SIM Swapping: Phone-Based Identity Theft

SIM swapping is a form of phone-based identity theft in which an attacker fraudulently transfers a victim's mobile phone number to a SIM card under the attacker's control. The technique exploits mobile carrier authentication procedures rather than device hardware or malware, making it distinct from most endpoint-based attacks. Because phone numbers function as identity verification anchors across banking, email, and authentication systems, a successful SIM swap grants broad downstream access to accounts the victim never intended to expose.

Definition and scope

A SIM swap — also called SIM hijacking or port-out fraud — occurs when a threat actor convinces or bribes a mobile carrier representative to reassign a subscriber's phone number to a new SIM card. Once complete, the attacker's device receives all calls and SMS messages intended for the victim, including one-time passcodes (OTPs), account recovery codes, and two-factor authentication (2FA) prompts.

The Federal Communications Commission (FCC) classifies SIM swapping and port-out scams as distinct but related threat categories under its consumer protection framework. Port-out fraud involves transferring a number to a different carrier entirely; SIM swapping reassigns the number within the same carrier to a new SIM. Both produce functionally identical outcomes for the attacker: control over the victim's phone number.

The Federal Trade Commission (FTC) treats SIM swap fraud as a category of account takeover under its identity theft enforcement authority. The statutory basis for FTC action against carriers with inadequate account security practices derives from Section 5 of the FTC Act (15 U.S.C. § 45), which prohibits unfair or deceptive acts or practices. Practitioners navigating the broader will find SIM swapping increasingly central to financial account compromise patterns.

How it works

A SIM swap attack follows a structured sequence that exploits carrier authentication gaps at each stage.

  1. Reconnaissance — The attacker collects personal identifiers: full name, phone number, account PIN, billing address, and the last four digits of a Social Security number. Sources include data broker records, prior data breaches, phishing campaigns, and social media profiling.

  2. Carrier contact — The attacker contacts the mobile carrier through a customer service channel — phone, in-store visit, or online portal. The attacker impersonates the account holder using the collected identifiers.

  3. Authentication bypass — The attacker presents fabricated identity verification (stolen credentials, false account recovery responses) or, in documented insider-threat cases, bribes a carrier employee directly. The U.S. Department of Justice has prosecuted multiple cases involving carrier insiders who accepted payments between $1,000 and $2,500 per swap (U.S. Department of Justice press releases, various districts, 2019–2023).

  4. SIM reassignment — The carrier reassigns the target phone number to an attacker-controlled SIM. The victim's phone immediately loses service — a primary warning signal.

  5. Account takeover — With the phone number active on their device, the attacker triggers password resets and OTP delivery across targeted accounts: online banking, cryptocurrency exchanges, email providers, and brokerage platforms.

  6. Monetization or escalation — Funds are transferred, cryptocurrency wallets drained, or accounts sold. In high-value cases, attackers maintain access long enough to enumerate further linked accounts before the victim regains the number.

The entire sequence from step 2 to step 5 can complete in under 30 minutes.
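Because steps 4 through 6 follow each other so quickly, a relying service can treat a recent SIM change as a reason to hold sensitive actions. The sketch below is an added example, not part of the original page. The event schema, the `sim_change` signal (standing in for a hypothetical carrier or number-intelligence feed), and the 24-hour hold are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed account-event stream (sample data, not real logs).
# "sim_change" is a hypothetical signal that the number moved to a new SIM.
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "user": "alice", "type": "login"},
    {"ts": "2024-03-01T14:02:00", "user": "alice", "type": "sim_change"},
    {"ts": "2024-03-01T14:09:00", "user": "alice", "type": "sms_otp_sent"},
    {"ts": "2024-03-01T14:10:00", "user": "alice", "type": "password_reset"},
    {"ts": "2024-03-01T14:21:00", "user": "alice", "type": "transfer"},
    {"ts": "2024-03-01T14:30:00", "user": "bob", "type": "password_reset"},
    {"ts": "2024-03-05T10:00:00", "user": "alice", "type": "transfer"},
]

# Actions that depend on control of the phone number or move value.
SENSITIVE = {"sms_otp_sent", "password_reset", "transfer"}


def flag_post_swap_actions(events, hold=timedelta(hours=24)):
    """Return (user, action, minutes_since_swap) for every sensitive action
    that occurs within `hold` of that user's most recent SIM change."""
    last_swap = {}   # user -> datetime of latest SIM change
    flagged = []
    # ISO-8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "sim_change":
            last_swap[ev["user"]] = ts
            continue
        swap = last_swap.get(ev["user"])
        if ev["type"] in SENSITIVE and swap is not None and ts - swap <= hold:
            minutes = int((ts - swap).total_seconds() // 60)
            flagged.append((ev["user"], ev["type"], minutes))
    return flagged


if __name__ == "__main__":
    for user, action, minutes in flag_post_swap_actions(EVENTS):
        print(f"HOLD {action} for {user}: {minutes} min after SIM change")
```

In production the flagged actions would be routed to step-up verification over a channel that does not depend on the phone number.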

Common scenarios

SIM swap attacks cluster around three primary target profiles based on attacker motivation.

Cryptocurrency account holders represent the highest-value target category. Cryptocurrency accounts frequently lack the fraud detection infrastructure of regulated banks, and transfers are irreversible. The FBI's Internet Crime Complaint Center (IC3) reported $72.6 million in losses attributed to SIM swap attacks in its 2022 annual report.

Online banking and brokerage targets are selected for rapid fund transfer. Attackers use SMS-based 2FA intercept to reset banking credentials and initiate wire transfers or ACH transactions within the window before the victim detects service loss.

High-profile individuals and executives are targeted for account access that enables secondary fraud — business email compromise, extortion, or competitive intelligence theft — rather than immediate financial transfer. Social media accounts with large audiences are also targeted for their platform monetization value.

A contrast relevant to identity protection service providers: traditional phishing attacks require victim interaction with a malicious link or attachment. SIM swapping requires zero victim interaction after the carrier is compromised — the victim is a passive target throughout the attack.

Decision boundaries

Several classification questions determine how SIM swapping intersects with regulatory, insurance, and liability frameworks.

Carrier liability vs. individual account takeover: When a SIM swap leads to bank account fraud, the responsible party for loss recovery is contested between the carrier (whose authentication failure enabled the swap) and the bank (whose SMS-based 2FA was the exploited verification method). The FCC's 2023 rulemaking on SIM swap protections — published in the Federal Register as part of the FCC's broader customer proprietary network information (CPNI) proceeding under 47 C.F.R. Part 64 — introduced requirements for carriers to implement additional authentication steps before processing SIM changes.

SMS 2FA vs. authenticator-app 2FA: SMS-based OTPs are vulnerable to SIM swapping by definition; time-based OTP (TOTP) apps (such as those conforming to IETF RFC 6238) are not, because they generate codes locally without carrier involvement. NIST's Special Publication 800-63B categorizes SMS OTP as a "restricted" authenticator type and discourages its use at higher assurance levels precisely because of SIM swap and SS7 interception risks.
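To make the "generated locally" point concrete, here is a minimal RFC 6238 TOTP generator and verifier. It is an added example, not part of the original page. The code is derived only from a shared secret and the clock, so nothing transits the carrier and a reassigned phone number gives no access to it. The secret is the published RFC 6238 test key, and the function names are illustrative.

```python
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test secret (ASCII); real secrets are random per user.
RFC_SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """Compute an HMAC-SHA1 TOTP code for the given time (RFC 6238 / RFC 4226)."""
    counter = max(0, unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, unix_time: int,
           window: int = 1, step: int = 30) -> bool:
    """Accept codes from the current time step and +/- `window` steps to
    tolerate clock drift; compare in constant time."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, len(code), step)
        ok |= hmac.compare_digest(expected, code)
    return ok


if __name__ == "__main__":
    # Both sides compute the same value independently; no SMS is sent.
    print(totp(RFC_SECRET, 59, digits=8))        # RFC 6238 vector for T=59
    print(verify(RFC_SECRET, "287082", 89))      # previous step still accepted
```

The security of this scheme rests on the shared secret staying on the device and the server, which is why enrollment and recovery flows must not fall back to SMS.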

Criminal vs. civil jurisdiction: SIM swapping prosecutions proceed under 18 U.S.C. § 1028 (identity fraud), 18 U.S.C. § 1029 (access device fraud), and in cases involving wire transfers, 18 U.S.C. § 1343 (wire fraud). Civil recovery actions by victims against carriers have proceeded in federal court under state consumer protection statutes. Individuals assessing their exposure should consult the identity protection resource framework for guidance on navigating professional service categories.


References