All termsFraudIntermediateUpdated April 22, 2026

What Is SIM Swap Scam?

A SIM swap scam occurs when a fraudster convinces a mobile carrier to transfer a victim's phone number to a SIM card under their control, enabling interception of SMS-based one-time passwords to hijack financial accounts.

Also known as: SIM hijacking, SIM jacking, port-out scam, phone number hijacking

Key Takeaways

  • SIM swap scams bypass SMS-based two-factor authentication by hijacking the victim's phone number at the carrier level.
  • Fraudsters use social engineering to trick mobile carriers into transferring a phone number to an attacker-controlled SIM card.
  • FBI IC3 data shows losses from SIM swap fraud exceeded $68 million in 2021, up more than 400% from the prior year.
  • App-based authenticators and FIDO2 hardware keys eliminate SIM swap risk; SMS OTP does not.
  • Merchants processing high-value transactions should integrate real-time phone intelligence APIs to detect recent SIM changes before authenticating users.

How SIM Swap Scam Works

A SIM swap scam unfolds through a series of deliberate steps that exploit gaps in mobile carrier verification processes. The attack typically takes minutes to execute once the fraudster has gathered enough personal data on the victim. Understanding each stage is critical for merchants and developers building fraud-prevention controls.

01

Reconnaissance and Data Harvesting

The fraudster collects the target's personally identifiable information — name, address, date of birth, and the last four digits of their Social Security Number. This data is sourced from data breaches, dark-web marketplaces, phishing campaigns, or open-source intelligence gathering on social media profiles. Automated scraping tools make this step faster than ever.

02

Contacting the Mobile Carrier

Armed with the victim's PII, the attacker contacts the mobile carrier — by phone, in-store, or via online account portals — and impersonates the account holder. They claim their phone was lost or damaged and request the number be transferred to a new SIM card they possess.

03

Carrier Authentication Bypass

Carrier verification is only as strong as the challenge questions asked. Many carriers historically relied on easily obtainable data such as billing address or the last four digits of a Social Security Number. Fraudsters exploit weak challenge questions or, in insider-assisted attacks, bribe carrier employees to approve the swap without proper vetting.

04

Number Ported to Attacker's SIM

Once the swap is approved, the victim's phone number is assigned to the attacker's SIM card. The victim's legitimate device immediately loses service — typically the first signal that something is wrong. All calls and SMS messages, including two-factor authentication one-time passwords, are now routed to the attacker's device.

05

Account Takeover and Financial Drain

With SMS OTPs in hand, the attacker resets passwords on banking, email, and cryptocurrency accounts. They initiate wire transfers, purchase gift cards, or liquidate crypto wallets. The complete account takeover chain — from SIM swap approval to fund extraction — can complete in under an hour.

06

Covering Tracks

Fraudsters forward or delete password-reset confirmation emails that arrive in the victim's inbox, often by compromising the email account immediately after gaining phone number control. By the time the victim restores their phone service, the financial damage is already done and trails have been obscured.

Why SIM Swap Scam Matters

SIM swap fraud sits at the intersection of telecom vulnerabilities and financial crime, making it uniquely damaging compared with most forms of payment fraud. Victims lose access to every account secured by SMS-based authentication simultaneously, not just a single card or credential. For payment platforms and ecommerce merchants, the downstream liability — chargebacks, reputational damage, and regulatory scrutiny — makes this threat highly material to risk strategy.

According to the FBI's Internet Crime Complaint Center (IC3), reported losses from SIM swapping climbed to $68.4 million in 2021, up from $12 million in 2020 — a more than 400% increase in a single year. By 2023, the IC3 recorded over 2,000 SIM swap complaints annually, though security researchers estimate true detection rates remain low due to systematic misclassification of these attacks as standard account takeovers in incident reporting.

