SIM Swapping

SIM swapping is moving from fringe threat to boardroom concern. In the U.K., nearly 3,000 SIM swap cases were reported in 2024, a 1,055% surge from just 289 incidents the previous year. The attacks are pervasive in the U.S. as well: the FBI’s 2023 Internet Crime Report attributes nearly $50 million in losses to SIM swapping. The rise in cases shows why leadership teams must treat mobile-account takeover as a critical piece of their cybersecurity defences rather than a consumer problem.


What Is SIM Swapping?

SIM swapping—also called SIM hijacking or port-out fraud—is an account-takeover technique that redirects a victim’s mobile service to a SIM card under the attacker’s control. A subscriber identity module (SIM) holds the subscriber identity and the authentication key the carrier’s network uses to tie a phone number to voice, SMS, and data services. When criminals convince a carrier to provision those credentials onto a new SIM (physical or eSIM), the network starts routing the number to the attacker’s handset. The victim’s phone simply drops off the network; nobody needs to touch it.

Threat actors typically social-engineer customer-support staff or exploit weak self-service portals. They present stolen PII, forged IDs, or deepfake audio and video to pass identity checks, then request a “replacement SIM”, a remotely issued eSIM profile, or a “number port”. Once the swap is complete, calls and SMS-based multifactor authentication codes flow to the attacker’s handset. That single capability lets them reset cloud and email passwords, drain bank accounts, or bypass corporate VPNs that rely on one-time passcodes sent by text.

Carriers have safeguards such as port-out validation, number locks, and account-level PINs, yet gaps remain: a PIN is only as strong as the agent who is supposed to insist on it. Business leaders should view SIM swapping as an enterprise risk because many employees still use SMS for multifactor authentication (MFA) and, just as importantly, for account recovery. Understanding the tactic is the first step toward controls that keep critical communications—and credentials—in the right hands.

How SIM Swap Attacks Work

SIM swap attacks follow a predictable playbook that exploits both digital vulnerabilities and human psychology. The success of these attacks hinges on the attacker’s ability to manipulate carrier employees or exploit weak verification processes at telecommunications companies.

  1. Reconnaissance and data gathering: Attackers begin by collecting personal information about their target through social media profiles, data breaches, or phishing campaigns. Details like full names, addresses, phone numbers, and account security questions are used to convincingly impersonate the victim during carrier interactions.
  2. Social engineering the carrier: Armed with personal data, criminals contact the mobile carrier’s customer service or visit retail locations to request a SIM transfer. They exploit human error by presenting themselves as distressed customers who have “lost their phone” or need an “emergency replacement”, often targeting newer employees or high-pressure situations where shortcuts in verification occur.
  3. Executing the swap or port-out request: Once they’ve gained the representative’s trust, attackers request that the victim’s number be moved to a new SIM or eSIM in their possession (a SIM swap within the same carrier) or transferred to an account at another carrier (a port-out). Some criminals recruit or bribe carrier employees as inside accomplices, bypassing the verification steps entirely through privileged access to customer accounts.
  4. Account takeover and exploitation: With control of the victim’s phone number, attackers intercept SMS-based two-factor authentication codes and password reset links. This access allows them to systematically compromise email accounts, banking apps, cryptocurrency wallets, and corporate systems that rely on phone-based verification.

The technique is narrower than general phishing, and it is worth being precise about what it does and does not require. “This technique compromises SMS-based MFA by transferring the target’s phone number to the attacker,” says Matthew Gardiner, Product Marketing Manager at Proofpoint. “To accomplish this, the threat actor needs to socially engineer the mobile carrier or have an insider at the organisation.”

Real-World Examples of SIM Swapping

SIM swapping has evolved from targeting individual consumers to disrupting major corporations and government agencies. These high-profile incidents demonstrate how attackers exploit mobile carrier vulnerabilities to cause financial havoc and institutional damage.

The SEC X Account Hack (January 2024)

In January 2024, hackers executed a SIM swap attack against the phone number associated with the U.S. Securities and Exchange Commission’s X account, @SECgov, and used it to reset the account’s password. They then posted a fake announcement that spot Bitcoin ETFs had been approved, briefly moving the Bitcoin price. The SEC later confirmed that multifactor authentication on the account had been disabled months earlier and was not re-enabled until after the incident, so a phone-number-based password reset was enough to take it over. Eric Council Jr., an Alabama man, later pleaded guilty to his role in the attack and received a 14-month prison sentence.

The incident demonstrated how SIM swapping can manipulate financial markets and damage institutional credibility. Two controls would have stopped it: enforcing phishing-resistant, hardware-based MFA on the account, and removing the phone number as a password-recovery path, since a recovery path that terminates at a phone number is an SMS factor by another name. The breach also highlighted how government agencies remain vulnerable to the same social engineering tactics used against individual consumers.

T-Mobile’s $33 Million Cryptocurrency Loss (2025)

In March 2025, a California arbitrator ordered T-Mobile to pay $33 million after a SIM swap attack enabled thieves to steal approximately $38 million in cryptocurrency from a customer’s wallet. The attackers bypassed T-Mobile’s “NOPORT” security flag by convincing a call centre agent to issue a remote eSIM QR code, despite the victim having “extra security” measures on the account. The case is one of the largest financial awards against a carrier for SIM swap negligence.

An arbitration award does not bind other courts, but the size of this one signals the liability carriers now face for SIM swap failures. The attack could have been prevented by honouring the NOPORT flag without an agent override, requiring supervisor approval for any SIM or eSIM change on a flagged account, and replacing knowledge-based authentication with cryptographic verification of the customer. The case demonstrates how a single weak verification step can lead to multi-million-dollar losses and legal consequences.

Why SIM Swapping Matters to Businesses

Corporate account takeovers through SIM swapping are a critical threat multiplier that can cascade across entire organisations. When attackers target employees or executives, they gain access to corporate email accounts, cloud applications, and internal systems that rely on SMS-based authentication. A single compromised executive’s phone number can provide attackers with the keys to financial systems, customer databases, and strategic communications.

Remote workers face acute risks because many organisations still rely on SMS-based multifactor authentication for VPN access and cloud productivity tools. Distributed workforces often use personal devices for business purposes, creating attack vectors that bypass traditional network security controls. When a remote employee becomes a SIM swap victim, the attacker can log in to corporate systems from anywhere in the world without ever touching company-owned hardware.

SIM swapping also serves as an enabler for sophisticated business email compromise (BEC) attacks. Criminals use hijacked phone numbers to reset executive email passwords, then launch invoice fraud schemes or authorise fraudulent wire transfers using legitimate corporate accounts. The FBI’s Internet Crime Complaint Center (IC3) reported that BEC cost global organisations nearly $55.5 billion over the course of a decade, accounting for 305,000 incidents.

The threat extends beyond immediate financial damage to include long-term identity theft and regulatory compliance failures. Attackers who control executive phone numbers can access personal and corporate tax documents, healthcare records, and sensitive client information stored in cloud applications. Organisations in regulated industries face potential fines and legal liability when employee SIM swaps lead to data breaches or privacy violations that could have been prevented through stronger authentication protocols.

How to Prevent SIM Swapping

Preventing SIM swapping requires a layered security approach that combines technical controls with human awareness. No single solution provides complete protection against determined attackers, but organisations can significantly reduce their risk through strategic authentication choices and proactive security measures. The key lies in eliminating SMS dependencies while building a culture of security awareness across all levels of the organisation.

  • Eliminate SMS-based two-factor authentication wherever possible: Replace SMS-based 2FA with app-based authenticators like Microsoft Authenticator, Google Authenticator, or Authy that generate time-based codes locally on the device. These applications don’t rely on the cellular network, so they keep working even when an attacker controls your phone number. Two caveats: app-based codes can still be phished through a proxy site, and if the phone number remains an account-recovery option the attacker simply resets the password instead. Remove the number from recovery paths as well.
  • Deploy hardware-based MFA tokens: Implement hardware security keys such as YubiKeys or similar FIDO2-compliant devices for high-value accounts and privileged users. A FIDO2 credential is bound to the device and to the site origin, so it cannot be intercepted, phished, or re-routed through a SIM swap; this is the strongest available protection against account takeover.
  • Enable carrier-level SIM protections and account PINs: Contact your mobile carrier to add a SIM lock, port freeze, or account-level PIN that requires additional verification before any number transfer. Ask explicitly whether the lock also covers eSIM issuance, since a remotely issued eSIM profile is a separate path from a physical SIM swap. Request that representatives document these measures and require supervisor approval for any SIM-related change to high-risk accounts.
  • Implement comprehensive security awareness training programmes: Educate employees about social engineering tactics used in SIM swap attacks and establish clear protocols for verifying identity during account support interactions. Regular training helps staff recognise manipulation attempts and creates a security-conscious workforce that serves as a human firewall against these attacks.
  • Monitor accounts for unauthorised changes and suspicious activity: Set up alerts for password resets, new device logins, and changes to authentication methods across all critical business applications. Early detection of account compromise can limit damage and provide forensic evidence for incident response teams.
  • Create backup communication channels for executives: Establish alternative contact methods for senior leadership that don’t rely on primary phone numbers, such as secure messaging apps or dedicated landlines. These backup channels ensure business continuity when primary mobile numbers become compromised during attacks.
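The monitoring item above is easier to act on with a concrete rule. The script below is an added example, not Proofpoint code or any vendor’s product: it runs over identity-provider audit events and flags the sequence that follows a successful SIM swap, an SMS-delivered password reset or new-device SMS login followed within a short window by a change to the account’s MFA or recovery settings. The event field names and the sample records are constructed for illustration and do not follow any real provider’s schema.

```python
"""Detect a SIM-swap-driven account takeover pattern in identity-provider audit logs.

Added example (not Proofpoint code). Event shape and field names are assumptions that
mirror what most identity providers emit; map them to your own provider's schema.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Changes an attacker makes right after the takeover to lock the real owner out.
CHANGE_EVENTS = {"mfa_method_changed", "mfa_method_added",
                 "recovery_phone_changed", "recovery_email_changed"}
RANK = {"medium": 1, "high": 2}

# Constructed sample audit events (illustrative, not real logs).
SAMPLE_EVENTS = [
    # Ordinary SMS login from a known device, nothing after it: should not alert.
    {"ts": "2025-03-01T08:59:10Z", "user": "alice@example.com", "type": "login_success",
     "factor": "sms_otp", "device": "known"},
    # Executive: SMS-delivered reset, new-device login, then MFA rebound to a new phone.
    {"ts": "2025-03-01T09:02:00Z", "user": "cfo@example.com", "type": "password_reset_completed",
     "channel": "sms"},
    {"ts": "2025-03-01T09:04:30Z", "user": "cfo@example.com", "type": "login_success",
     "factor": "sms_otp", "device": "new"},
    {"ts": "2025-03-01T09:06:05Z", "user": "cfo@example.com", "type": "mfa_method_changed",
     "detail": "phone number replaced"},
    {"ts": "2025-03-01T09:07:00Z", "user": "cfo@example.com", "type": "recovery_email_changed",
     "detail": "recovery email replaced"},
    # Same two steps two days apart: outside the window, so no alert.
    {"ts": "2025-03-01T10:00:00Z", "user": "bob@example.com", "type": "password_reset_completed",
     "channel": "sms"},
    {"ts": "2025-03-03T10:00:00Z", "user": "bob@example.com", "type": "mfa_method_changed",
     "detail": "phone number replaced"},
]


@dataclass
class Alert:
    user: str
    severity: str
    evidence: list = field(default_factory=list)


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def trigger_severity(event):
    """Classify an event that can only happen once the attacker controls the number."""
    if event["type"] == "password_reset_completed" and event.get("channel") == "sms":
        return "high"      # password reset delivered by text: the SEC-style takeover
    if (event["type"] == "login_success" and event.get("factor") == "sms_otp"
            and event.get("device") == "new"):
        return "medium"    # SMS second factor accepted on a device never seen before
    return None


def detect_sim_swap_takeover(events, window_minutes=60):
    """Return {user: Alert} for every user whose MFA/recovery settings changed within
    `window_minutes` of an SMS-based reset or new-device SMS login."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        triggers = []  # (time, severity, event) seen so far for this user
        for e in evs:
            t = parse_ts(e["ts"])
            sev = trigger_severity(e)
            if sev:
                triggers.append((t, sev, e))
                continue
            if e["type"] not in CHANGE_EVENTS:
                continue
            recent = [tr for tr in triggers if t - tr[0] <= window]
            if not recent:
                continue
            best = max(recent, key=lambda tr: RANK[tr[1]])
            alert = alerts.setdefault(user, Alert(user=user, severity=best[1]))
            if RANK[best[1]] > RANK[alert.severity]:
                alert.severity = best[1]
            alert.evidence.append(
                f"{best[2]['ts']} {best[2]['type']} -> {e['ts']} {e['type']}")
    return alerts


if __name__ == "__main__":
    for a in detect_sim_swap_takeover(SAMPLE_EVENTS).values():
        print(a.user, a.severity, *a.evidence, sep="\n  ")
```

Run against the constructed sample, only the CFO account produces an alert, at high severity, with both post-takeover changes listed as evidence; the window matters, because the same two steps for the second user two days apart are almost certainly a legitimate user. In a real deployment the high-severity branch should disable the session and route to the incident response protocol rather than just log.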

Remember that determined attackers continuously evolve their techniques to bypass security measures. Removing the phone number from every authentication and recovery path is the single control that takes SIM swapping off the table; human vigilance and regular security assessments close the gaps that remain.

Beyond Tech: A Human-Centric Approach to SIM Swap Defence

Technology alone cannot solve the SIM swapping problem because these attacks fundamentally exploit human psychology and organisational weaknesses. Building effective defences requires organisations to invest equally in human awareness and technical controls.

  • Implement security awareness training that specifically addresses SIM swapping attacks: Conduct quarterly training sessions that teach employees to recognise the warning signs of social engineering attempts, including unexpected account verification calls and urgent requests for sensitive information from purported carrier representatives.
  • Train staff to identify and report social engineering tactics used in SIM swap attacks: Educate employees about common manipulation techniques such as impersonation, urgency creation, and authority exploitation that attackers use to bypass security protocols at telecommunications companies and within organisations.
  • Foster a culture of accountability where cybersecurity becomes everyone’s responsibility: Establish clear security policies that make all employees stakeholders in protecting organisational assets, with regular communication from leadership about security priorities and recognition programmes for proactive security behaviours.
  • Create incident response protocols that address mobile account compromises: Develop clear procedures for employees to follow when they suspect their phone numbers have been compromised, including immediate notification channels and steps to secure linked accounts before further damage occurs.
  • Establish executive security programmes that protect high-value targets: Implement enhanced security measures for C-suite executives and other high-risk personnel, including dedicated security liaisons and regular threat briefings that address emerging attack techniques.
  • Conduct regular security assessments that evaluate technical and human vulnerabilities: Schedule periodic red team exercises that test employee responses to social engineering attempts and assess the effectiveness of current security awareness programmes.
  • Build cross-functional security teams that include HR, IT, and communications: Create collaborative security committees that can address the human elements of cybersecurity, ensuring that security awareness is integrated into hiring, onboarding, and ongoing employee development processes.

The most effective SIM swap defences combine robust technical controls with security-conscious employees who understand their role in protecting organisational assets. Human vigilance serves as the crucial last line of defence when technical safeguards fail or when attackers find new ways to exploit system vulnerabilities.

Final Thoughts: A SIM Card Shouldn’t Be Your Weakest Link

SIM swapping attacks succeed because they exploit the intersection of weak technical controls and human psychology. Attackers don’t need sophisticated hacking skills to drain bank accounts or breach corporate networks—they just need to convince one carrier employee to transfer a phone number. The simplicity of these attacks makes them particularly dangerous for organisations that rely on SMS-based authentication for critical business systems.

The good news is that SIM swapping is largely preventable through proactive security measures. Organisations that eliminate SMS-based two-factor authentication and phone-based account recovery, implement hardware security keys, and invest in security awareness training can effectively neutralise this threat. The key lies in recognising that mobile security is no longer a peripheral concern but a core component of enterprise cybersecurity strategy.

Now is the time to audit your current MFA policies and employee training programmes. Ask yourself: Are your executives still using SMS codes to access cloud applications? Do your employees know how to recognise social engineering attempts targeting their mobile accounts? The answers to these questions will determine whether your SIM cards remain a vulnerability or become part of your security foundation.
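The audit those questions call for can be automated against an MFA export from your identity provider. The script below is an added example, not Proofpoint code: it takes one record per user listing registered second factors and recovery channels, and ranks each user’s SIM-swap exposure. The export format, the factor names and the sample users are assumptions constructed for illustration; the rule that matters is that a phone-number recovery channel counts as an SMS factor even when the login factor itself is an app or a key.

```python
"""Rank SIM-swap exposure from an identity-provider MFA export.

Added example (not Proofpoint code). The record layout and factor names are assumptions;
adapt them to the export your identity provider actually produces.
"""

PHISHING_RESISTANT = {"fido2", "passkey"}   # origin-bound: immune to SIM swap and phishing
PHONE_FACTORS = {"sms", "voice"}            # delivered through the carrier: SIM-swappable
PHONE_RECOVERY = {"phone"}                  # a phone-number reset path re-opens the hole

# Constructed sample export (illustrative, not real users).
SAMPLE_USERS = [
    {"user": "cfo@example.com", "privileged": True, "factors": ["sms"],
     "recovery": ["phone", "email"]},
    {"user": "it-admin@example.com", "privileged": True, "factors": ["totp"],
     "recovery": ["email"]},
    {"user": "alice@example.com", "privileged": False, "factors": ["totp", "sms"],
     "recovery": ["email"]},
    {"user": "bob@example.com", "privileged": False, "factors": ["totp"],
     "recovery": ["phone"]},
    {"user": "carol@example.com", "privileged": False, "factors": ["fido2"],
     "recovery": ["email"]},
]


def assess_user(record):
    """Return (severity, reason) for one user, or (None, None) if no phone path exists
    and the account already meets the bar for its privilege level."""
    factors = set(record["factors"])
    recovery = set(record["recovery"])
    # Every way an attacker holding the phone number can get in, factor or reset.
    phone_paths = (factors & PHONE_FACTORS) | (recovery & PHONE_RECOVERY)
    resistant = bool(factors & PHISHING_RESISTANT)
    sms_only = bool(factors) and factors <= PHONE_FACTORS

    if record["privileged"] and phone_paths:
        return "critical", ("privileged account reachable through a phone number: "
                            + ", ".join(sorted(phone_paths)))
    if sms_only:
        return "high", "SMS/voice is the only second factor"
    if record["privileged"] and not resistant:
        return "high", "privileged account without a phishing-resistant factor"
    if phone_paths:
        return "medium", ("phone-number fallback still present: "
                          + ", ".join(sorted(phone_paths)))
    return None, None


def audit(records):
    """Findings sorted critical -> high -> medium, then by user."""
    order = {"critical": 0, "high": 1, "medium": 2}
    findings = []
    for r in records:
        severity, reason = assess_user(r)
        if severity:
            findings.append({"user": r["user"], "severity": severity, "reason": reason})
    findings.sort(key=lambda f: (order[f["severity"]], f["user"]))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_USERS):
        print(f"{f['severity']:8} {f['user']:24} {f['reason']}")
```

On the constructed sample the CFO is critical (SMS factor and phone recovery on a privileged account), the administrator is high despite using an authenticator app because nothing phishing-resistant is registered, and the two ordinary users with a leftover SMS factor or phone recovery channel are medium. That last tier is the one audits usually miss: the user “moved to an app”, but the number still resets the password.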

How Proofpoint Can Help

At Proofpoint, our comprehensive security platform addresses the human-centric vulnerabilities that enable SIM swapping attacks through advanced threat detection and security awareness solutions. Our integrated approach combines real-time threat intelligence with employee training programmes that help organisations recognise and respond to social engineering attempts before they escalate into account takeovers. By focusing on both the technical and human elements of cybersecurity, we empower businesses to build resilient defences against SIM swapping and other sophisticated social engineering attacks that target the weakest link in any security chain—people. Contact us to learn more.
