Hijacked by a Text: Understanding and Preventing SIM Swapping Attacks

Written by Emma Stevens
Threat Intelligence Researcher

SIM swapping is not a novel cyber threat; it has been a persistent issue for over a decade. This technique exploits vulnerabilities in mobile carrier procedures and identity verification protocols. Attackers employ social engineering tactics to deceive telecom providers into transferring a victim’s phone number to a SIM card under their control. This breach grants them access to calls, texts, and crucially, SMS-based two-factor authentication (2FA) codes, often the final barrier protecting sensitive accounts.

The ramifications are significant: unauthorized access to financial accounts, corporate emails, and other high-value systems. A prominent example is the 2019 SIM swap attack on Twitter’s then-CEO Jack Dorsey, where hackers took over his account by exploiting this very vulnerability.

According to the FBI’s Internet Crime Complaint Center (IC3), SIM swapping incidents have seen a dramatic rise. In 2021 alone, the IC3 received 1,611 complaints related to SIM swapping, with adjusted losses exceeding $68 million.

This threat extends beyond individual targets. Third-party vendors and partners are equally susceptible, potentially exposing organizations to cascading risks. A single compromised account can serve as a gateway for broader intrusions, including data breaches, ransomware attacks, or extortion attempts.

What is SIM swapping?

SIM swapping, also known as SIM hijacking, is a type of identity theft in which attackers deceive or bribe mobile carriers into transferring a victim's phone number to a SIM card they control. This gives the attacker the ability to intercept calls, text messages, one-time passcodes, and other multi-factor authentication (MFA) methods, which in turn allows them to gain unauthorized access to the victim's accounts.

How SIM swapping works and TTPs

Information gathering: Attackers first collect personal details about the target, such as full name, phone number, address, Social Security number, or account credentials, often through phishing, data breaches, or social media. Then they may carry out the attack through a variety of techniques, such as:

  1. Social engineering: Using the gathered information, the attacker contacts the victim’s mobile carrier, posing as the victim and requesting a SIM card replacement.
  2. Carrier manipulation: The attacker convinces the telecom provider, through deception or by exploiting weak verification processes, to activate a new SIM card under the victim’s number.
  3. SIM activation: Once the carrier transfers the number, the attacker’s SIM receives all incoming calls and texts, including one-time passcodes (OTP) and MFA codes.
  4. Account takeover: With control of the victim’s phone number, the attacker resets passwords for email, banking, and other sensitive accounts by intercepting OTPs.
  5. Data exploitation or theft: The attacker uses the access to steal PII, commit fraud, drain financial accounts, or demand ransom—often locking the victim out of their own services.

Why is SIM swapping dangerous? 

Once inside a victim’s accounts, threat actors commonly change account passwords to maintain persistent access and lock out the legitimate user. With control over these accounts, attackers can access sensitive data such as financial information, social media profiles, emails, and other personal content. This access enables them to impersonate the victim, facilitating the theft of personally identifiable information (PII) and financial assets. High-profile accounts are often targeted to increase leverage, allowing attackers to demand ransoms or engage in extortion by threatening to disclose stolen data or disrupt operations.

  • Account takeover: Attackers often change passwords to lock out the legitimate user and maintain long-term access.
  • Sensitive data exposure: Gained access allows threat actors to view and exfiltrate financial records, emails, social media content, and other personal or corporate data.
  • Identity theft: Control over accounts enables impersonation, leading to the theft of personally identifiable information (PII).
  • Financial fraud: Attackers can directly steal money or exploit financial accounts under the victim’s identity.
  • Reputational damage: Compromised accounts, especially high-profile ones, can be used to post malicious content or damage public trust.
  • Ransom and extortion: Cybercriminals may demand payment in exchange for not releasing stolen data or halting further disruption.
  • Operational disruption: Especially in business contexts, a hijacked account can interfere with workflows, communications, and service availability.
  • Identity theft: Attackers can pose as the victim and use this to gain the trust of unsuspecting individuals for social engineering tactics or to steal data.

Who does SIM swapping affect? 

Threat actors who leverage SIM swapping frequently target telecommunications companies due to their privileged access to vast amounts of personally identifiable information (PII) and their role in managing mobile services. In our State of the Underground 2025 report, Bitsight TRACE identified the telecommunications industry as one of the most targeted industries for critical vulnerabilities. By compromising telecom infrastructure or personnel, attackers can reassign phone numbers to SIM cards they control, bypassing multi-factor authentication and gaining unauthorized access to victims' accounts.

The range of SIM swapping targets is broad, including executives, cryptocurrency holders, public figures, social media influencers, and even everyday individuals. No one is immune, as attackers seek financial gain, personal data, or leverage for extortion across all levels of digital exposure.

Which threat actors leverage SIM swapping?

Scattered Spider (aka Octo Tempest), first observed in 2022, is a threat actor group known for targeting mobile telecommunications providers and business process outsourcing (BPO) organizations to facilitate SIM swapping attacks. Their operations involve a combination of SMS phishing, sophisticated social engineering tactics, and adversary-in-the-middle (AiTM) techniques to intercept authentication data and hijack user sessions.

Another notable actor, Kiberphant0m, a 20-year-old U.S. Army soldier, has been linked to the advertisement of SIM-swapping services specifically aimed at Verizon Push-To-Talk (PTT) customers. Their targets have included high-value individuals such as U.S. government agency personnel and emergency responders, highlighting the elevated risk SIM swapping poses to critical infrastructure and public safety operations.

How do you know if you’re being SIM swapped?

SIM swapping attacks often happen without warning. If you know what to look for, you can catch them early and take action before significant damage occurs. Below are common red flags that may signal your phone number has been hijacked. If you notice any of these symptoms, act immediately to secure your accounts and contact your mobile provider.

  • Sudden loss of cellular service: You unexpectedly lose signal (no bars, “no service,” or “emergency calls only”) while in a known coverage area. This is often the first sign.
  • You stop receiving texts and calls: SMS messages and phone calls suddenly stop coming through, especially 2FA codes or alerts from your bank or email provider.
  • Unusual account activity: You receive notifications of login attempts, password resets, or new device logins on your email, banking, or social media accounts.
  • Locked out of accounts: You’re unable to log in to critical accounts, and password reset links or codes are no longer coming to your device.
  • Your carrier notifies you of a SIM change: You receive a confirmation message or alert about a SIM card or account change you didn’t authorize.
  • Unauthorized charges or messages: You see charges on your mobile account or receive messages you didn’t send, often indicating someone has access.
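
For a security team, two of these red flags (a SIM change followed by password resets or new device logins) can be correlated automatically. The sketch below is an added example, not part of the original article: the event records, field names, event types and the 48-hour window are all assumptions made for illustration, and the SIM-change signal is assumed to reach the team as an event.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names and event types are hypothetical.
EVENTS = [
    {"ts": "2025-03-01T09:00:00", "user": "alice", "type": "sim_change"},
    {"ts": "2025-03-01T09:20:00", "user": "alice", "type": "password_reset", "channel": "sms"},
    {"ts": "2025-03-01T09:25:00", "user": "alice", "type": "new_device_login"},
    {"ts": "2025-03-01T10:00:00", "user": "bob", "type": "password_reset", "channel": "sms"},
    {"ts": "2025-02-20T08:00:00", "user": "carol", "type": "sim_change"},
    {"ts": "2025-03-01T11:00:00", "user": "carol", "type": "password_reset", "channel": "sms"},
    {"ts": "2025-03-01T12:00:00", "user": "dave", "type": "sim_change"},
    {"ts": "2025-03-01T12:10:00", "user": "dave", "type": "password_reset", "channel": "totp"},
]

# Account events that matter when they follow a SIM change.
RISKY = {"password_reset", "new_device_login"}
# Verification channels that depend on who holds the phone number.
PHONE_BOUND = {"sms", "voice"}


def correlate(events, window=timedelta(hours=48)):
    """Return {user: [risky event types]} seen within `window` after a SIM change."""
    last_swap = {}   # user -> time of most recent SIM change
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["type"] == "sim_change":
            last_swap[user] = ts
            continue
        swap = last_swap.get(user)
        if swap is None or ts - swap > window or ev["type"] not in RISKY:
            continue
        # A reset verified by a non-phone factor is not exposed to the swapped number.
        channel = ev.get("channel")
        if channel is not None and channel not in PHONE_BOUND:
            continue
        alerts.setdefault(user, []).append(ev["type"])
    return alerts


if __name__ == "__main__":
    print(correlate(EVENTS))
```

Only alice is flagged: bob has no SIM change, carol's SIM change falls outside the window, and dave's reset was verified with an authenticator code rather than the phone number.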

How to prevent SIM swapping

To mitigate the risks associated with SIM swapping, organizations should take a multi-faceted approach. One key step is to enhance carrier security protocols by collaborating with mobile service providers to strengthen identity verification processes and reduce the likelihood of unauthorized SIM swaps. Additionally, it is important to promote the use of authentication apps over SMS-based two-factor authentication (2FA), as these apps are less susceptible to interception via SIM swapping.

Employee training plays a critical role as well; regular education on how to recognize and respond to social engineering tactics can significantly reduce the risk of compromise. Finally, organizations must remain compliant with evolving regulations, such as the FCC’s new rules designed to combat SIM swapping, to ensure legal alignment and reinforce their overall security posture.

Stronger authentication mechanisms

(Something You Have, Something You Know, Something You Are):

  • Physical security keys: Hardware-based authentication (e.g., YubiKeys, RSA Tokens) that cannot be intercepted remotely like SMS codes.
  • Biometric passkeys: Use of fingerprints or facial recognition to authenticate users securely.
  • Voice recognition passkeys: Adds an extra layer by using voice biometrics, especially useful in call-based verifications.

Multi-factor authentication (MFA)

  • Enable different types of MFA: Move away from SMS-based MFA to app-based (e.g., Google Authenticator) or push notification-based solutions for more secure authentication.

User education and awareness

  • Phishing and social engineering awareness training: Educates users on how to recognize and avoid scams that lead to SIM swapping or credential compromise.

 
