SIM Swapping Attacks: How They Work and How to Prevent Them
SIM swapping is a form of identity fraud in which an attacker convinces a mobile carrier to transfer a victim's phone number to a SIM card controlled by the attacker. The technique bypasses authentication controls that rely on SMS-based verification, making it one of the most operationally significant threats to account security across banking, cryptocurrency, and enterprise identity systems. This page describes the mechanism, classifies the primary attack variants, and establishes the regulatory and technical boundaries that define how the threat is categorized and addressed within the mobile security landscape.
Definition and scope
SIM swapping — also termed SIM hijacking or SIM porting fraud — exploits the legitimate account management processes that mobile network operators use to reassign phone numbers when customers replace lost or damaged SIM cards. Once a phone number is transferred, any SMS message or voice call sent to that number — including one-time passwords (OTPs) and authentication codes — routes to the attacker's device rather than the legitimate subscriber.
The Federal Trade Commission (FTC) classifies SIM swapping as a category of account takeover fraud, distinct from device theft or malware-based credential compromise, under its consumer protection enforcement framework at 16 CFR Part 314. The Federal Communications Commission (FCC) issued rules effective July 2023 (FCC Report and Order, WC Docket No. 21-341) requiring carriers to implement secure customer authentication procedures before processing SIM changes or number port-outs, addressing a regulatory gap that attackers had exploited for years.
The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) received 2,026 SIM swapping complaints in 2022, reporting adjusted losses exceeding $72 million (IC3 2022 Internet Crime Report). Because mobile phone numbers function as a root authentication factor across financial, healthcare, and enterprise platforms, the threat surface extends far beyond telecommunications into any sector relying on SMS multi-factor authentication.
For the broader classification of mobile-specific threats within cybersecurity frameworks, see the linked page that maps this threat category against established control frameworks.
How it works
A SIM swap attack proceeds through four discrete phases:
- Reconnaissance — The attacker collects personally identifiable information (PII) about the target: full name, address, date of birth, account number, and the last four digits of a Social Security Number. Sources include data broker databases, prior breach dumps, phishing campaigns, and open-source social media profiling.
- Carrier impersonation — The attacker contacts the victim's mobile carrier — either through a retail store, customer service phone line, or online account portal — and poses as the account holder. The attacker presents the collected PII to satisfy identity verification challenges.
- SIM reassignment — Once the carrier representative accepts the fraudulent identity verification, the phone number is ported to a new SIM card or eSIM profile under the attacker's control. The victim's legitimate SIM simultaneously loses network connectivity.
- Account takeover — With the phone number now routing to the attacker's device, the attacker initiates password reset flows or MFA challenges on target accounts — email, banking, cryptocurrency exchanges — receiving all verification codes necessary to complete the takeover.
NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management (NIST SP 800-63B), classifies SMS OTP as a "restricted" authenticator category, specifically noting that phone-number-based verification is vulnerable to SIM swapping and recommending that organizations at higher assurance levels migrate away from it entirely.
Common scenarios
Financial account fraud represents the highest-volume scenario. Attackers target bank accounts, brokerage platforms, and payment applications — particularly those using SMS OTP as the sole second factor. The FTC's data shows that account takeover losses from mobile-enabled fraud disproportionately affect victims aged 40–69 (FTC Consumer Sentinel Network Data Book 2022).
Cryptocurrency theft is the highest-severity scenario by dollar value. Because cryptocurrency wallets and exchange accounts often use phone-number-based recovery, a successful SIM swap can result in irreversible fund transfers. The IC3's 2022 figure of $72 million in reported losses is widely understood to underrepresent actual losses, as cryptocurrency theft frequently goes unreported or is attributed to other fraud categories.
Enterprise credential compromise occurs when an employee's personal phone number is used as an MFA factor for corporate systems — a configuration common in organizations that have not enforced hardware token or authenticator app policies. A SIM swap against an employee with administrative privileges can cascade into a full network compromise, making this scenario a concern under NIST SP 800-53 Rev. 5 controls in the IA (Identification and Authentication) family (NIST SP 800-53 Rev. 5).
Social media and email account hijacking enables follow-on fraud: impersonation of executives, cryptocurrency scams broadcast to large follower bases, or access to email archives containing sensitive documents.
Decision boundaries
The primary classification boundary in SIM swap prevention lies between carrier-side controls and account-holder-side controls — two distinct layers with different ownership and enforcement mechanisms.
Carrier-side controls include: mandatory callback verification to a pre-registered number before processing SIM changes, port freeze or port lock features (available on carriers including AT&T, T-Mobile, and Verizon under their respective account security programs), and the FCC's 2023 requirement that carriers notify customers of SIM change requests via a pre-existing contact method before execution.
Account-holder-side controls operate independently of carrier policy and include: migration from SMS OTP to TOTP authenticator apps (such as those compliant with RFC 6238 from the Internet Engineering Task Force (IETF RFC 6238)) or FIDO2-compliant hardware security keys, use of a dedicated Google Voice or VoIP number for account recovery that is not tied to a SIM card, and enrollment in carrier-offered PIN or passphrase locks that require in-store verification for account changes.
The contrast between these two control layers is operationally significant: carrier-side controls reduce attack surface at the infrastructure level but are not uniformly enforced across all carriers and retail channel employees. Account-holder-side controls reduce the value of a successful SIM swap by removing SMS as an authentication dependency entirely — the approach NIST SP 800-63B explicitly recommends for high-assurance use cases.
Organizations assessing their exposure should inventory the authentication factor dependencies of every critical account, referencing the "how to use this mobile security resource" page for guidance on navigating the relevant control frameworks and service provider categories indexed within this network.