What a SIM Swap Actually Is

A SIM swap, also known as SIM hijacking or a port-out scam, is an account takeover attack where a criminal hijacks your phone number. Critically, they don’t need to hack your phone. They simply convince your mobile carrier to transfer your service to a SIM card they control.
This is technically classified as an account takeover fraud that targets a weakness in two-factor authentication, exploiting a mobile phone service provider’s ability to seamlessly port a phone number to a device containing a different subscriber identity module.
This mobile number portability feature is normally used when a phone is lost or stolen, or when a customer switches to a new device. The scam begins with a fraudster gathering personal details about the victim through phishing emails, buying them from organized criminals, social engineering, or retrieving them from data breaches.
The Numbers Behind the Surge

In 2024 alone, the FBI’s Internet Crime Complaint Center tracked nearly $26 million in reported losses from SIM swapping in the United States. That figure only captures what victims actually reported to federal authorities. Researchers widely acknowledge that most cases go unreported.
The UK’s fraud prevention service, Cifas, reported a staggering 1,055% increase in unauthorized SIM swaps, with nearly 3,000 cases filed in 2024 compared to just 289 the year before. That is not a rounding error. It is the steepest single-year rise ever recorded for any fraud category in that dataset.
According to IDCARE, SIM swap and mobile porting cases surged 240% in 2024 compared to 2023, with a staggering 90% of incidents occurring without any interaction from victims, meaning the victim never even received a suspicious call or message before the damage was done.
How Attackers Get Through Carrier Verification

Threat actors typically social-engineer customer support staff or exploit weak self-service portals. They present stolen personal information, forged IDs, or manipulated deepfakes to pass identity checks, then request a “replacement SIM” or “number port.”
In some cases, telephone company employees have been bribed directly by attackers to change SIM numbers. Attackers have sought out employees at companies including T-Mobile and Verizon through social media or employee directories, sometimes promising cryptocurrency payments for each number they transferred.
AI-powered social engineering has made this even harder to stop. Cheap voice-cloning tools and AI-scripted call dialogues let attackers mimic victims or even carrier lingo, adding believability that defeats legacy knowledge-based verification.
When the SEC Itself Got SIM-Swapped

In January 2024, hackers executed a SIM swap attack against the U.S. Securities and Exchange Commission’s X account, posting fake news about Bitcoin ETF approvals that caused Bitcoin prices to spike temporarily. The attackers hijacked the phone number associated with the @SECGov account to bypass two-factor authentication and gain unauthorized access.
Eric Council Jr., an Alabama man, later pleaded guilty to his role in the attack and received a 14-month prison sentence. The incident demonstrated how SIM swapping can manipulate financial markets and damage institutional credibility.
The SEC could have prevented this attack by implementing hardware-based authentication instead of SMS-based 2FA for critical accounts. The breach also highlighted how government agencies remain vulnerable to the same social engineering tactics used against individual consumers.
Scattered Spider and the Industrialization of SIM Fraud

Scattered Spider is believed to have been founded in May 2022, with an initial focus on attacks on telecommunications firms. The group utilized SIM swap scams, multi-factor authentication fatigue attacks, and phishing by SMS and Telegram.
In November 2024, U.S. prosecutors accused Tyler Robert Buchanan and four other suspects of stealing at least $8 million in cryptocurrency after hacking at least a dozen companies. The list of breached organizations included companies from entertainment, telecommunications, technology, business process outsourcing, and cloud communications providers.
Noah Michael Urban, another key member of the Scattered Spider cybercrime collective, was sentenced to 10 years in prison after pleading guilty to wire fraud and conspiracy charges. These were not seasoned professionals operating from state-backed infrastructure. Several were teenagers.
The Structural Problem with SMS as a Security Layer

SMS was never built for security. It was built to send messages across a 2G cellular network in the late 1980s. Interception wasn’t even part of the conversation back then.
The Signaling System 7 protocol, which SMS relies on, allows attackers with access to telecommunications infrastructure to intercept SMS messages in transit, redirect messages to different devices, and read message content without alerting the sender or recipient.
Coinbase revealed that 95% of its account takeovers involved customers using SMS-based multi-factor authentication. These users represented 95.65% of all account takeovers Coinbase experienced as of November 2022, despite making up that same percentage of their user base. It is a clear signal that SMS one-time passwords have become a critical vulnerability.
The FBI, CISA, and NIST All Said Stop

