SIM Swapping Attacks: How They Work and How to Prevent Them
SIM swapping — also called SIM hijacking or port-out fraud — is a form of identity theft in which an attacker convinces a mobile carrier to transfer a victim's phone number to a SIM card under the attacker's control. The attack is significant because phone numbers serve as a primary authentication factor across banking, email, and cryptocurrency platforms. The Federal Trade Commission (FTC) and the Federal Bureau of Investigation (FBI) have both documented SIM swapping as a growing vector for account takeover fraud, with the FBI's Internet Crime Complaint Center reporting $68 million in losses attributable to SIM swapping in 2021 alone (FBI IC3 2021 Annual Report). This page covers the mechanism, attack variants, and structural decision boundaries for professionals evaluating exposure and controls in the mobile threat landscape.
Definition and Scope
A SIM swap occurs when the numeric identifier bound to a subscriber's account — the International Mobile Subscriber Identity (IMSI) — is reassigned to a different physical SIM card without the account holder's authorization. The reassignment severs the victim's connectivity and redirects all calls and SMS messages to the attacker's device.
The scope of SIM swapping extends beyond individual consumers. Enterprise employees whose corporate accounts use SMS-based two-factor authentication are equally exposed. The Federal Communications Commission (FCC) issued new rules in 2023 — formalized under 47 CFR Part 64 — requiring carriers to implement more rigorous authentication before processing SIM changes or number ports, acknowledging that carrier-side controls had been insufficient (FCC Report and Order, WC Docket No. 21-341).
Scope classifications relevant to this threat:
- Individual/consumer attacks: Targeting personal banking, social media, or cryptocurrency accounts.
- Enterprise/targeted attacks: Targeting executives, administrators, or employees with privileged account access.
- Port-out fraud (variant): Exploiting number portability rules to transfer a number to a different carrier entirely, rather than swapping SIM cards within the same carrier.
Port-out fraud and SIM swapping are mechanically distinct but produce identical outcomes for the victim — loss of phone number control. The FCC's 2023 rules address both under the same regulatory framework.
How It Works
SIM swapping exploits social engineering vulnerabilities at the carrier level rather than technical vulnerabilities in handsets or operating systems. The attack follows a structured sequence:
1. Reconnaissance: The attacker collects personally identifiable information (PII) about the target — name, address, account number, last four digits of SSN — through phishing, data broker records, prior data breaches, or social media scraping. Mobile phishing and smishing campaigns are a common upstream source of this data.
2. Carrier contact: The attacker contacts the carrier's customer service channel — phone, online chat, or in-store — impersonating the account holder. The attacker presents the collected PII to pass identity verification.
3. Social engineering the representative: The attacker claims the existing SIM was lost, damaged, or that the victim is upgrading to a new device. The representative, if verification steps are inadequate, processes the swap.
4. Number transfer completion: The victim's number is reassigned. The victim loses signal; all inbound calls and SMS now route to the attacker.
5. Account takeover: The attacker triggers password resets on target accounts (email, banking, crypto exchanges) that use SMS-based one-time passwords (OTPs). The OTPs arrive on the attacker's device, enabling full account access.
6. Asset extraction: Funds are transferred, cryptocurrency is moved, or credentials are harvested for resale before the victim identifies the attack.
The entire sequence from step 2 to step 6 can complete in under two hours, which severely compresses the victim's window for detection and response. NIST SP 800-63B (NIST Digital Identity Guidelines) explicitly classifies SMS OTP as a restricted authenticator type, citing SIM swapping as the primary threat to its integrity.
Common Scenarios
Cryptocurrency theft: Cryptocurrency exchanges that rely on SMS-based 2FA are a primary target. Because blockchain transactions are irreversible, asset recovery after a SIM swap is structurally impossible without exchange cooperation. The FBI's IC3 has received reports of individual losses exceeding $100,000 in single cryptocurrency SIM swap incidents.
Executive account compromise: High-value corporate targets — C-suite executives, IT administrators, finance officers — are targeted for business email compromise (BEC) follow-on attacks. The attacker gains access to corporate email, then initiates fraudulent wire transfers or harvests credentials. This scenario intersects with mobile security for remote workers and enterprise authentication policy.
Political and activist targeting: Journalists, activists, and political operatives have been targeted via SIM swapping to access encrypted messaging accounts (Signal, WhatsApp) or to intercept sensitive communications. These attacks are documented in reports from the Electronic Frontier Foundation (EFF).
Insider-assisted SIM swaps: A distinct and more difficult-to-prevent variant involves carrier employees who are bribed or coerced into processing unauthorized SIM swaps without a social engineering call. The FTC has documented insider-facilitated cases; the FCC's 2023 rules specifically address this by requiring carriers to implement internal controls and audit logging for SIM change requests.
Decision Boundaries
Understanding the structural boundaries between SIM swapping and adjacent threats clarifies defensive priorities:
| Attack Type | Primary Vulnerability | Carrier Involvement | Victim Device Compromised |
|---|---|---|---|
| SIM Swapping | Carrier authentication | Yes (deceived) | No |
| SIM Cloning | Physical SIM access | No | Requires physical access |
| SS7 Attack | Telecom network protocol | No | No |
| Mobile Malware | Device OS/app layer | No | Yes |
SIM swapping differs from SS7 protocol attacks in that SS7 exploits require technical access to telecom signaling infrastructure, while SIM swapping requires only social engineering. SIM cloning requires physical possession of the victim's SIM card. This means SIM swapping has the lowest technical barrier of the three and the highest volume at scale.
Mitigation decision points structured by control layer:
- Carrier-side controls: Account PINs, verbal passwords, number lock features (offered by T-Mobile, AT&T, and Verizon under varying names), and port freeze options. These are the highest-leverage controls because they interrupt the attack at step 2.
- Authentication layer: Replacing SMS OTP with hardware security keys (FIDO2/WebAuthn) or authenticator apps eliminates the utility of a successful SIM swap for most account takeover scenarios. NIST SP 800-63B recommends this substitution explicitly.
- Account monitoring: Carrier notification alerts for SIM changes, combined with financial account monitoring for unauthorized password reset activity, reduce dwell time.
- Credential hygiene: Reducing the PII surface available for reconnaissance — opting out of data brokers, limiting social media exposure — degrades the quality of data the attacker can collect in step 1.
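One way to implement the account-monitoring control above, as an added example that is not code from the original page: it correlates carrier SIM-change notifications with SMS-OTP password resets on the same number inside the two-hour attack window described earlier. The event schema, field names and sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real data). Field names are assumptions:
# "sim_change" stands for a carrier SIM-change notification, "password_reset"
# for an application log entry that records which factor approved the reset.
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "type": "password_reset", "phone": "+15550100", "account": "alice@mail", "method": "sms_otp"},
    {"ts": "2024-03-01T10:02:00", "type": "sim_change", "phone": "+15550100"},
    {"ts": "2024-03-01T10:20:00", "type": "password_reset", "phone": "+15550100", "account": "alice@mail", "method": "sms_otp"},
    {"ts": "2024-03-01T10:41:00", "type": "password_reset", "phone": "+15550100", "account": "alice@exchange", "method": "sms_otp"},
    {"ts": "2024-03-01T10:50:00", "type": "password_reset", "phone": "+15550100", "account": "alice@bank", "method": "webauthn"},
    {"ts": "2024-03-01T11:00:00", "type": "password_reset", "phone": "+15550199", "account": "bob@mail", "method": "sms_otp"},
    {"ts": "2024-03-01T13:30:00", "type": "password_reset", "phone": "+15550100", "account": "alice@shop", "method": "sms_otp"},
]

WINDOW = timedelta(hours=2)  # matches the "under two hours" timeline in the text


def correlate(events, window=WINDOW):
    """Return alerts for SMS-OTP resets that follow a SIM change on the same number."""
    last_swap = {}  # phone -> time of the most recent SIM change
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "sim_change":
            last_swap[ev["phone"]] = ts
        elif ev["type"] == "password_reset" and ev["method"] == "sms_otp":
            swap_ts = last_swap.get(ev["phone"])
            # Only resets after the swap and inside the window are flagged;
            # resets approved by a non-SMS factor do not depend on the phone
            # number and are skipped.
            if swap_ts is not None and ts - swap_ts <= window:
                alerts.append({
                    "account": ev["account"],
                    "phone": ev["phone"],
                    "minutes_after_swap": int((ts - swap_ts).total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The reset that precedes the SIM change, the WebAuthn-approved reset, and the reset outside the window produce no alert; widening `window` trades fewer missed slow takeovers for more noise.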
The FTC maintains a consumer complaint database and guidance on SIM swap fraud under its identity theft resources (FTC IdentityTheft.gov). Professionals assessing organizational exposure should also reference mobile security compliance frameworks relevant to US regulations and evaluate authenticator policy against NIST 800-63B restricted authenticator guidance.
References
- FBI Internet Crime Complaint Center (IC3) 2021 Annual Report
- FCC Report and Order on SIM Swapping and Port-Out Fraud, WC Docket No. 21-341
- NIST Special Publication 800-63B: Digital Identity Guidelines — Authentication and Lifecycle Management
- Federal Trade Commission — IdentityTheft.gov SIM Swap Resources
- Electronic Frontier Foundation (EFF) — SIM Hijacking Documentation
- FTC Consumer Information on SIM Card Swapping