SIM Swapping: Phone-Based Identity Theft

SIM swapping — also called SIM hijacking or port-out fraud — is a form of phone-based identity theft in which a fraudster redirects a victim's mobile phone number to a SIM card under the attacker's control. The technique exploits mobile carrier customer-authentication processes to defeat phone-based two-factor authentication, enabling downstream account takeovers across banking, email, and cryptocurrency platforms. The Federal Communications Commission (FCC) and the Federal Trade Commission (FTC) both identify SIM swapping as a priority consumer threat within the broader category of account takeover fraud.


Definition and scope

SIM swapping is defined by the FTC as unauthorized porting or reassignment of a subscriber's mobile number to a device controlled by a threat actor, without the legitimate subscriber's knowledge or consent (FTC Consumer Information on SIM Swaps). The attack vector is not a flaw in SIM card hardware; it is a social engineering exploit targeting carrier identity verification procedures.

The scope of the threat is significant. The FBI Internet Crime Complaint Center (IC3) reported that SIM swapping complaints generated more than $68 million in adjusted losses in 2021 (IC3 2021 Internet Crime Report), rising sharply from roughly $12 million across 320 complaints filed between January 2018 and December 2020. The attack class intersects directly with financial identity theft and new account fraud, because a compromised phone number grants access to SMS-delivered one-time passwords (OTPs) that protect financial and identity accounts.

Regulatory framing for SIM swapping involves the FCC, which issued a Report and Order in November 2023 requiring wireless carriers to implement additional authentication safeguards before processing SIM changes or number transfers (FCC WC Docket No. 21-341). Carriers must now notify customers immediately upon any SIM change request and must apply secure methods of customer authentication that go beyond knowledge-based answers.


How it works

SIM swapping executes through a structured sequence of steps, each dependent on information gathered in prior phases:

  1. Reconnaissance — The attacker collects the target's full name, phone number, carrier, billing address, and whatever the carrier uses for verification: an account PIN, the last four digits of a Social Security number, or a date of birth. Sources include data breach dumps, phishing, pretexting calls, and public records. Because these same data elements unlock other accounts, their exposure is itself an identity theft risk beyond the SIM swap.

  2. Carrier contact — The attacker contacts the mobile carrier by phone, online chat, or in-store visit, impersonating the legitimate account holder. The attacker uses the collected personal data to pass the carrier's identity verification questions.

  3. SIM reassignment — The carrier representative, deceived by the fraudulent authentication, transfers the target's phone number to a SIM card controlled by the attacker. At this point, the victim's legitimate device loses mobile service.

  4. Account compromise — With the phone number active on the attacker's device, all SMS-based two-factor authentication codes for email, banking, cryptocurrency exchanges, and other services are delivered to the attacker. Password reset flows that rely on SMS verification are fully intercepted.

  5. Fund or data extraction — The attacker resets account passwords, drains financial accounts, or harvests credentials for sale. Cryptocurrency wallets are a primary target because transfers are typically irreversible.

The entire sequence from initial carrier contact to fund extraction can complete in under 30 minutes. NIST SP 800-63B treats out-of-band authentication over the public switched telephone network (SMS or voice OTP) as a "restricted" authenticator (§5.1.3.3 and §5.2.10) and tells verifiers to check risk indicators such as a device swap, SIM change, or number port before sending a code over the PSTN. That guidance exists precisely because the carrier, not the subscriber, controls where an SMS code is delivered.
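The NIST risk-indicator check described above can be implemented on the verifier side as a simple correlation: flag any SMS-OTP verification or password reset that follows a SIM change or port-out on the same number within a short window. The script below is an added example, not code from the original page. It assumes a SIM-change feed (from a carrier notification or a number-intelligence lookup, both hypothetical here), a 72-hour window, and constructed sample events; the check keys on the SIM change itself, so it applies equally to insider-assisted swaps that never touched customer-facing authentication.

```python
"""Correlate SIM-change signals with SMS-OTP use (added example, not from the page).

NIST SP 800-63B 5.1.3.3 says a verifier using PSTN out-of-band authenticators
should consider risk indicators such as a recent SIM change or number port.
This script implements that check over constructed sample events.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry. The SIM-change feed is assumed to come from a
# carrier notification or a number-intelligence lookup (assumption); the auth
# events are assumed to come from the application's own logs.
SIM_CHANGE_EVENTS = [
    {"ts": "2024-03-01T10:02:00", "phone": "+15555550100", "type": "sim_change"},
    {"ts": "2024-02-20T08:00:00", "phone": "+15555550199", "type": "port_out"},
]
AUTH_EVENTS = [
    {"ts": "2024-03-01T10:15:00", "user": "alice", "phone": "+15555550100", "action": "sms_otp_verified"},
    {"ts": "2024-03-01T10:17:00", "user": "alice", "phone": "+15555550100", "action": "password_reset"},
    {"ts": "2024-03-01T10:20:00", "user": "bob",   "phone": "+15555550123", "action": "sms_otp_verified"},
    {"ts": "2024-03-05T09:00:00", "user": "carol", "phone": "+15555550199", "action": "sms_otp_verified"},
]

# Actions that an attacker holding the number would perform first.
SUSPICIOUS_ACTIONS = {"sms_otp_verified", "password_reset", "recovery_phone_used"}
# Assumption: a SIM change within the last 72 hours is treated as a risk indicator.
WINDOW = timedelta(hours=72)


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def recent_sim_changes(sim_events):
    """Map phone number -> timestamp of its most recent SIM change or port-out."""
    latest = {}
    for e in sim_events:
        if e["type"] in ("sim_change", "port_out"):
            t = parse_ts(e["ts"])
            if e["phone"] not in latest or t > latest[e["phone"]]:
                latest[e["phone"]] = t
    return latest


def flag_risky_auth(auth_events, sim_events, window=WINDOW):
    """Return sensitive auth events that used a number changed within `window` before them.

    Events that precede the SIM change are not flagged (negative deltas are excluded),
    and numbers with no recorded change are ignored.
    """
    latest = recent_sim_changes(sim_events)
    flagged = []
    for e in auth_events:
        if e["action"] not in SUSPICIOUS_ACTIONS:
            continue
        changed_at = latest.get(e["phone"])
        if changed_at is None:
            continue
        delta = parse_ts(e["ts"]) - changed_at
        if timedelta(0) <= delta <= window:
            flagged.append({**e,
                            "sim_changed_at": changed_at.isoformat(),
                            "minutes_after_change": int(delta.total_seconds() // 60)})
    return flagged


if __name__ == "__main__":
    for hit in flag_risky_auth(AUTH_EVENTS, SIM_CHANGE_EVENTS):
        print(f"RISK user={hit['user']} action={hit['action']} "
              f"{hit['minutes_after_change']} min after SIM change on {hit['phone']}")
```

In the sample data only alice's two events are flagged: her number changed 13 and 15 minutes earlier. carol's number was ported two weeks before her login and falls outside the window, and bob's number has no change on record. A real deployment would respond to a hit by refusing to deliver the SMS code and requiring a non-PSTN factor, not merely by logging it.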

Insider-assisted SIM swapping is a distinct variant. In this form, a carrier employee — either coerced or bribed — processes the fraudulent SIM change directly, bypassing customer-facing authentication entirely. The U.S. Department of Justice has prosecuted insider-assisted SIM swap cases under wire fraud statutes (18 U.S.C. § 1343) and the Computer Fraud and Abuse Act (18 U.S.C. § 1030). This variant differs from standard social engineering attacks in that no amount of consumer-side awareness prevents it; carrier-side access controls and audit trails are the primary countermeasure class.


Common scenarios

Cryptocurrency theft is the most common objective in SIM swap complaints documented by the IC3. Because cryptocurrency exchanges frequently use SMS-based two-factor authentication and hold assets whose on-chain transfers are irreversible, they are the highest-value target. The DOJ indicted a group in 2021 for stealing approximately $530,000 in cryptocurrency through SIM swapping targeting dozens of victims across multiple states.

Banking account takeover uses the intercepted OTP to initiate wire transfers or ACH payments. Losses in individual cases range from thousands to hundreds of thousands of dollars. Banks governed by Regulation E (12 C.F.R. Part 1005), administered by the Consumer Financial Protection Bureau, may provide limited liability protections for unauthorized electronic transfers — but recovery depends on prompt reporting and the type of account affected.

Email and social media hijacking targets accounts whose password reset flows rely solely on phone verification. A compromised email account cascades into additional account takeovers across any service using that email address for recovery. This overlaps with the threat landscape described in social media identity risks.

Business executive targeting involves SIM swapping as a component of business email compromise (BEC) schemes. An executive's personal phone number may be used to authorize fraudulent corporate wire transfers or to defeat enterprise MFA. The FBI's IC3 reported BEC losses of $2.9 billion in 2023 (IC3 2023 Internet Crime Report).


Decision boundaries

Understanding when SIM swapping risk is elevated — and when specific protective measures are appropriate — requires distinguishing between threat exposure levels and authentication architecture choices.

High-risk exposure indicators:
- Holding significant cryptocurrency balances on exchange platforms
- Using SMS-only two-factor authentication for financial or email accounts
- Having personally identifiable information exposed in a prior data breach (assessable through dark web monitoring)
- Being a public figure or executive whose contact information is widely available

Authentication architecture comparison — SMS OTP vs. authenticator app vs. hardware token:

NIST SP 800-63B classifies SMS OTP as a restricted authenticator, meaning its use is discouraged for high-assurance transactions. Authenticator app-based TOTP (Time-based One-Time Password, defined in RFC 6238) is derived from a shared secret and the current time, is not tied to a phone number, and cannot be intercepted through carrier social engineering; it can still be phished in real time, since the user types the code into whatever page asks for it. Hardware security keys (FIDO2, which combines the W3C WebAuthn browser API with the FIDO Alliance's CTAP protocol) provide the highest assurance level and are both phishing-resistant and SIM-swap resistant by design, because the credential is bound to the site origin and never leaves the key. The multi-factor authentication identity protection reference covers these categories in full.

Carrier-side mitigations include setting a number transfer (port-out) PIN, enrolling in carrier-specific SIM lock or port freeze programs (the major U.S. carriers each offer some form of this), and enabling account notifications for any SIM or plan change. These reduce but do not eliminate risk, and they offer little protection against insider-assisted attacks, where the employee processing the change can bypass the same controls.

Post-incident classification: If a SIM swap has already occurred, the event constitutes an identity theft incident under FTC guidelines. Affected individuals should file a report at IdentityTheft.gov under the FTC identity theft reporting process and assess whether downstream accounts have been compromised. A credit freeze limits the attacker's ability to open new credit lines using captured identity data, though it does not directly address account takeover of existing accounts — a distinction explained in credit freeze vs. fraud alert. The broader recovery pathway is documented under identity restoration process.

