SIM-swap fraud: Scam prevention guide
SIM-swapping is quickly becoming a favorite form of attack for cybercriminals. According to the National Fraud Database, SIM-swap fraud jumped by over 1,000% in 2024. Hackers port a victim’s number onto a rogue SIM, so they can intercept SMS-based two-factor authentication (2FA) codes, reset passwords, and gain unfettered access to everything from bank accounts to email and social media profiles.
The tactic is believed to have been involved in the recent cyber-attacks on Marks and Spencer and the Co-Op, where social engineering was used to trick service desk agents. If hacking groups are seeing success, it’s unlikely this trend will slow down. We’ll unpack the technical mechanics of SIM-swap attacks and suggest a layered defense strategy that can keep your end users’ phones out of criminals’ virtual hands.
What is SIM-swapping?
SIM-swapping (also known as SIM hijacking) is a form of identity theft where an attacker convinces a mobile carrier to transfer (or port) a victim’s phone number onto a SIM card the attacker controls. Once the swap is complete, all calls, texts, and one-time authentication codes (used for 2FA) intended for the victim’s number are sent to the attacker’s device.
An attacker will typically gather personal data (e.g. date of birth, address, social security number) through phishing, social engineering, or data breaches, and then use that information to impersonate the victim when contacting the carrier’s support. After hijacking the victim’s number, the attacker requests password resets and intercepts the verification codes, effectively locking the real user out. If this happens to an employee of your organization, it’s a potential route in for a hacker.
SIM-swapping isn’t new – it began surfacing in the early 2010s as mobile number portability became widespread and hackers realized they could abuse carrier port-out processes for account takeovers. However, it only accelerated into a major threat around 2014–2015 as attackers perfected social-engineering workflows and 2FA via SMS became ubiquitous.
Why is SIM-swap fraud rising in popularity?
Hackers gravitate toward SIM-swap scams because they offer a high return on relatively little investment. By hijacking a phone number, an attacker can bypass SMS-based 2FA without needing to crack complex password hashes or exploit zero-day software vulnerabilities. The up-front cost is minimal (often just a few phishing emails or a quick social-engineering call to a carrier), but the potential payday can be enormous if they breach a major organization, as Scattered Spider allegedly did with Marks and Spencer.
SIM-swapping is also highly scalable. Once fraudsters refine their social-engineering scripts and build up a small pipeline of compromised PII (from phishing, breach dumps, or social media harvesting), they can target dozens or even hundreds of victims in rapid succession. Because the attacker never needs physical access to the victim’s device (and carriers often lack robust anti-fraud checks), the malicious port-out moves under the radar until the victim suddenly finds themselves locked out.
How does a SIM-swapping attack play out?
A SIM-swap attack typically unfolds in three stages:
- Reconnaissance and credential harvesting: The attacker first assembles enough PII to pass as the victim when talking to the carrier. This often comes from phishing e-mails that harvest credentials and PINs, data breaches, or social-engineering phone calls (“vishing”) in which the fraudster impersonates a bank or mobile-provider rep. In parallel, they may probe public-facing systems (e.g. social media, public records) for metadata—birthday, address, account numbers—that will satisfy the mobile operator’s identity-verification questions or their CRM workflow.
- Port-out / SIM-Provisioning abuse: Armed with the victim’s account credentials and PII, the attacker calls the mobile operator’s porting or support team (or abuses an online self-service portal). They request a “port-out” or a replacement SIM issuance, fraudulently claiming the old device was lost or damaged. As soon as the record changes, the attacker’s SIM card begins receiving all SMS, voice calls, and SS7‐based MAP (Mobile Application Part) messages previously destined for the victim.
- Bypassing 2FA and initial entry: With control of the SIM, the attacker can trigger password-reset flows that use SMS-OTP (one-time passcodes). When your organization sends an SMS-OTP to an end user to “confirm it’s really them”, the OTP goes straight to the attacker’s device. Once initial access is gained, the attacker can escalate their privileges, steal data, or deploy ransomware.
New SIM-swap techniques and tactics
Beyond the more familiar telco‐helpdesk scams and SMS‐OTP interceptions, attackers have also begun exploiting underlying network protocols—most notably the SS7 and Diameter signaling systems used to route calls and messages between carriers worldwide. By breaching or renting access to these signaling points, fraudsters can silently redirect SMS and voice traffic without any interaction with a customer‐service rep, making detection and attribution far more challenging.
On the device side, the rollout of eSIM (embedded SIM) and remote SIM provisioning has opened a new front: criminals who compromise a user’s mobile-carrier account can initiate an over-the-air profile download to an attacker-controlled SIM, all under the radar of physical SIM-swap controls. Likewise, as organizations phase out SMS-OTP in favor of push-based MFA, attackers are experimenting with sophisticated vishing campaigns to trick users into approving rogue logins on their authenticator apps.
Tips to prevent SIM-swap fraud
Organizations can harden their defenses against SIM-swapping by reducing reliance on SMS-based authentication and strengthening user identity proofing:
- Enforce strong enrollment and recovery workflows. When users register devices or reset credentials, ensure you have a tool such as Specops Secure Service Desk so agents can verify end users are who they claim to be.
- Implement continuous behavioral and device-based risk assessments. Embed anomaly detection (device fingerprinting, geolocation checks, velocity checks on login and password-reset attempts) to flag and block suspicious sessions before they can succeed.
- Negotiate carrier-level SIM-port protections. Work with mobile operators to set up “port-freeze” or “SIM-lock” flags on corporate lines, requiring pre-established PINs or out-of-band approvals for any port-out requests.
- Monitor telephony events and SS7 signaling. Leverage telecom fraud-detection services or managed security providers to alert on unauthorized signaling queries or sudden IMSI/ICCID changes.
- Train staff and drill incident response. Educate help-desk and IT teams on social-engineering tactics used in SIM-swap scams, and run regular simulations of a compromised line – so the organization can swiftly isolate affected accounts, enact manual overrides, and coordinate with carriers to reverse malicious ports.
- Maintain an up-to-date threat-intelligence feed. Subscribe to industry-wide breach notifications (e.g., FS-ISAC, NCSC alerts) and monitor for spikes in regional SIM-swap campaigns (like those that recently hit UK retailers) so you can proactively harden or segment exposed systems.
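The risk-assessment and telephony-monitoring tips above can be combined into a single gate in front of any SMS-OTP password reset. The sketch below is an added example, not code from Specops or any carrier: the event fields, thresholds, decision names and sample data are all assumptions, with IMSI/ICCID observations presumed to come from a telecom fraud-detection feed.

```python
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration; tune them to your own risk appetite.
SIM_CHANGE_COOLDOWN = timedelta(hours=72)   # distrust SMS after an IMSI/ICCID change
VELOCITY_WINDOW = timedelta(minutes=15)
VELOCITY_LIMIT = 3                          # reset attempts per user per window

def sim_changed_recently(sim_events, msisdn, now):
    """True if the number's IMSI or ICCID changed inside the cooldown window."""
    history = sorted((e for e in sim_events if e["msisdn"] == msisdn),
                     key=lambda e: e["seen"])
    for prev, cur in zip(history, history[1:]):
        changed = (prev["imsi"], prev["iccid"]) != (cur["imsi"], cur["iccid"])
        if changed and now - cur["seen"] <= SIM_CHANGE_COOLDOWN:
            return True
    return False

def assess_reset(request, sim_events, reset_log, known_devices):
    """Return (decision, reasons) for one SMS-OTP password-reset request."""
    now, user = request["time"], request["user"]
    reasons = []
    if sim_changed_recently(sim_events, request["msisdn"], now):
        reasons.append("recent_sim_change")
    recent = [r for r in reset_log
              if r["user"] == user and now - r["time"] <= VELOCITY_WINDOW]
    if len(recent) >= VELOCITY_LIMIT:
        reasons.append("reset_velocity")
    if request["device_id"] not in known_devices.get(user, set()):
        reasons.append("unknown_device")
    if "recent_sim_change" in reasons:
        return "block_sms_require_service_desk", reasons
    if reasons:
        return "step_up_non_sms_factor", reasons
    return "allow_sms_otp", reasons

# Constructed sample data (not real telemetry).
T0 = datetime(2025, 6, 1, 9, 0)
SIM_EVENTS = [
    {"msisdn": "+15550100", "imsi": "001010000000001", "iccid": "8900000000000000001", "seen": T0 - timedelta(days=90)},
    {"msisdn": "+15550100", "imsi": "001010000000002", "iccid": "8900000000000000002", "seen": T0 - timedelta(hours=2)},
    {"msisdn": "+15550101", "imsi": "001010000000003", "iccid": "8900000000000000003", "seen": T0 - timedelta(days=200)},
]
RESET_LOG = [{"user": "bob", "time": T0 - timedelta(minutes=m)} for m in (1, 4, 9)]
KNOWN_DEVICES = {"alice": {"dev-a1"}, "bob": {"dev-b1"}, "carol": {"dev-c1"}}
```

A recent SIM change is treated as disqualifying for the SMS channel on its own, because a known device and a normal request rate say nothing about who now receives the text message.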
Defend against SIM-swapping with phishing-resistant 2FA/MFA
As threat actors continue to evolve their tactics, SIM-swapping has emerged as a particularly effective way to bypass traditional defenses. If your organization is still relying on SMS-based two-factor (2FA) authentication, you’re exposing users to a critical vulnerability that can be exploited with a single phone call and some well-crafted social engineering. The solution isn’t to abandon multi-factor authentication—it’s to make it phishing-resistant.
That’s where tools like Specops Secure Access come into play. They can replace or augment SMS one-time passcodes with app-based push notifications (where the user must explicitly approve a login on a registered device) that don’t rely on the telephone network at all. Since there’s no SMS channel to hijack, a SIM-swap gives attackers no way to intercept or replay the second factor.
Pair that with Specops Password Policy, and you’re solving the second half of the equation: enforcing strong, unique passwords that aren’t easily guessed or previously compromised. Together, these solutions drastically reduce your exposure to SIM-swap attacks by eliminating the weakest links in your authentication chain.
Treat SIM-swap risk not just as a user-level issue, but as a strategic IAM concern. Upgrading to phishing-resistant MFA and enforcing strong password hygiene aren’t just best practices – they’re essential for defending against social engineering attacks. If you haven’t already, it’s time to evaluate your current controls and see where Specops can help raise the bar. Speak to a Specops expert today.