The FCC formally recognised the severity of the threat in 2023 when it adopted new rules requiring mobile carriers to implement stronger authentication before processing SIM changes and number ports, following years of high-profile victim losses and industry lobbying. Threat intelligence vendors consistently rank SIM swap among the top five identity fraud vectors targeting financial services customers, with average per-victim losses exceeding $30,000 — far above the average loss for card-not-present fraud incidents, which typically settle below $1,000.

Why SMS 2FA Is Structurally Vulnerable

SMS one-time passwords were never designed as a strong authentication factor. They traverse the public telephone network, rely entirely on carrier-side identity verification, and can be intercepted via SS7 protocol exploits in addition to SIM swap attacks. NIST deprecated SMS-based OTP as a sole authentication factor in its 2017 Digital Identity Guidelines (SP 800-63B), a position that has not changed in subsequent revisions.

SIM Swap Scam vs. Phishing

Both SIM swap scams and phishing attacks rely on social engineering to compromise victim credentials, but they differ significantly in execution, the party being deceived, and the controls that stop them. Understanding the distinction helps security teams allocate defensive resources correctly and avoid gaps where one defence addresses only one attack type.

DimensionSIM Swap ScamPhishing
Primary targetMobile carrier or carrier employeeThe victim directly via email, SMS, or fake web page
Party deceivedCarrier representative or automated portalThe victim themselves
Technical barrier for attackerLow — relies on carrier process weaknessesLow to moderate — off-the-shelf kits available
What is stolenPhone number control, enabling OTP interceptionCredentials, card data, or session tokens
Defeats SMS 2FAYes — completelyPartial — real-time phishing kits can relay OTPs live
Victim detection speedFast — phone loses service immediatelySlow — may take days to discover unauthorised access
Primary defenceApp-based MFA, carrier PIN, phone intelligence APIsSecurity awareness training, anti-phishing email filters
Key regulatory referenceFCC SIM swap rules (2023), CFPB guidancePCI DSS phishing controls, GDPR breach notification

Types of SIM Swap Scam

SIM swap attacks are not monolithic. Threat actors adapt their methods to carrier security posture, target profile, and the resources available to them. Merchants processing high-value transactions or managing large customer phone number databases should be familiar with each variant and the specific controls each requires.

Insider-assisted SIM swap: A fraudster bribes or coerces a carrier retail employee to process the SIM change without standard verification. This variant bypasses all over-the-phone authentication controls entirely and is significantly harder to detect through conventional fraud signals. Telecom industry investigations have found that insider-assisted SIM swap rings account for a disproportionate share of high-value cryptocurrency losses, where single-victim payouts justify the effort of carrier employee recruitment.

Port-out scam (number porting fraud): Instead of swapping the SIM within the same carrier, the attacker ports the victim's number to an entirely different carrier. Number porting is governed by FCC regulations designed to protect consumer choice in switching providers, but those same rules can be exploited if the receiving carrier's verification procedures are weak. The mechanics produce an identical outcome — the attacker receives all calls and OTPs — but remediation requires coordination across multiple carriers.

SS7 protocol interception: While technically distinct from a SIM swap, Signaling System 7 exploits allow technically sophisticated attackers to intercept SMS messages at the network level without any direct carrier interaction. This vector is typically associated with nation-state actors or organised crime groups rather than opportunistic fraudsters, but the end result — silent OTP interception with no service disruption to the victim — is identical and considerably harder to detect.

Portal-based account hijacking: With the widespread shift to online carrier account management, fraudsters increasingly exploit weak web authentication on carrier self-service portals. Using credentials obtained via credential stuffing or identity fraud, attackers log directly into a carrier's website and initiate the SIM change themselves, requiring no telephone social engineering and leaving minimal interaction logs.

Best Practices

SIM swap fraud is preventable, but prevention demands coordinated effort across merchant operations, developer tooling, and customer education. The controls below address the most common points of failure in real-world incidents and are deployable without major infrastructure changes.

