier support staff that the attacker is the legitimate account holder experiencing a device problem requiring phone number transfer.

How does SIM swapping work?

SIM swap attacks follow a predictable sequence that combines reconnaissance, social engineering, and account compromise.

Stage 1: Intelligence gathering. Attackers collect personal information about the target from several sources: phishing emails that harvest personal details, credentials or personal data purchased from dark web breach databases, social media reconnaissance revealing location, employer, and family names, public records searches for address and phone number format, and previous data breaches exposing name, SSN, and date of birth.

Attackers typically acquire full name, date of birth, phone number, email address, and sometimes partial SSN. This information is often sufficient to pass carrier verification procedures.

Stage 2: Carrier social engineering. The attacker calls the victim's mobile carrier, such as T-Mobile, Verizon, or AT&T, impersonating the victim. The attacker provides the victim's phone number and personal details, claims the phone was lost or damaged, and requests a "carrier change" or "SIM swap" so that the victim's phone number is transferred to a new SIM card controlled by the attacker. Carrier support staff, applying minimal verification procedures, approve the transfer.

In many cases, attackers exploit weak carrier verification that asks only for phone number, name, and DOB, all publicly available, or they social-engineer support staff who lack proper training. 96% of SIM swap cases involve either social engineering or insider collusion at the carrier, according to DeepStrike research published in 2025.

Stage 3: Account takeover. Once the attacker controls the phone number, the attacker visits the target account's login page for email, cryptocurrency, bank, or other services and initiates the "Forgot Password" or "Reset 2FA" flow. A password reset link, 2FA reset link, or SMS OTP is sent to the victim's phone number. Since the attacker now controls that phone number, they receive the SMS. The attacker uses the SMS OTP or reset link to change the password and gains complete account access, including resetting the account's actual 2FA to their own device.

Stage 4: Lateral compromise. With access to the primary email account, the attacker can reset passwords on connected accounts including cryptocurrency wallets, bank accounts, and social media, trigger password resets on business email leading to broader corporate compromise, access recovery codes stored in email or cloud storage, and establish persistence mechanisms like backup email addresses and phone numbers.

Most carriers verify identity using information available on public records or from breaches: name, phone number, date of birth, partial SSN. A sophisticated attacker can convincingly claim to be the victim. Front-line support staff often lack training on social engineering attacks and the severity of SIM swapping. They prioritize customer satisfaction through quick resolution over security.

Some attacks involve paid insider accomplices at carriers who facilitate SIM swaps in exchange for payment, bypassing normal verification procedures entirely. Carriers historically haven't maintained detailed records of SIM changes, making it difficult for victims to prove the fraud occurred or for law enforcement to investigate. Many carriers don't notify account holders of SIM changes via secondary communication channels, delaying victim awareness.

How does SIM swapping differ from other MFA bypass techniques?

SIM swapping employs distinct attack mechanisms and operational characteristics compared to other authentication bypass methods.

| Factor | SIM Swapping | OTP Phishing | MFA Fatigue | Session Hijacking |
|---|---|---|---|---|
| Requires stolen credentials | No | Yes | Yes | No |
| Social engineering required | Yes (high) | Yes (medium) | No | No |
| Technical complexity | Low | Low | Low | High |
| Timeline to compromise | Hours-days | Minutes | Minutes-hours | Immediate |
| SMS-based MFA vulnerable | Yes | Yes | No (if app-based OTP used) | No |
| Reversibility | Difficult (carrier needed) | Difficult | Partial (user can reject) | No |
| Cost to attacker | Medium (time-intensive) | Low ($10-$50) | Low | Medium |
| Prevalence (2025) | Growing rapidly | Growing | 25% of attacks | Rising |
| Success rate | 20-30% (80% with insider help) | 40-60% (untrained users) | 10-20% (initial attempt) | 70%+ |
| Detection difficulty | High initially | Medium | Medium (multiple prompts) | High |
| Ideal for | High-value targeted attacks on SMS-protected accounts; cryptocurrency theft | Automated bot-based campaigns exploiting user cooperation | Exploiting weak rate limiting and psychological pressure | Evading authentication entirely with stolen cookies |

OTP phishing and MFA fatigue require stolen credentials to initiate authentication flows. SIM swapping can be attempted using only publicly available personal information. Session hijacking operates post-authentication and requires malware or network access. SIM swapping uniquely targets telecommunications infrastructure rather than application-layer security.

The timeline differs substantially. OTP phishing and MFA fatigue achieve compromise within minutes to hours. SIM swapping often requires hours to days to complete the full attack chain from initial carrier contact through account takeover. Session hijacking provides immediate access once cookies are stolen.

Why does SIM swapping matter?

The prevalence and financial impact of SIM swapping attacks demonstrate significant risk to both individuals and organizations.

The FBI's Internet Crime Complaint Center (IC3) received 982 complaints related specifically to SIM swapping attacks in 2024, with total reported losses exceeding $26 million, according to FBI IC3 data and DeepStrike research published in 2025.

Global surge indicators reveal substantial growth. The UK Fraudscape Report documented a staggering 1,055% surge in unauthorized SIM swaps from 2023 to 2024, rising from 289 cases to almost 3,000 cases in 2024. Additionally, 48% of all account takeovers in the UK involved mobile phone accounts in 2024, according to DeepStrike and Bitsight research. Kenya's Safaricom experienced a 327% increase in SIM swapping from 2024 to 2025, jumping from 11 cases to 47 cases, demonstrating global spread beyond developed markets, according to DeepStrike.

In a landmark arbitration case in March 2025, T-Mobile was ordered to pay $33 million to a customer who lost cryptocurrency after a SIM swap attack. This is the largest known SIM swap settlement and sets precedent for carrier liability and negligence, according to DeepStrike and Keepnet Labs research.

SIM swap attacks predominantly target cryptocurrency holders due to high financial stakes with accounts holding $100K-$1M+ in assets, limited recovery mechanisms compared to banks, and irreversible transactions once executed. $28.4 million in cryptocurrency-specific SIM swap losses were reported in 2024, according to DeepStrike and Bitsight.

Individuals aged 60+ suffered the highest financial losses at $6.3 million, with those 61+ representing 29% of UK account takeover victims—a 90% year-on-year increase, indicating attackers increasingly target vulnerable demographics, according to DeepStrike.

Scattered Spider, also known as Octo Tempest, a threat actor group first observed in 2022, is known for targeting mobile telecommunications providers and business process outsourcing (BPO) organizations to facilitate SIM swapping attacks. Their operations combine SMS phishing, sophisticated social engineering, and AiTM techniques, according to NetRix Global research published in 2025.

What are the limitations of SIM swapping attacks?

Despite their effectiveness, SIM swapping attacks face operational and defensive constraints that limit success rates in certain environments.

Carrier-level defenses have improved significantly since 2024. Following high-profile breaches and the T-Mobile settlement, major carriers including T-Mobile, Verizon, and AT&T have strengthened verification procedures: in-person verification for SIM swaps, secondary notification via registered email before a SIM change is activated, longer delay windows of 48 hours before a SIM change becomes active so the user can reverse it, and PIN-protected accounts that require additional secret questions.

These changes have reduced SIM swap success rates from 40-60% to 15-25% for carrier-level attacks, though insider-assisted attacks still succeed at high rates.

Physical proximity awareness can limit attacks. If the victim is nearby and realizes their phone has lost signal during the SIM swap, they may quickly contact the carrier to reverse it before the attacker completes account takeover.

Account recovery options beyond SMS frustrate SIM swapping. Modern platforms increasingly offer recovery codes stored securely (written down or in an encrypted backup), backup email addresses not tied to a phone number, security questions, and third-party account recovery like Google account recovery via trusted contacts. These alternatives provide paths to account recovery that don't rely on SMS.

Law enforcement investigation now treats SIM swap attacks seriously. FBI and Secret Service investigators can identify insider collusion or patterns of fraud using carrier records and timestamp data, leading to arrests. Notable 2024-2025 prosecutions have deterred some lower-level attackers.

Detection through monitoring enables rapid response. Victims can watch for unusual account access from an unexpected location or device, password change notifications from accounts, cryptocurrency withdrawal alerts from wallets, and email forwarding rule changes. Immediate action, including password reset and asset transfer, can be taken within minutes if alerts are monitored in real time.

How can organizations defend against SIM swapping?

Defense against SIM swapping requires eliminating reliance on SMS-based authentication and implementing alternative security controls.

Eliminate or restrict SMS-based MFA. Move from SMS-based MFA to authenticator apps like Google Authenticator, Authy, or Microsoft Authenticator, which generate codes locally so that nothing is transmitted via SMS. For accounts that must use SMS, implement SMS filtering to prevent interception. Deploy hardware security keys using FIDO2 as primary MFA with SMS as fallback only. The FBI and CISA have officially recommended against SMS for authentication, citing lack of encryption and ease of interception, according to FBI and CISA guidance published in 2025 and SpecOps Soft research.

Deploy hardware security keys (FIDO2) as the primary authentication method. Implement FIDO2 hardware tokens or platform authenticators like Windows Hello or Face ID that cannot be compromised via SIM swapping. FIDO2 verifies the legitimate service before authenticating, making SIM swapping irrelevant to the authentication process. Prioritize FIDO2 deployment for high-value accounts including admin, financial, cryptocurrency, and email, according to Trend Micro and Keepnet Labs research.

Implement strong account recovery mechanisms beyond SMS by requiring users to register multiple recovery email addresses not tied to the compromised phone number, generating and securely storing account recovery codes as printed or encrypted backup, implementing "trusted contacts" or "trusted devices" for account recovery, and requiring security questions in addition to phone verification for sensitive resets. This ensures that even if SMS is compromised, account recovery has alternative paths, according to SpecOps Soft and Keepnet Labs research.

Deploy account security notifications by sending all account change notifications to multiple channels including primary email, secondary email, and SMS. If email and phone show conflicting information, flag as potential compromise. Notify users of any SIM change detected on their phone number, which some carriers now offer. Enable users to "lock" their account to prevent unauthorized changes, according to Keepnet Labs.

Implement behavioral analytics and impossible travel detection: monitor for impossible travel, where an account is accessed from different countries within an impossible timeframe; alert on account password changes combined with an unusual device or location; monitor for lateral movement, where a successful login to a primary account is immediately followed by attempts to access linked accounts like email and crypto wallets; and implement real-time fraud scoring based on behavioral patterns, according to Bitsight and Vectra AI research.
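The three correlation rules described above, run over a handful of constructed events. This is an added example, not code from any vendor named on this page; the Event record, the rule names, the 900 km/h speed ceiling, and the 30-minute pivot window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900                         # assumed ceiling, about airliner speed
PIVOT_WINDOW = timedelta(minutes=30)  # assumed correlation window

@dataclass
class Event:                          # hypothetical normalized auth-log record
    ts: datetime
    user: str
    kind: str                         # "login" | "sms_reset" | "linked_access"
    device: str
    lat: float
    lon: float

def km_between(a, b):
    """Haversine great-circle distance between two events, in km."""
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def detect(events):
    """Return a sorted list of (user, rule) alerts."""
    alerts, last, devices, flagged_reset = set(), {}, {}, {}
    for e in sorted(events, key=lambda ev: ev.ts):
        prev, seen = last.get(e.user), devices.setdefault(e.user, set())
        if prev:
            hours = (e.ts - prev.ts).total_seconds() / 3600
            dist = km_between(prev, e)
            # Ignore short hops (geo-IP noise); flag speeds no traveller reaches.
            if dist > 50 and (hours == 0 or dist / hours > MAX_KMH):
                alerts.add((e.user, "impossible_travel"))
        # An SMS-driven reset from a device this user has never used before.
        if e.kind == "sms_reset" and seen and e.device not in seen:
            alerts.add((e.user, "reset_from_new_device"))
            flagged_reset[e.user] = e.ts
        # Access to a linked account shortly after a flagged reset.
        reset_ts = flagged_reset.get(e.user)
        if e.kind == "linked_access" and reset_ts and e.ts - reset_ts <= PIVOT_WINDOW:
            alerts.add((e.user, "post_reset_pivot"))
        seen.add(e.device)
        last[e.user] = e
    return sorted(alerts)

def _ev(hhmm, user, kind, device, lat, lon):
    ts = datetime.fromisoformat(f"2025-01-15T{hhmm}:00")
    return Event(ts, user, kind, device, lat, lon)

SEA, FRA = (47.61, -122.33), (50.11, 8.68)   # Seattle, Frankfurt
SAMPLE = [  # constructed events, not real log data
    _ev("09:00", "alice", "login", "laptop-1", *SEA),
    _ev("09:40", "alice", "sms_reset", "phone-x", *FRA),
    _ev("09:50", "alice", "linked_access", "phone-x", *FRA),
    _ev("09:00", "bob", "login", "laptop-2", *SEA),
    _ev("10:00", "bob", "sms_reset", "laptop-2", *SEA),
    _ev("10:05", "bob", "linked_access", "laptop-2", *SEA),
]

if __name__ == "__main__":
    for user, rule in detect(SAMPLE):
        print(user, rule)
```

Bob's reset comes from his usual device and location, so it raises nothing; only the combination of signals on alice's account is flagged.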

Deploy user education on SIM swapping by educating users that carriers will never request account verification via unsolicited calls, teaching users to recognize social engineering attempts, and advising users to proactively contact carriers and request SIM swap protection, including PIN/password protection for the account, a verbal passphrase requirement for support calls, a whitelist of authorized devices, and in-person-only SIM changes. Organizations should educate employees on SIM swapping risks and carrier protection options, according to SpecOps Soft and Keepnet Labs research.

Advocate for carrier-level security measures by verifying that carriers implement biometric or in-person verification for SIM changes, SMS PIN/password-protected accounts, delayed activation windows of 48 hours before SIM changes become active, automatic verification via secondary email before SIM swap is completed, and comprehensive audit logs of all SIM changes with timestamps and support agent IDs.

Deploy continuous credential monitoring to monitor for leaked personal information including SSN, name, and DOB in dark web breach databases, notify users immediately if their personal information appears in breaches, enable users to freeze or lock their mobile accounts to prevent unauthorized SIM changes, and integrate dark web monitoring with credential rotation strategies, according to DeepStrike and Expert Insights research.

Establish incident response readiness by maintaining relationships with carriers for rapid SIM swap reversal, designating escalation contacts at carriers for emergency account access restoration, maintaining detailed inventory of which accounts are protected by what authentication methods, and creating playbooks for rapid credential rotation if SIM swapping is detected, according to Keepnet Labs.
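One way to use the authentication-method inventory mentioned above: walk it to find every account that falls after a SIM swap, including the cascade through a compromised mailbox. This is an added example, not code from the page's sources; the inventory schema ("reset_via", "mfa", "email:<account>" channels) and the account names are assumptions, and it assumes a password reset does not remove an existing second factor.

```python
from collections import deque

# Constructed sample inventory. "reset_via" lists the channels that can reset
# the password; "mfa" lists the second factors the account accepts at login.
INVENTORY = {
    "personal-email":   {"reset_via": ["sms"], "mfa": ["sms"]},
    "work-email":       {"reset_via": ["email:personal-email"], "mfa": ["fido2"]},
    "bank":             {"reset_via": ["email:personal-email"], "mfa": ["sms"]},
    "crypto-exchange":  {"reset_via": ["email:personal-email"], "mfa": []},
    "cloud-storage":    {"reset_via": ["email:work-email"], "mfa": []},
    "password-manager": {"reset_via": ["codes"], "mfa": ["totp"]},
}

def sim_swap_exposure(inventory):
    """Map each account reachable after a SIM swap to the chain of channels
    that leads to it, starting from attacker control of SMS."""
    controlled = {"sms": []}          # channel -> chain used to obtain it
    exposed = {}
    queue = deque(["sms"])
    while queue:
        channel = queue.popleft()
        for name, acct in inventory.items():
            if name in exposed or channel not in acct["reset_via"]:
                continue
            factors = acct["mfa"]
            # Login succeeds only if the account has no second factor or
            # accepts one the attacker already controls (here: SMS).
            if factors and not any(f in controlled for f in factors):
                continue
            chain = controlled[channel] + [channel]
            exposed[name] = chain
            # A taken-over mailbox becomes a reset channel for other accounts.
            controlled[f"email:{name}"] = chain
            queue.append(f"email:{name}")
    return exposed

if __name__ == "__main__":
    for name, chain in sim_swap_exposure(INVENTORY).items():
        print(f"{name}: {' -> '.join(chain + [name])}")
```

Accounts missing from the result, such as work-email with its FIDO2 key and everything that resets only through it, are outside the blast radius of the phone number.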

FAQs

Can attackers use a SIM swap to access all of my accounts?

A successful SIM swap grants access to any account that uses SMS-based password reset or SMS-based MFA, which includes most email accounts, financial accounts, and social media, according to Bitsight and Keepnet Labs research published in 2025. However, accounts protected by hardware keys using FIDO2 or app-based MFA like Google Authenticator cannot be compromised via SIM swap because they don't rely on SMS delivery.

The cascade effect can be severe. Once attackers control the primary email account typically protected by SMS-based password reset, they can trigger password resets on dozens of connected accounts. Cryptocurrency wallets, bank accounts, social media, cloud storage, and business email all become vulnerable if they use SMS for password reset or 2FA.

This is why security experts emphasize the importance of app-based MFA or FIDO2 hardware keys that remain secure even if the phone number is compromised.

How can I tell if my SIM card was swapped?

Warning signs include complete loss of cellular signal on your phone as the most obvious indication, inability to receive SMS messages or calls, notifications of unsuccessful login attempts from accounts, password change notifications for accounts you didn't modify, cryptocurrency withdrawal alerts from wallets, and email notifications of password resets you didn't initiate, according to SpecOps Soft and DeepStrike research published in 2025.

If you notice any of these signs, immediately contact your carrier to verify whether a SIM swap occurred and reverse it if unauthorized. Change passwords from a secure device like a computer on a known network rather than the phone itself. Enable alternative 2FA methods on critical accounts. Check account activity logs for all financial and email accounts.

The complete loss of signal is the most reliable indicator. If your phone suddenly shows "No Service" or "SOS Only" despite being in an area with normal coverage, and restarting doesn't resolve it, a SIM swap may have occurred.

What personal information do attackers need to perform a SIM swap?

Attackers typically need phone number, full name, date of birth, and sometimes partial SSN or account PIN, according to DeepStrike and Keepnet Labs research published in 2025. This information is often available from public records, social media, or dark web breach databases. A sophisticated attacker armed with this data can convince carriers to perform a SIM swap.

96% of successful SIM swaps involve either effective social engineering or insider collusion. Attackers who have researched the target can reference specific personal details during carrier calls that convince support staff of their legitimacy. Some attackers employ insider accomplices at carriers who bypass verification entirely.

The ease of obtaining this information makes SIM swapping accessible to moderately skilled attackers. Data breaches routinely expose names, dates of birth, phone numbers, and sometimes SSNs. Social media provides employment history, family names, and locations that can be used to answer security questions.

Is it possible to recover a SIM-swapped account?

Yes, but it requires swift action and depends on how thoroughly the attacker secured the account, according to Keepnet Labs and SpecOps Soft research. First, contact your carrier immediately to reverse the SIM swap, which must happen within minutes to hours. Second, use alternative account recovery methods including backup email, security questions, or trusted contacts. Third, change all account passwords from a secure device. Fourth, enable FIDO2 hardware-key MFA to prevent future SIM swaps from granting access.

If the attacker has already reset MFA, changed backup emails, and generated recovery codes, recovery becomes difficult and may require support from the account provider. Time is critical. The faster you detect and respond to a SIM swap, the more likely you can regain control before the attacker establishes persistence.

Many account providers have special procedures for reporting account compromise and proving identity through alternative means. Having account recovery codes stored securely offline before an attack occurs provides a backup path to regain access.

What is the success rate of SIM swapping attacks?

Success rates depend on attack sophistication and carrier defenses, according to DeepStrike and SpecOps Soft research published in 2025. Basic social engineering shows a 20-30% success rate, as most carriers now reject these attempts. Sophisticated social engineering with detailed personal data shows a 40-50% success rate. With insider collusion at the carrier, the success rate exceeds 80%. Against accounts protected by a FIDO2 hardware key, the success rate is 0%, since a SIM swap doesn't help when the MFA factor is a hardware key.

Princeton University research found an 80% success rate for fraudulent SIM swap attempts on the first try against major carriers in pre-2024 testing. Modern carrier defenses implemented following high-profile incidents and legal settlements have reduced this significantly.

The effectiveness of SIM swapping varies by carrier, with some implementing substantially stronger verification procedures than others following the wave of attacks and settlements in 2024-2025.


© 2026 Kinds Security Inc. All rights reserved.