In December 2024, the FBI and the Cybersecurity and Infrastructure Security Agency issued a stark warning to American businesses and consumers: stop using SMS codes for two-factor authentication. The guidance came in response to the Salt Typhoon cyber espionage attacks, where nation-state actors infiltrated multiple telecommunications companies and accessed call and data logs for an unknown number of victims.
In the Salt Typhoon campaign, Chinese state-affiliated hackers infiltrated multiple major U.S. telecommunications networks including AT&T, Verizon, T-Mobile, and Lumen Technologies. The attackers gained access to customer call records, metadata for millions of users, unencrypted text messages including authentication codes, and even the content of calls for targeted individuals.
Security experts said much the same in 2023, 2020, 2018, and as early as 2016, when NIST issued guidance discouraging the use of SMS as an authenticator. The warnings have been accumulating for nearly a decade. They are no longer fringe opinions.
Crypto, eSIMs, and the Expanding Attack Surface

Cryptocurrency is a primary driver of SIM swapping’s profitability. The irreversible and pseudonymous nature of blockchain transactions makes it a perfect target, as stolen funds are nearly impossible to recover.
In March 2025, a California arbitrator ordered T-Mobile to pay $33 million after a SIM swap attack enabled thieves to steal approximately $38 million in cryptocurrency from a customer’s wallet. The attackers bypassed T-Mobile’s own security flag by convincing a call center agent to issue a remote eSIM QR code, despite the victim having extra security measures on their account.
eSIMs also create new fraud vectors for SIM swapping. In the UK, while only 18 reports in 2022 referenced an eSIM, by 2024 that number had risen to 763, an increase of over 600%. Convenience features have a way of becoming attack surfaces faster than security teams expect.
Who Gets Targeted and What It Costs Them

SIM swapping victims lost more than $26,400 on average in 2024, which illustrates the concentrated, high-value nature of these attacks. This is not a scam that steals small amounts from many people. It tends to drain accounts in single, devastating incidents.
The elderly population has been disproportionately affected, with scam losses among those aged 60 and older quadrupling between 2020 and 2024. Some individual losses exceeded $100,000, and many cases remain unreported, suggesting the actual financial impact is larger than documented.
Facility takeover fraud, where criminals seize control of individual accounts, soared by 76% in 2024, with nearly half of all account takeover cases involving mobile phone accounts. The phone number has become the skeleton key to the broader digital identity ecosystem.
What Actually Works Instead

Hardware security keys and FIDO2 passkeys require physical possession of the key or a registered device to log in. They are immune to both SIM swapping and phishing attacks because the key verifies the website’s domain before authenticating, meaning a fake site cannot trigger a valid response.
Because the private key never leaves the device and is scoped to the service’s domain, phishing sites cannot trick the authenticator into responding. Passkeys therefore resist adversary-in-the-middle attacks that intercept or replay session tokens.
At the carrier level, users should contact their mobile carrier to add a SIM lock, port freeze, or account-level PIN that requires additional verification before any number transfers. Requesting that representatives document these security measures and require supervisor approval for any SIM-related changes adds another layer of friction for attackers. These carrier locks are free, take minutes to set up, and are currently underused by the vast majority of customers.
Conclusion: The Second Factor Needs a Second Look

There is a real irony here. The security habit that security professionals spent years convincing ordinary people to adopt, turning on two-factor authentication, has become the exact entry point that sophisticated criminals now target. The advice was never wrong. The implementation was.
The conversation can no longer be about whether you use MFA, but which MFA you use and, more importantly, understanding the systemic failures that can render it useless. SMS codes are better than nothing. They are just no longer enough.
By 2026, multiple countries including the UAE, India, and the Philippines are moving to phase out SMS one-time passwords for financial services entirely. The global regulatory direction is clear. The only real question is whether individuals and organizations will get ahead of it or wait until they become the next case study.