For Merchants

Migrate away from SMS OTP for high-value authentication. Require customers to use TOTP authenticator apps — such as Google Authenticator or Authy — or hardware security keys implementing FIDO2/WebAuthn for account-level actions above defined risk thresholds. SMS OTP may remain as a fallback for low-risk interactions, but should not serve as the primary factor for transactions exceeding your chargeback tolerance.

Flag authentication anomalies at checkout and withdrawal. If a customer's device fingerprint, IP geolocation, or session behaviour changes suddenly — especially in conjunction with a recent password reset — treat the session as elevated risk. Require step-up authentication or impose a 24-hour fulfilment hold on high-value orders until the identity signal resolves.

Monitor for phone number change signals in real time. Integrate with a phone intelligence provider such as Telesign, Neustar, or SEON to receive alerts when a phone number associated with a customer account has been ported or swapped within the prior 24–72 hours. Many of these APIs return a SIM change flag within a standard authentication API call with no additional friction for legitimate users.

Educate customers through in-product prompts. Include clear guidance in your account security settings encouraging customers to set a carrier PIN and enrol in app-based 2FA. A targeted in-app prompt shown to users who have only SMS 2FA configured increases stronger-factor adoption at minimal development cost.

For Developers

Query phone intelligence before issuing an SMS OTP. Before dispatching a one-time password via SMS, call a phone intelligence API — Twilio Lookup, Telesign PhoneID, or equivalent — to check for recent SIM changes on the destination number. If a swap is detected within the past 24 hours, fall back to an alternative authentication channel and log the event for fraud review.

Implement phone number change cooling-off periods. When a customer updates their registered phone number in your platform, enforce a 24–48 hour window before the new number can receive authentication OTPs. Surface a clear UI notification explaining the delay so legitimate users understand the security control and do not create unnecessary support tickets.

Use authentication methods not tied to SMS for payment-critical actions. For initiating payouts, changing bank account details, or updating payout credentials, require re-authentication using biometrics, a hardware key, or an emailed one-time link in addition to any SMS factor. Never allow phone-number-sole authentication for irreversible fund movements.

Emit structured security events on 2FA method changes. Log whenever a user's authentication method changes and route those events into your fraud monitoring pipeline. Anomalies such as a 2FA method changed at 3 AM followed immediately by a large withdrawal request should trigger automated holds and human review before any funds are released.

Common Mistakes

Even security-conscious organisations make predictable errors in their SIM swap defences. The following mistakes appear consistently in post-incident reviews and account for the majority of preventable losses.

Treating SMS 2FA as sufficient protection. Many merchants enabled SMS OTP years ago as a compliance checkbox and never revisited the decision as SIM swap attacks matured and scaled. SMS OTP satisfies the "something you have" authentication factor on paper, but SIM swap eliminates the underlying security guarantee entirely. Revisit your authentication stack against your current transaction volume and fraud exposure at least annually.

Not querying phone intelligence at the point of login. Most fraud platforms log authentication events but do not query real-time phone intelligence APIs at the moment of the login attempt. A SIM swap that occurred an hour ago will not surface in historical risk data or velocity models — only a live carrier query made during the authentication flow will detect it in time to block the attacker.

Using email as the sole account recovery channel. SIM swap fraudsters routinely compromise the victim's email account immediately after gaining phone number control, since password-reset emails for both accounts arrive in the same inbox. Designing account recovery flows that rely solely on email after an SMS OTP failure creates a critical chained vulnerability that amplifies every successful SIM swap.

Ignoring sudden device and location change signals. A user authenticating from a new device in a new country within hours of a successful SMS 2FA event is a strong SIM swap indicator. Fraud engines that do not weight device fingerprint and geolocation change signals against the timing of authentication events will miss this attack pattern repeatedly, even at high transaction volumes.

Failing to set carrier-side PINs in corporate mobile security policy. For merchants who use corporate mobile accounts for internal authentication — approving large payouts, signing into payment portals — employee phones are as much an attack surface as customer phones. A corporate security policy that does not mandate carrier PINs on employee accounts creates organisational-level SIM swap exposure that no software control can fully compensate for.

