SIM-swapping fraud
SIM swap fraud involves criminals transferring a victim's phone number to a device they control, often by social engineering a mobile carrier, allowing them to intercept one-time verification codes and take over bank, email, and cryptocurrency accounts protected by SMS-based authentication.
What we know
SIM swap fraud, also called SIM hijacking or SIM jacking, occurs when a criminal convinces a mobile carrier to transfer a victim's phone number to a new SIM card that the criminal controls, or to activate an eSIM under the attacker's control, effectively hijacking the victim's phone service. Once the number is transferred, calls and text messages intended for the victim, including one-time passcodes sent via SMS for two-factor authentication, are instead delivered to the attacker's device, giving them the ability to reset passwords and take over email, banking, and cryptocurrency accounts that rely on text message verification.
Attackers typically gather personal information about a target beforehand, often through data breaches, social media research, or prior phishing, and then contact the victim's mobile carrier, either by phone or occasionally by bribing or socially engineering a carrier employee, claiming to be the account holder and requesting the number be moved to a new device due to a supposedly lost or damaged phone. Some documented cases, including prosecutions covered by the U.S. Department of Justice, have involved insiders at mobile carriers accepting bribes to perform unauthorized SIM swaps directly.
The FBI's Internet Crime Complaint Center has tracked a significant rise in SIM swapping complaints and associated financial losses over the past several years, with cryptocurrency theft representing a particularly large share of reported losses, since cryptocurrency transactions cannot typically be reversed once completed, unlike some bank transfers that may be recoverable if reported quickly. High-profile cases have included the hijacking of prominent individuals' social media and email accounts, including a widely reported 2019 incident in which Twitter's own chief executive at the time had his Twitter account taken over via a SIM swap.
The underlying vulnerability that makes SIM swapping effective is the widespread reliance on SMS text messages as a second authentication factor, a method that security researchers, including guidance published by the National Institute of Standards and Technology, have identified as weaker than app-based or hardware-based authentication methods precisely because it depends on the security of the mobile carrier's account verification process rather than a factor entirely under the user's control.
Mobile carriers have responded by offering additional account security options, including PIN codes or passphrases required before any changes can be made to an account, and enhanced identity verification steps for SIM transfer requests. Consumer protection guidance from the FTC and the FBI recommends setting a unique PIN with one's mobile carrier, avoiding the use of SMS text messages as the sole two-factor authentication method for sensitive accounts such as banking and cryptocurrency exchanges where possible, and using authenticator apps or hardware security keys instead, which are not vulnerable to interception via a SIM swap because they do not depend on the mobile carrier's network at all. Signs of a SIM swap in progress include a sudden and unexpected loss of cellular service or an inability to make calls or send texts, which security experts recommend investigating immediately with one's carrier rather than assuming it is a routine network problem.
Common claims
- SMS two-factor authentication is fully secureFalse - SMS codes can be intercepted via SIM swap; app-based or hardware MFA is stronger
- SIM swapping requires hacking the carrier's serversFalse - usually done through social engineering of customer service staff
- Setting a carrier PIN prevents SIM swap attacksMostly true - a strong PIN significantly raises the bar for attackers

