SIM-swapping explained
How hackers pull off the scary SIM-swapping scam
Last week, while I was discussing multi-factor authentication (MFA), I told you I wouldn’t use SMS as a second layer of protection, since it’s susceptible to so-called SIM-swapping attacks.
Now, I want to delve a little deeper into this topic, explain how the attack works and show you a few examples of a successful attack.
The premise is that you’re using your phone number as a second layer of security. After providing the correct password during login, the service will send a separate code, valid for only a few minutes, via SMS. Only after entering that code are you allowed into the account.
In theory, it’s a great solution, since it makes the hackers’ job that much more difficult:
They need to have your login credentials
They need to have your phone number
They need access to your mobile device
Here’s how they can still make the hack a success:
Login credentials and phone numbers leak all the time. Organizations harvest your data constantly (you often hand it over during registration) and then keep it in an unprotected, misconfigured cloud database, available to anyone who knows where to look.
Just look at these examples:
Criminals can then buy this information on the dark web and build a full profile of you: your name, your phone number, email address, postal address, LinkedIn and other social accounts, and so on.
The third step is the tricky one - they need to convince your phone carrier to transfer your SIM card to another device.
It sounds like a stretch, but it really isn’t. Many telcos allow this to be done online, provided you share copies of your ID card (which, again, can often be found online). I’ve seen examples of telco employees being bribed into swapping the SIM card, too.
Here are a few examples of successful SIM-swap scams:
After that, they can log into your accounts and perform even the most sensitive actions - make purchases, wire money, change passwords, and more.
The good news is that, if you react in time, you might be able to stop the transaction and get your money back. But this is not guaranteed, and your business might still suffer.
Honestly, this is a completely unnecessary risk. Just don’t use SMS for multi-factor authentication. Either use a mobile app (Google Authenticator is a great choice, I suppose) or a physical device. I would recommend a physical device, since your phone can also be infected with infostealing malware that grabs these codes as well.
There are a few great options, such as YubiKey, Google’s Titan, or Thetis.
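To make the difference between the two second factors concrete, here is an added example in Python (not part of the original post) that models a carrier's number-to-device routing with constructed names and a constructed phone number, and compares the SMS code flow from the premise above with an authenticator-app code (RFC 6238 TOTP, the scheme apps like Google Authenticator use). The SIM swap is modelled simply as the carrier re-pointing the number at a different device.

```python
import hashlib
import hmac
import secrets
import struct
import time

def deliver_sms(routing, inboxes, number, text):
    """Carrier model (constructed): the text lands on whichever device the number maps to."""
    inboxes.setdefault(routing[number], []).append(text)

def sms_otp_send(routing, inboxes, number, now, ttl=300):
    """SMS second factor: the server trusts the phone number to reach the account owner."""
    code = f"{secrets.randbelow(10**6):06d}"
    deliver_sms(routing, inboxes, number, code)
    return {"code": code, "expires": now + ttl}

def sms_otp_verify(challenge, submitted, now):
    return now < challenge["expires"] and hmac.compare_digest(challenge["code"], submitted)

def totp(secret, t, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): derived from a device-enrolled secret and the clock only."""
    mac = hmac.new(secret, struct.pack(">Q", int(t) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10**digits
    return f"{code:0{digits}d}"

def totp_verify(secret, submitted, t, step=30, window=1):
    """Accept the neighbouring time steps too, to tolerate small clock drift."""
    return any(hmac.compare_digest(totp(secret, t + k * step), submitted)
               for k in range(-window, window + 1))

def sim_swap_outcome(now=None):
    """After the carrier moves the victim's number to another device, which factor still holds?"""
    now = time.time() if now is None else now
    routing = {"+15550100": "victim-phone"}   # constructed number and device names
    inboxes = {}
    device_secret = secrets.token_bytes(20)   # lives only inside the enrolled authenticator app
    routing["+15550100"] = "attacker-phone"   # the swap: the number now rings elsewhere
    chal = sms_otp_send(routing, inboxes, "+15550100", now)
    delivered = inboxes.get("attacker-phone", [])
    return {
        "sms_factor_passes_for_number_holder": bool(delivered) and sms_otp_verify(chal, delivered[-1], now),
        "totp_factor_passes_for_enrolled_device": totp_verify(device_secret, totp(device_secret, now), now),
        "messages_the_carrier_handled": len(delivered),  # 1: the SMS code; the TOTP flow sent nothing
    }
```

The SMS factor is only as strong as the carrier's routing table, whereas the app code never travels over the phone network at all; the TOTP function checks out against the RFC 4226/6238 test vector (secret `12345678901234567890`, time 59 gives 287082).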
Until next time, stay safe!
Sead from SmallBiz CyberWiz