SIM Swap Scam and Tagada

SIM swap fraud directly threatens the payment flows that Tagada orchestrates on behalf of merchants — particularly authentication events that trigger high-value payouts, refund approvals, or payout-account configuration changes. Because Tagada sits at the centre of the payment stack and routes authentication signals alongside transaction metadata, it is well-positioned to incorporate SIM swap risk signals before a fraudulent transaction completes and funds leave the merchant's account.

If you use Tagada for payment orchestration, work with your integration team to pass phone intelligence signals — including recent SIM change flags from a telco intelligence provider — as transaction metadata through Tagada's risk scoring layer. Flagging transactions where the payer's registered phone number was swapped within the prior 48 hours allows downstream fraud rules to apply step-up authentication or hold-for-review logic before funds are released, without adding friction to the 99%+ of legitimate transactions where no SIM change is detected.

Frequently Asked Questions

What exactly is a SIM swap scam?

A SIM swap scam is a form of identity fraud in which a criminal convinces a mobile carrier to reassign a victim's phone number to a SIM card under the attacker's control. Once the swap is complete, the attacker receives all calls and text messages — including SMS one-time passwords — sent to that number, allowing them to bypass two-factor authentication on banking, email, cryptocurrency, and ecommerce accounts. Victims typically lose phone service abruptly as the first warning sign.

How do fraudsters obtain the personal information needed to execute a SIM swap?

Fraudsters source victim PII from data breaches purchased on dark-web marketplaces, credential dumps from previous hacks, phishing campaigns that harvest personal details, and open-source intelligence gathered from social media. In some cases, fraudsters bribe carrier retail employees directly, bypassing the need for PII altogether. This makes individuals involved in past breaches — or those who share significant personal information publicly — disproportionately at risk of being targeted.

How can I tell if a SIM swap attack has been carried out against my account?

The most immediate signal is sudden loss of mobile service — calls drop, texts stop arriving, and carrier apps show no network. You should also watch for unexpected password-reset emails from your bank, email provider, or crypto exchange. Review account activity for login events from unfamiliar devices or IP addresses. If you suspect a swap has occurred, contact your carrier immediately to request an account freeze, then change passwords for critical accounts using a non-SMS recovery method.

Is SMS two-factor authentication safe enough for payment authentication?

SMS 2FA provides meaningful protection against opportunistic credential stuffing but is considered a weak factor against targeted attackers. SIM swap and SS7 interception attacks can defeat SMS OTPs without the user's knowledge. For high-value payment actions — initiating large payouts, changing bank account details, adding new beneficiaries — NIST SP 800-63B and PCI DSS guidance both recommend replacing SMS OTP with stronger factors such as TOTP authenticator apps, FIDO2 hardware keys, or biometric authentication.

What should merchants do immediately after discovering a SIM swap targeting a customer?

Immediately freeze the affected customer account to prevent further transactions. Document the authentication event chain — login timestamp, device fingerprint, IP address, and the OTP delivery record. Notify the customer through an out-of-band channel such as email only, not SMS. File a fraud report with your acquiring bank and, if losses exceed $1,000, consider an FBI IC3 complaint. Review whether any funds have already moved and initiate chargeback or recovery procedures where applicable.

What is the difference between a SIM swap and a port-out scam?

Both attacks route a victim's phone number to a device controlled by the attacker, but through different mechanisms. A SIM swap transfers the number to a new SIM card within the same carrier, while a port-out scam moves the number to an entirely different carrier using legitimate number porting rules. Port-out scams can be harder to reverse because the victim must coordinate between two carriers. The FCC's 2023 rules address both vectors by requiring stronger authentication for SIM changes and outbound number ports alike.

Tagada Platform

SIM Swap Scam — built into Tagada

See how Tagada handles sim swap scam as part of its unified commerce infrastructure. One platform for payments, checkout, and growth.