SIM Swap Fraud: How It Works and How to Detect Mobile Number Hijacking

Your mobile phone number is not just for receiving calls and SMS messages. It has become the master key to your online life. Companies use your phone number to verify your account login, banks use your phone number to verify your account access via mobile apps, and cryptocurrency exchanges use your phone number to verify your high-value account access. When a vulnerability is found in the telecom security architecture, it can be exploited within seconds to compromise an individual’s or organization’s entire online presence.

For a long time, a mobile number was used for calls and messages. Recently, it has become the ‘master key’ for accessing other online services, ranging from business email accounts to financial services online and even more valuable online services like cryptocurrencies. As already mentioned above, a large part of the global security architecture is based upon the telecoms network for identification purposes. Therefore, a single vulnerability in the telecoms network can easily be used to compromise an individual’s or organization’s online services within a matter of seconds.

SIM swap fraud differs from other types of cybercrime in that what is exploited is primarily human error or a failure in a telecom operator's process. Rather than the traditional intrusion in which a hacker penetrates firewalls and bypasses layers of security software, the attacker gathers personal details, mostly by social engineering, and then ports the victim's mobile number to a new SIM card (physical or eSIM) under their own control. Immediately after the port, the new SIM receives the victim's incoming calls and messages, and the victim's old device appears to be disconnected. Since the attacker now possesses the mobile number, they receive the One-Time Passcodes (OTPs) sent via SMS to that number for services such as logging into web applications, transferring funds online or even withdrawing cash from an ATM.

The adoption of entirely digital eSIMs within mobile devices continues to facilitate rapid attacks on consumers’ mobile phone numbers, where prior to eSIMs, number port requests would have typically required a visit to a retail store, albeit temporarily. Moreover, the effects of having a number hijacked and then being unable to recover any funds that were subsequently moved to blockchain and other digital financial service providers, in near real time and mostly irrevocably continue to heighten in severity as billions of dollars are being transferred via the various new services emerging.

The following topics are going to be covered in this article:

  1. What Is SIM Swap Fraud?
  2. The Attack Chain
  3. Why SMS 2FA is the Vulnerability
  4. The eSIM Acceleration
  5. The Crypto Connection
  6. Carrier-Side Detection
  7. Bank/Fintech-Side Detection
  8. Regulatory Direction
  9. Victim Recovery
  10. How Sanction Scanner Helps

1. What is SIM Swap Fraud?

Fraudulent activity of this nature is typically categorized as identity theft and is focused on the user’s subscription profile rather than the actual device in question. With that in mind, it is first necessary to outline the role of the Subscriber Identity Module (SIM), traditionally a small plastic card though it has more recently been implemented as software to form a profile (e.g. eSIM) on users' devices. The SIM card holds the unique International Mobile Subscriber Identity (IMSI) number, which is used by the cellular network to identify the subscriber associated with a specific telephone number (account).

In normal circumstances, a SIM Swap would occur for a customer, for example, when they purchase a new phone, require an upgrade to their current package or have had a device stolen/lost and require a replacement SIM card to be posted out to them. In the meantime, the telco would update their central database of customers to change the current SIM card to the new SIM card details, mapping the new SIM card to the current mobile phone number.

This type of attack is often perpetrated by someone who has gathered sufficient personal data about an individual to convincingly deceive a customer service representative into believing that they are the real owner of a subscription. A fraudster does not need to physically enter the owner's premises or copy their hard drive in order to gain access. The fraudster asks for an emergency SIM swap, which the customer service representative may activate without requiring any further verification. The moment the SIM is activated on the fraudster's new device, the real owner's device will lose all cellular services. From this point onwards, all calls, text messages (except MMS) and SMS-based 2FA alerts will be diverted to the fraudster's device.

2. The Attack Chain

Fraudsters engage in SIM swap (port-out) fraud as part of an organized attack chain. Typically, they first start collecting open source intelligence about their target, in order to create a profile of the victim. The various steps involved in a typical SIM swap attack follow a four-phase approach:

Phase A - Reconnaissance: A SIM swap fraud attack begins with a reconstruction of a target victim's profile from past data breaches, or even the scraping of public social media profiles. The attacker gathers sufficient information about the target, such as full name, date of birth, physical address, and the name of their mobile phone service provider. Once the name of the mobile phone service provider of the victim is known, the attacker can move on to the next phase.

Phase B - Carrier Engineering: Using this information, the fraudster rings up the victim's mobile phone provider and pretends to be the legitimate owner of the phone number. Fraudsters thrive in chaotic customer service environments where staff are frequently off on stress leave. The fraudster will make up a story that requires immediate action from the customer service staff, such as being stranded at an airport with a broken phone and needing to switch the phone number to another phone immediately. In more sophisticated cases, the scammer may actually send a syndicate member into a retail store of the victim's mobile phone provider and bribe a low-paid customer service staff member to port the number to another phone.

Phase C - Number Portation: The service provider's employee or the paid insider will complete the porting of the telephone number to the perpetrator's SIM card or to an eSIM profile provisioned on the perpetrator's device. This portation will instantly and irrevocably remove the victim's physical telephone device from the lists of cellular subscribers who are able to receive calls and send SMS to that number. Instead, the victim's telephone device will instantly and silently switch to SOS Only mode, displaying the message "No Service".

Phase D - Account Takeover: The attacker begins the account takeover by starting the "Forgot Password" flow on online services such as banking, work accounts and social media accounts. They then complete the takeover by receiving the password reset links or one-time passwords (OTPs) that those services send via SMS to the newly ported SIM card, since control of the phone number now rests with the attacker.

3. Why SMS 2FA is the Vulnerability

For over a decade, 2FA via Short Message Service (SMS 2FA) was considered to be a mass-market implementable security solution. For many years it was possible to implement SMS 2FA as a service without having to teach end users to download any software. It worked on all sorts of mass-market handsets globally, it was low-friction to implement and very easy to use. But SMS 2FA treats a communication channel as an identity layer.

As early as 2017, NIST recognized the inherent problem with SMS 2FA in their SP 800-63 Digital Identity Guidelines. In these guidelines, NIST formally restricts SMS-based out-of-band authentication, pointing out that the public switched telephone network (PSTN) is by nature subject to interception, rerouting, and social engineering.

However, despite NIST's explicit warnings regarding SMS 2FA, the practice has become a deeply ingrained operational model for a large number of organizations operating in the retail banking, fintech and enterprise spaces. The vast majority of organizations rely on SMS 2FA as either their primary authentication method or as the default method for account recovery. This leaves these organizations locked in a cycle of ongoing operational pain as they attempt to balance the requirement for high levels of security with the requirement for high levels of accessibility to customers.

4. The eSIM Acceleration

Over the past few years, the physical plastic SIM card has gradually given way to the more consumer-friendly embedded SIM (eSIM). No longer do consumers have to keep searching for that small SIM card tray and using a paperclip to open it. Instead, they can easily switch between carriers or activate an international data plan whilst traveling abroad, all from within their device's settings. But all is not rosy in this new world of eSIMs, as it has also brought about new risks around mobile number hijacking.

Because eSIM activation is fully digital (e.g. via QR code, app or over-the-air on a mobile device), it removes a critical physical friction point that would have otherwise hindered a malicious actor in the past.

The Physical Barrier has been removed: In the past, the thief would have had to physically go to a store and obtain a duplicate of the SIM card. He would have been seen by security cameras. He would have needed a physical copy of the ID of the owner.

The Velocity of Attack: An attacker who compromises a carrier's account information or tricks a remote carrier agent can download and activate the new eSIM profile on a device located anywhere in the world in under a minute. This type of attack is now instantaneous, fully remote, and highly scalable.

Major global carriers, recognizing the operational vulnerability, have introduced stricter verification controls when provisioning an eSIM remotely over the air. In their security frameworks, a 'step-up' in authentication is mandated for such remote provisioning of an eSIM. This can, for instance, involve a face-to-face biometric verification using the camera of the user's smartphone, a verification pin sent to a pre-registered email address (e.g. a backup email address) and left active for a short period of time to be entered by the user remotely, or a short delay (e.g. a few minutes) to allow for a face-to-face verification with a retail store employee (if available) prior to activation of the eSIM profile.

5. The Crypto Connection

As outlined previously, the primary purpose behind hijacking a mobile number is to use the related email address in order to gain control over the account(s) associated with it, most notably cryptocurrency exchange accounts (i.e. digital wallets). The largest exchanges continue to suffer from the effects of SIM swapping (not to be confused with porting).

Traditional wire transfers can usually be recalled, frozen or even reversed if detected in time. Bitcoin and other digital currencies, however, are by their very nature irreversible once sent. A single mis-click or moment of haste can result in permanent loss of value.

The typical attack ecosystem moves like a cascade:

Successful SIM Swap ➔ Email Account Takeover ➔ Crypto Exchange Takeover ➔ Asset Liquidation & Drain

The FBI's Internet Crime Complaint Center (IC3) includes SIM-swapping in its list of threats to holders of digital assets. The center reports that complaints of SIM-swapping have decreased in terms of raw numbers thanks in part to the enhanced verification processes employed by major global carriers, but the impact on the holders of the digital assets in question remains significant. For example, the IC3's 2024 Internet Crime Report recorded nearly 1,000 formal complaints of SIM-swapping filed with the agency, resulting in over $25.9 million in reported losses.

The gateway to these crypto losses is almost always an Account Takeover (ATO) of the victim's primary email address. As explored in our comprehensive analysis of Account Takeover Fraud, an email account serves as the cornerstone of digital identity. By resetting the email password via an SMS token, the fraudster gains the ability to bypass email notifications from the crypto exchange, silence automated security warnings, and ultimately authorize the final outbound transfer of digital assets to un-hosted private wallets.

  1. SEC Official X Account Hijacking (January 2024)

The attackers completed a SIM swap on the phone number associated with the official U.S. SEC X account. They published a fake announcement of approval for a Bitcoin ETF that resulted in extreme price volatility worldwide.

  2. The Arrest of Eric Council Jr. (October 2024)

The FBI arrested 25-year-old Eric Council Jr. for using a fraudulent ID at a cell phone store to port the victim's line in the high-profile SEC SIM-swapping conspiracy.

  3. The $400 Million FTX Drain Indictment (February 2024)

A federal indictment unveiled in February 2024 detailed how the "Powell Gang" had conducted a SIM swap on the AT&T account of an FTX employee in order to steal over $400 million while the cryptocurrency exchange was teetering on the brink of collapse.

  4. Vitalik Buterin's X Account Breach

Some miscreants gained access to Ethereum co-founder Vitalik Buterin's X profile after a SIM swap of a T-Mobile line associated with him, then sent a phishing link to his followers that drained $690,000.

6. Carrier-Side Detection

SIM swapping starts within the mobile telecommunications infrastructure. Therefore, it is within the mobile network operators' (MNOs) sphere of influence to implement necessary measures to prevent a number from being disabled by fraudulent SIM swapping. The way that SIM changes were managed as customer service issues in the past is no longer relevant and MNOs must put in place necessary controls to manage SIM swapping issues in order to detect and prevent fraudulent activity before a number is disabled.

Strict Identity Verification & In-Person Protocols

Move away from knowledge-based authentication (such as your mother's maiden name or billing address) and introduce strict identity verification for high-risk account actions (for example, requesting a physical SIM replacement or activating an eSIM profile). High-assurance verification can take place in a physical retail store, where customers present government-issued photo identification. Carriers can leverage physical ID scanners, which are able to read relevant information from ID documents, and later in the process use cryptographic remote verification methods, which cross-match customers' live biometrics against databases of issued identification.

Forced Dual-Ping and Verification Windows

SIM swapping can also trigger a dual-ping and verification window. Before a carrier processes the porting of a number to a new IMSI, its systems must issue a pre-swap notification to the number while it is still active on the existing SIM. The pre-swap notification is sent immediately as an SMS and as a push notification to all short-code and long-code mobile applications, including financial institutions' mobile applications. The notification should contain a single button to confirm the port of the number to the new IMSI, or to reject the request if it is a fraudulent attempt to move the number to a new SIM.

Cooling-Off Periods and Telemetry Anomaly Monitoring

A newly swapped SIM is a very volatile asset for carriers, and a strict 24-to-48-hour cooling-off period for the newly activated line, during which that line cannot receive automated short-code SMS notifications from financial institutions, is widely recommended and is critical to mitigating damage. Additionally, the telecom's internal systems should include behavioral analytics that alert on anomalies such as a password reset on an account followed immediately by an emergency eSIM download request from a completely different IP geolocation (e.g. US vs. China).
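The two carrier-side controls described in this section, the post-swap cooling-off rule and the reset-then-eSIM anomaly alert, are shown below as a small worked example. This is added example code, not code from the original article or from any carrier's fraud system; the event schema, the account ids and the telemetry rows are constructed for illustration, and the 30-minute correlation window and 24-hour cooling-off value are assumptions chosen to match the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CarrierEvent:
    """One row of (constructed) carrier account telemetry."""
    ts: datetime
    account: str
    kind: str      # "login", "password_reset", "esim_download", "sim_swap"
    country: str   # geolocation of the IP that made the request


# Constructed sample telemetry, not real carrier data. acct-1 shows the
# pattern from the text: a password reset followed minutes later by an
# eSIM download from a different country, then the swap itself.
SAMPLE_EVENTS = [
    CarrierEvent(datetime(2025, 3, 1, 9, 0), "acct-1", "login", "US"),
    CarrierEvent(datetime(2025, 3, 1, 9, 5), "acct-1", "password_reset", "US"),
    CarrierEvent(datetime(2025, 3, 1, 9, 7), "acct-1", "esim_download", "CN"),
    CarrierEvent(datetime(2025, 3, 1, 9, 8), "acct-1", "sim_swap", "CN"),
    CarrierEvent(datetime(2025, 3, 1, 10, 0), "acct-2", "password_reset", "GB"),
    CarrierEvent(datetime(2025, 3, 1, 18, 0), "acct-2", "esim_download", "GB"),
]

# Points in time used by the demo below (constructed).
T_DURING_COOLING_OFF = datetime(2025, 3, 1, 12, 0)   # ~3 h after acct-1's swap
T_AFTER_COOLING_OFF = datetime(2025, 3, 2, 12, 0)    # ~27 h after acct-1's swap


def find_reset_then_esim_anomalies(events, window=timedelta(minutes=30)):
    """Return (account, reset_ts, esim_ts, reset_country, esim_country) for
    every password reset followed within `window` by an eSIM download whose
    request geolocation differs from the reset's."""
    by_account = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_account.setdefault(e.account, []).append(e)

    alerts = []
    for account, evs in by_account.items():
        for i, e in enumerate(evs):
            if e.kind != "password_reset":
                continue
            for later in evs[i + 1:]:
                if later.ts - e.ts > window:
                    break   # events are time-sorted, nothing later can match
                if later.kind == "esim_download" and later.country != e.country:
                    alerts.append((account, e.ts, later.ts, e.country, later.country))
    return alerts


def last_sim_swap(events, account):
    """Timestamp of the most recent SIM/eSIM swap on the account, or None."""
    swaps = [e.ts for e in events if e.account == account and e.kind == "sim_swap"]
    return max(swaps) if swaps else None


def may_deliver_short_code_sms(events, account, now, cooling_off=timedelta(hours=24)):
    """Cooling-off rule: automated short-code SMS (bank OTPs, reset links) is
    withheld from a line whose SIM changed less than `cooling_off` ago."""
    swapped_at = last_sim_swap(events, account)
    if swapped_at is None:
        return True
    return now - swapped_at >= cooling_off


if __name__ == "__main__":
    for alert in find_reset_then_esim_anomalies(SAMPLE_EVENTS):
        print("ALERT reset->eSIM geolocation mismatch:", alert)
    for t in (T_DURING_COOLING_OFF, T_AFTER_COOLING_OFF):
        print(t, "deliver short-code SMS to acct-1:",
              may_deliver_short_code_sms(SAMPLE_EVENTS, "acct-1", t))
```

In a real deployment the `may_deliver_short_code_sms` check would sit in the SMS routing path for short-code senders, and the anomaly detector would run as a streaming rule over the account-management audit log rather than over an in-memory list; the decision logic is the same.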

7. Bank/Fintech-Side Detection

When it comes to securing financial transactions via mobile, it is a fact of life that the carrier controls the pipe (i.e. the mobile network) but it is the financial institution that suffers the loss of funds (and subsequent brand damage) as a result of account takeover. This is a losing strategy for all involved and the focus for detection should be independent of the carrier's ability to secure their own network.

Leveraging Standardized Network APIs (GSMA Open Gateway & CAMARA)

In the face of account takeovers, the biggest leap in financial anti-fraud infrastructure will be the global adoption of network APIs in financial institutions' risk engines, provided by the telecom companies over the standardized GSMA Open Gateway or the open-source CAMARA project. These APIs will allow the financial institutions' risk engines to interrogate the mobile network of the telecom company in real-time before executing high-risk actions on the financial services provided to the customer over the mobile channel.

For financial services companies, the ideal is to check in real time for a recent SIM swap event via the SIM Swap API whenever a user, whether a retail customer or a business account holder, performs a high-risk action such as a high-value fund transfer, a password reset or a profile update. The API call returns the date and time at which the specified mobile number was last paired with a new SIM card.

Financial Activity Cool-Downs and Behavioral Safeguards

If a SIM swap has occurred within a specified risk window (e.g. the last 24 hours), implement a temporary cool-down period that lets the institution's risk detection systems relearn the account's mobile activity. Transactions such as password changes, daily limit increases and high-value wire transfers are blocked during this time, while account logins and general account viewing remain active, so customers can still service their accounts as normal.
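The bank-side decision described across the last few paragraphs (query the SIM Swap API, apply a risk window, block high-risk actions during the cool-down but keep login and viewing available, and stop trusting SMS OTPs while the swap is recent) is shown below as a worked example. This is added code, not the article's or any vendor's; the API client is an offline stub whose response shape I assume follows the CAMARA SimSwap `retrieve-date` operation (a `latestSimChange` timestamp), and the phone numbers, timestamps, action names and 24-hour window are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RISK_WINDOW = timedelta(hours=24)
HIGH_RISK_ACTIONS = {"password_change", "limit_increase", "high_value_wire"}
LOW_RISK_ACTIONS = {"login", "view_balance", "view_statements"}


class StubSimSwapClient:
    """Offline stand-in for the carrier's SIM Swap API. Assumption: the
    response shape is modelled on the CAMARA SimSwap retrieve-date operation,
    which returns the timestamp of the latest SIM change for a phone number."""

    def __init__(self, latest_change_by_number):
        self._data = latest_change_by_number

    def retrieve_date(self, phone_number):
        return {"latestSimChange": self._data.get(phone_number)}


# Constructed test data: one number swapped ~3 h before SAMPLE_NOW, one swapped
# a month earlier, and any other number has no change on record.
SAMPLE_NOW = datetime(2025, 3, 1, 12, 0, tzinfo=timezone.utc)
CLIENT = StubSimSwapClient({
    "+15550100": "2025-03-01T09:08:00+00:00",
    "+15550199": "2025-02-01T08:00:00+00:00",
})


@dataclass(frozen=True)
class Decision:
    outcome: str           # "allow" or "block"
    sms_otp_allowed: bool  # whether an SMS code may still be used for this action
    reason: str


def recent_sim_change(client, phone_number, now, window=RISK_WINDOW):
    """True if the carrier reports a SIM change inside the risk window."""
    latest = client.retrieve_date(phone_number).get("latestSimChange")
    if not latest:
        return False
    return now - datetime.fromisoformat(latest) < window


def evaluate(action, phone_number, client, now, window=RISK_WINDOW):
    """Risk-engine decision for one customer action on the mobile channel."""
    swapped = recent_sim_change(client, phone_number, now, window)
    if not swapped:
        return Decision("allow", True, "no SIM change inside the risk window")
    if action in LOW_RISK_ACTIONS:
        # Logins and viewing stay available, but SMS is no longer trusted.
        return Decision("allow", False,
                        "recent SIM change: SMS OTP disabled, step-up via passkey or device-bound push")
    # High-risk actions, and anything unclassified, fail closed during the cool-down.
    return Decision("block", False,
                    f"recent SIM change within {window}: action held for the cool-down period")


if __name__ == "__main__":
    for action, number in [("high_value_wire", "+15550100"), ("view_balance", "+15550100"),
                           ("high_value_wire", "+15550199"), ("password_change", "+15550000")]:
        print(action, number, evaluate(action, number, CLIENT, SAMPLE_NOW))
```

Two design points worth noting: an action the engine does not recognise is treated as high-risk rather than low-risk, so a new feature cannot silently bypass the cool-down, and the `sms_otp_allowed` flag is computed even for allowed actions, so the authentication layer can switch to a non-SMS step-up as soon as the carrier reports a recent change.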

Step-Up Authentication and the Sunset of SMS

When a network anomaly or recent SIM change has occurred, all SMS-based authentication is bypassed and the highest level of Step-Up Authentication is triggered instead.

Device-Bound Push Notifications: Approval prompts delivered to the bank's own mobile app, using secure tokens embedded in the app and protected by the device's hardware container.

FIDO2 WebAuthn / Passkeys: Public-key authentication unlocked by on-device biometrics (e.g. Face ID, fingerprint); the private key never leaves the device, so the credential cannot be intercepted over the air.

Hardware Authenticator Apps: One-time password (TOTP) codes generated locally by sandboxed authentication apps, avoiding the risks associated with cellular networks.

8. Regulatory Direction

Regulatory bodies around the globe have turned voluntary industry guidelines into binding regulations. With the volume and financial loss from mobile number hijacking increasing rapidly, it was only a matter of time before the era of treating SIM swaps as just another customer service feature came to an end.

The United States (FCC Framework): The Federal Communications Commission (FCC) has just finalized its comprehensive Report and Order on Protecting Consumers from SIM-Swap and Port-Out Fraud. The framework amends the rules governing Customer Proprietary Network Information (CPNI) and Local Number Portability (LNP) within the FCC Framework for wireless providers. For example, wireless providers must implement more secure methods of authentication for service transfers, notify customers prior to completion of a request for a new SIM card, and allow customers to place their accounts on "freeze" for free to prevent unauthorized ports.

The UK (Ofcom and FCA): Ofcom tightened its Calling Line Identification (CLI) rules in January 2025 to block calls from abroad that spoof UK numbers. In parallel, the FCA's FG24/6 and PS24/17 require payment service providers to incorporate telecom-risk intelligence such as recent SIM-swap flags into their fraud decision engines, encouraging carrier-to-bank data sharing through initiatives like the GSMA Open Gateway and the Telecommunications Fraud Sector Charter.

The European Union (eIDAS 2.0 Integration): As the eIDAS framework evolves, so too does the pressure placed on financial entities to move away from unencrypted telecoms channels for high-risk transactions. Instead, today, there is great incentive to utilize verified digital wallets, combined with qualified electronic signatures that are cryptographically tied to those wallets. SMS interception will become less viable for transaction authorization in financial services as the EUDI Wallet rollout progresses toward the end-2027 compliance deadline.

9. Victim Recovery

A SIM swap attack can become a nightmare for victims when the attack succeeds in bypassing the first line of defense of both the carrier and the fintech infrastructure of the respective companies involved. A complex process of recovery has to start quickly, in a multi-party environment, where several industries are involved.

Step 1: Carrier Reversal and Line Containment

In cases of SIM swap fraud, the first step to resolving the issue would be to have the cellular signal returned to you. This would involve contacting your carrier over a secure line (i.e. by visiting a local retail branch in person or by calling from a verified landline). The operator would then reverse the activation of the SIM/eSIM in question and provision a new token to a physical device (e.g. a dedicated mobile phone) that you can confirm is your own.

Step 2: Account Access Recovery & Token Revocation

In this process, the victim, or their support team, will need to log out of all web email account sessions established during the account hijack. Also, within these sites' security settings the "trusted devices" that were added by the fraudster during the hijacking will need to be removed.

Step 3: Financial Institution Coordination

Financial institutions must immediately freeze the accounts to prevent any further outgoing transactions. They must then be able to determine whether the transactions that a fraudster conducted using a hijacked account are in line with the normal behavior of that account's owner, based on the account's historical activity. In order to make this determination, the financial institution's forensic team must analyze the session data from the hijacked accounts to see if they can determine the device fingerprint from the fraudulent login sessions in order to compare them with the legitimate behavior of the account owner.
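The session-log comparison this step describes, separating the owner's historical behavior from activity after the carrier-reported SIM change and flagging sessions whose device fingerprint or geolocation was never seen before, is shown below as a worked example. This is added example code, not the article's or any institution's forensic tooling; the session schema, fingerprint strings, countries, transaction ids and the swap timestamp are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Session:
    """One authenticated session from the bank's session log (constructed)."""
    ts: datetime
    session_id: str
    device_fp: str        # device fingerprint computed by the mobile app / web SDK
    country: str          # geolocation of the session's IP
    transactions: tuple   # ids of transactions initiated during the session


# Constructed sample data. The carrier reported the SIM change at SWAP_AT;
# everything before that is treated as the owner's legitimate baseline.
SWAP_AT = datetime(2025, 3, 1, 9, 8)
SAMPLE_SESSIONS = [
    Session(datetime(2025, 2, 10, 8, 0), "s1", "fp-iphone-A", "US", ()),
    Session(datetime(2025, 2, 20, 19, 30), "s2", "fp-iphone-A", "US", ("tx-100",)),
    Session(datetime(2025, 2, 27, 12, 0), "s3", "fp-laptop-B", "US", ()),
    Session(datetime(2025, 3, 1, 9, 20), "s4", "fp-android-Z", "CN", ("tx-201", "tx-202")),
    Session(datetime(2025, 3, 1, 11, 0), "s5", "fp-laptop-B", "US", ("tx-203",)),
]


def baseline(sessions, swap_at):
    """Device fingerprints and countries seen before the SIM change."""
    before = [s for s in sessions if s.ts < swap_at]
    return {s.device_fp for s in before}, {s.country for s in before}


def suspicious_sessions(sessions, swap_at):
    """Post-swap sessions that deviate from the baseline, with the reasons."""
    known_fps, known_countries = baseline(sessions, swap_at)
    flagged = []
    for s in sessions:
        if s.ts < swap_at:
            continue
        reasons = []
        if s.device_fp not in known_fps:
            reasons.append("unseen device fingerprint")
        if s.country not in known_countries:
            reasons.append("unseen country")
        if reasons:
            flagged.append((s, reasons))
    return flagged


def transactions_to_review(sessions, swap_at):
    """Transaction ids initiated from flagged sessions, in log order."""
    return [tx for s, _ in suspicious_sessions(sessions, swap_at) for tx in s.transactions]


if __name__ == "__main__":
    for s, reasons in suspicious_sessions(SAMPLE_SESSIONS, SWAP_AT):
        print(s.session_id, s.device_fp, s.country, reasons)
    print("transactions to review:", transactions_to_review(SAMPLE_SESSIONS, SWAP_AT))
```

Session s5 in the sample shows why the comparison is against the baseline rather than a blanket "everything after the swap": the owner logging in from their usual laptop after the incident is not flagged, while the session from an unseen device in an unseen country, and only the transactions it initiated, go to the review queue.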

Step 4: Law Enforcement and Regulatory Reporting

It is critical to report fraud incidents, especially those that involve organized crime such as SIM swapping, to cybercrime units such as the IC3 at the FBI as well as local and national cyber security centers. These reports support insurance claims, help establish liability (including possible collusion by employees at retail telecom locations involved in the fraud), and assist financial institutions and other online service providers in recovering lost funds.