SIM Swap Fraud: How It Works, Why It's Surging, and How to Stop It

Your Phone Number Is Your Weakest Link

In March 2025, a California arbitrator ordered T-Mobile to pay $33 million after a single SIM swap attack drained over $38 million in cryptocurrency from one customer. The carrier's authentication processes were so weak that a fraudster was able to port the victim's number, intercept every SMS-based security code, and empty the account, all before the victim knew anything was wrong.

This wasn't an isolated case. In the UK, SIM swap fraud surged 1,055% in a single year, from 289 reported cases in 2023 to nearly 3,000 in 2024, according to Cifas. In Australia, IDCARE reported a 240% increase in SIM swap and mobile porting cases, with 90% of incidents occurring without any interaction from the victim.

SIM swapping is no longer a niche attack. It's an industrialised fraud operation, and it's accelerating.

What Is SIM Swap Fraud?

A SIM swap attack occurs when a criminal convinces a mobile carrier to transfer a victim's phone number to a SIM card they control. Once the number is ported, the attacker receives every call and text message intended for the victim, including one-time passwords, account recovery codes, and two-factor authentication prompts.

The attack doesn't require sophisticated hacking tools. It requires personal information and a convincing phone call.

Here's how it typically works: the attacker gathers personal details about the target, name, date of birth, address, last four digits of a social security number, often sourced from data breaches or social media. They call the carrier, impersonate the victim, and request a SIM transfer. The carrier's customer service agent, working under time pressure and following a scripted verification process, approves the swap. The victim's phone drops to "No Service." The attacker now controls the number.

96% of SIM swap cases involve social engineering against carrier employees. In some cases, attackers have bribed carrier insiders directly, offering as little as $300 per fraudulent swap.

Why SIM Swapping Is Surging

Three factors are driving the explosion in SIM swap attacks.

The Data Breach Pipeline

Every SIM swap starts with stolen personal information. Over 1.7 billion credentials appeared on dark web markets in 2024, giving fraudsters the raw material they need to impersonate victims convincingly. The more data breaches occur, the easier SIM swaps become. 73% of attacks use information from prior breaches for victim impersonation.

eSIM Makes It Faster

eSIM technology allows numbers to be transferred digitally via QR code — no physical SIM card required. While eSIM is more convenient for legitimate users, it has compressed the SIM swap attack cycle to under five minutes. An attacker no longer needs to walk into a store with a fake ID. They can execute the entire swap remotely.

SMS Authentication Is Still Everywhere

42% of UK banks and 61% of crypto exchanges still use SMS as their default second factor. This means a successful SIM swap doesn't just compromise a phone number; it compromises every account protected by that number. 82% of hijacked numbers target banking 2FA codes first.

The Real Cost of SIM Swap Attacks

The FBI's IC3 recorded 982 SIM swap complaints and nearly $26 million in reported U.S. losses in 2024. But that number significantly understates the problem. Most SIM swaps get reported under broader fraud categories like investment scams, account takeover, business email compromise, rather than as SIM swaps themselves.

The downstream impact tells the real story. A 15-year-old in New York used SIM swapping to steal $24 million in Bitcoin. The FTX cryptocurrency exchange lost over $477 million in a breach that exploited a SIM swap. Marks & Spencer suffered a major breach in 2025 after attackers SIM-swapped an employee's number and used it to reset internal credentials.

Corporate SIM swap incidents average $1.2 million in damages. For individuals, the average loss is $39,000 per incident according to FBI data, and 73% of victims face an additional $5,000 or more in recovery costs.

Why Carrier-Level Fixes Aren't Enough

Carriers have responded with account PINs, transfer locks, and notification requirements. The FCC's Rule 23-95 now mandates stronger authentication and customer notifications for SIM changes. These measures help at the margins.

But they don't solve the fundamental problem: SIM swap prevention that relies on carrier-side human verification will always be vulnerable to social engineering. As long as a customer service agent can approve a port with a scripted identity check, attackers will find ways through. The $33 million T-Mobile arbitration proved this — the carrier had security processes in place, and they still failed.

The deeper issue is architectural. Every system that uses a phone number as an authentication factor inherits SIM swap risk. Adding more layers on top of the same vulnerable foundation doesn't remove the vulnerability; it just makes it more expensive to exploit.

A Different Architecture: Authentication Without the Phone Number

SLC Digital's approach eliminates SIM swap risk by removing the dependency on the phone number entirely.

Traditional SMS-based authentication works like this: a system sends a code to a phone number, and whoever controls that number receives the code. If the number has been swapped, the attacker gets the code. The phone number is the single point of failure.

SLC authenticates through the SIM's cryptographic identity, not the phone number associated with it. Authentication is signed by the physical SIM chip's secure element and transmitted through a dedicated channel via the mobile network. The phone number is irrelevant to the process.

This means:

• SIM swap attacks become meaningless. Even if an attacker successfully ports a victim's number, they gain nothing. The authentication doesn't use the number, it uses the cryptographic keys embedded in the physical SIM hardware, which cannot be ported, cloned, or transferred.

• No OTP to intercept. There is no one-time password sent over SMS. The proof of identity is generated at the hardware layer — not transmitted through a channel that can be redirected.

• No carrier dependency for security. The authentication doesn't rely on carrier-side verification processes. It doesn't matter whether a customer service agent makes an error, because the phone number isn't part of the trust chain.

• The attack surface disappears. SIM swapping works by exploiting the gap between a phone number and a person's identity. When authentication is rooted in hardware rather than a number, that gap doesn't exist.

The shift is from treating the phone number as a proxy for identity to using the SIM itself as deterministic, cryptographic proof of identity.

What This Means for Financial Services and Crypto

For banks, exchanges, and fintech platforms, SIM swap fraud creates three simultaneous problems: direct financial losses, regulatory liability, and customer trust erosion.

The T-Mobile arbitration set a precedent — carriers can now be held financially liable for weak SIM swap protections. Financial institutions that continue to rely on SMS-based authentication face the same exposure. When a customer loses funds to a SIM swap that bypassed SMS 2FA, the question regulators ask is: why were you still using SMS?

The FCC has already tightened requirements. The UK's Cifas data is forcing similar regulatory conversations in Europe. The direction is clear: SMS-based authentication is being deprecated as a primary security factor across regulated industries.

Institutions that move to hardware-rooted authentication now aren't just reducing fraud losses. They're positioning ahead of regulatory requirements that are already taking shape.

The Bottom Line

SIM swap fraud is surging because it exploits a fundamental design flaw: the assumption that controlling a phone number proves identity. It doesn't. It never did. And as eSIM technology makes swapping faster and data breaches make impersonation easier, the problem will only accelerate.

Carrier-level defences are necessary but insufficient. The only way to eliminate SIM swap risk is to remove the phone number from the authentication chain entirely.

Hardware-rooted identity authentication, where proof of identity is cryptographically bound to a physical SIM and delivered through a dedicated channel, doesn't just make SIM swapping harder. It makes it irrelevant.

The question for security teams is simple: is your authentication still anchored to a phone number?

If it is, it's anchored to a vulnerability.