CIAM.wiki

SIM Swap

A SIM swap is a fraud technique in which an attacker convinces a mobile carrier to transfer a victim's phone number to a new SIM card, allowing the attacker to intercept calls and SMS messages, including one-time passwords.

Also: SIM swapping

A SIM swap occurs when a fraudster persuades a mobile carrier to reassign a victim’s phone number to a SIM card the attacker controls. The attacker may use social engineering, bribed insiders, or fraudulent identity documents to authorize the transfer. Once the number is moved, all incoming calls and text messages, including SMS-based one-time passwords, are delivered to the attacker’s device.

With access to the victim’s phone number, the attacker can intercept authentication codes sent via SMS, reset passwords on accounts tied to that number, and bypass SMS-based multi-factor authentication. The victim typically notices only when their own device loses service.

Defenses include using phishing-resistant authentication methods such as passkeys or hardware security keys, registering for carrier-level PIN protections, and monitoring for SIM change events through carrier APIs.

For CIAM, the risk of SIM swap reinforces the case for moving customer authentication away from SMS-based one-time passwords toward stronger, phishing-resistant factors.
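
The SIM change monitoring defense above can gate whether an SMS one-time password is sent at all. The following is an added example, not code from CIAM.wiki or any carrier: the event field names, the 72-hour window, and the action names are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta, timezone
from enum import Enum

class Decision(Enum):
    ALLOW_SMS_OTP = "allow_sms_otp"
    STEP_UP = "require_phishing_resistant_factor"
    BLOCK = "block_pending_review"

# Assumed policy values (not from the page): tune to your own risk appetite.
RECENT_SWAP_WINDOW = timedelta(hours=72)
SENSITIVE_ACTIONS = {"password_reset", "change_phone_number"}

def latest_sim_change(events, phone_number):
    """Return the newest SIM change time for a number, or None if no record."""
    times = [datetime.fromisoformat(e["changed_at"])
             for e in events if e["phone_number"] == phone_number]
    return max(times, default=None)

def decide(action, sim_changed_at, lookup_ok, has_strong_factor, now):
    """Gate an SMS OTP challenge on the carrier's SIM change signal."""
    # Fail closed: a failed carrier lookup is treated like a recent swap.
    recent = (not lookup_ok) or (
        sim_changed_at is not None
        and now - sim_changed_at <= RECENT_SWAP_WINDOW)
    if recent:
        # The number may be delivering to someone else: never send a code to it.
        return Decision.STEP_UP if has_strong_factor else Decision.BLOCK
    if action in SENSITIVE_ACTIONS and has_strong_factor:
        # Prefer the passkey or security key whenever one is enrolled.
        return Decision.STEP_UP
    return Decision.ALLOW_SMS_OTP

# Constructed sample data; field names are hypothetical, not a real carrier schema.
EVENTS = [
    {"phone_number": "+15550100", "changed_at": "2024-01-10T08:00:00+00:00"},
    {"phone_number": "+15550100", "changed_at": "2024-05-01T09:30:00+00:00"},
    {"phone_number": "+15550199", "changed_at": "2023-11-02T12:00:00+00:00"},
]
NOW = datetime(2024, 5, 2, 9, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    for number in ("+15550100", "+15550199"):
        changed = latest_sim_change(EVENTS, number)
        print(number, decide("login", changed, True, False, NOW).value)
```

The fail-closed branch matters most: if the carrier lookup is unavailable, the code path that would send an SMS code is never reached.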