SIM Swap, Account Takeover & Identity Exploitation
Your phone number is the master key to most of your accounts. One call to your carrier is sometimes all it takes to hand that key to someone else.
The Night Everything Stopped
Karan was asleep when his phone lost signal.
Not unusual. He assumed a network issue and went back to sleep.
By morning, he had received 140 email notifications. His Gmail password had been reset. His banking app was locked. His crypto wallet had been emptied - $34,000 gone.
His phone number had been stolen at 2:47 AM.
An attacker had called his mobile carrier, pretended to be Karan, and requested a SIM transfer to a new card. The customer service agent asked three security questions. The attacker answered all three correctly - the answers were in Karan's public social media posts.
Once the SIM transferred, every SMS-based verification code went to the attacker's phone. Every account that used his phone number for two-factor authentication was open.
How SIM Swap Works: The Five Steps
$68M
stolen in a single SIM swap attack against a US crypto investor in 2024.
SIM swap attacks typically target people known to hold high-value crypto or financial accounts.
Source: US Department of Justice press release, 2024Step 1: Reconnaissance. The attacker finds your phone number, carrier, and enough personal details to answer security questions. These often come from data breaches, social media, or purchased data.
Step 2: Carrier impersonation. The attacker calls your mobile carrier pretending to be you, claiming a lost or damaged phone, and requesting a SIM transfer to a new card.
Step 3: Transfer completes. Your phone loses signal. The attacker now receives all calls and SMS to your number.
Step 4: Account reset chain. Using SMS-based 2FA, the attacker resets your email password. With email access, they reset every other account linked to that email.
Step 5: Drain and lock. Bank accounts, crypto wallets, and investment accounts are emptied. Recovery options are changed to lock you out.
The 2FA Bypass: Why SMS Is the Weak Link
$48M in 2023 (US Only)
The FBI reported $48 million lost to SIM swapping in 2023, up from $72 million in 2022. Average loss per victim: $11,000.
Carrier Employee Bribery
Several documented SIM swap cases involved bribed carrier employees who performed the transfer without calling the customer at all. Your carrier's internal controls are part of your attack surface.
SMS-based 2FA is better than nothing. It is not good enough for high-value accounts.
An authenticator app (Google Authenticator, Authy) generates codes that never leave your device and cannot be intercepted by a SIM swap. A hardware security key (YubiKey) is stronger still.
Email as the Master Reset
Most people treat their email password as important. Few realise that their email account controls all their other accounts.
Every "forgot password" link goes to your email. If an attacker controls your email, they can reset every linked account systematically. The sequence typically takes under 15 minutes.
Accounts at highest risk after email takeover:
- Banking and investment apps
- Cryptocurrency exchanges
- PayPal, Apple Pay, Google Pay
- Shopping accounts with saved cards
- Work accounts (corporate email, Slack, Notion)
Protecting your email is not just about your email. It is about every account that uses it as a recovery address.
Try It: The Takeover Chain
This simulation walks you through a SIM swap attack from the victim's perspective. See how one phone number leads to a full account takeover in minutes.
Recovery When Accounts Are Fully Compromised
If you suspect a SIM swap has happened:
Within the first hour:
- Call your carrier immediately and report the fraudulent transfer
- Ask them to add a SIM lock or port freeze to your account
- Contact your bank and flag all accounts for fraud review
- Use a backup device or email to begin recovering your primary email
Within 24 hours:
- File a police report - required for most bank fraud investigations
- Contact your bank's fraud team directly, not through the app that may now be compromised
- Report to your national cybercrime authority (India: cybercrime.gov.in / 1930, US: FBI IC3, UK: Action Fraud)
Long-term:
- Switch all 2FA to an authenticator app or hardware key
- Remove your phone number as the recovery option for high-value accounts
- Request a SIM PIN from your carrier so that no SIM change can happen without it
What That Just Showed You
1. Phone signal loss in the night is an emergency, not a nuisance. If your phone loses all signal unexpectedly, check your accounts immediately from a different device.
2. Security questions are not secure. Answers to "What was your first pet's name?" or "What school did you attend?" are often on your social media or in data breaches. They are not security - they are a liability.
3. SMS-based 2FA protects against most attacks. Not this one. Use an authenticator app for your email, banking, and crypto accounts. Remove your phone number as the only recovery path.
Three Things Worth Doing
1. Set a SIM PIN with your carrier today. Most carriers allow you to set a separate PIN that must be given before any SIM change is processed. This is the most direct protection against SIM swap.
2. Switch to an authenticator app for your most important accounts. Your email and banking app should use Google Authenticator, Authy, or a similar app instead of SMS codes.
3. Review what your email address controls. Log into your email, search "password reset" or "verify your account," and list every service linked to that email. That list is what an attacker sees if they get in.
One Question Before You Continue
Your phone suddenly loses all network signal at 3 AM. When you wake up and check, you find emails saying your Gmail and banking passwords were reset overnight. What most likely happened?