Skip to content
Compliance & Risk

A deep dive into the growing threat of SIM swap fraud

Kennedy Meda  Fraud Prevention Manager & SME / Deseret First Credit Union

· 7 minute read

Kennedy Meda  Fraud Prevention Manager & SME / Deseret First Credit Union

· 7 minute read

SIM swap fraud is growing at an alarming scale, highlighting the weaknesses in telecom authentication processes and the need for stronger regulatory interventions to protect customers

Key insights:

      • SIM swap fraud is a growing concern — The scale of this trend is alarming, with 1,075 SIM swap attacks investigated by the FBI in 2023, resulting in losses approaching $50 million.

      • Weak authentication processes in telecoms enable SIM swap fraud — This allows fraudsters to easily hijack phone numbers, highlighting the need for stronger authentication protocols in the telecommunications industry.

      • Regulatory intervention is necessary to protect customers — The FCC has introduced rules, such as FCC 23-95, to require telecoms to implement secure methods of authenticating customers before approving SIM changes or port-outs.

Even as cybercrime and fraud have escalated into a global crisis, one type of scheme has is seeing stunning levels of growth: SIM swap fraud. This fraud trend is specifically plaguing the telecom industry and its customers and was recently ranked as second only to synthetic identity fraud among damaging fraud schemes in the telecom industry.

SIM swap fraud

Through SIM swap fraud, fraudsters hijack victims’ phone numbers, gaining unauthorized access to sensitive accounts such as banking and cryptocurrency platforms. For example, one bank customer lost $38,000 after a fraudster deceived Xfinity Mobile into transferring the customer’s phone number and then intercepted authentication codes to drain his bank account. Likewise, in March T-Mobile had to pay a $33 million settlement involving a cryptocurrency-related SIM swap attack in 2020.

The scale of this trend is alarming. In 2023, the FBI investigated 1,075 SIM swap attacks, with losses approaching $50 million. In 2024, IDCARE reported a 240% surge in SIM swap cases, 90% of which occurred without victim interaction. These incidents highlight the need for stronger authentication protocols in the telecommunications industry to combat this growing trend.

What is SIM swap fraud?

SIM swap fraud occurs when a fraudster convinces a mobile carrier to transfer a victim’s phone number to a SIM card they control, exploiting the legitimate feature of mobile number portability. Once the swap is complete, the victim’s phone loses network connectivity, and the fraudster receives all calls and texts, including one-time passwords for account access.

SIM swap fraud is appealing to fraudsters due to its scalability, the lack of need for technical expertise, and the potential for massive payouts from a single attack, particularly when targeting high-net-worth individuals or cryptocurrency investors. Fraudsters also can increase their impact by exploiting data from large scale breaches purchased on the dark web to target multiple victims simultaneously using automated call lists or scripts and hitting numerous carrier accounts with minimal effort.

Additionally, SIM swapping requires no technical expertise, relying instead on the fraudster’s ability to manipulate carrier employees into transferring a victim’s phone number to a fraudster’s new SIM card. Using basic personal information that is often retrieved from public sources or data leaks, fraudsters can execute attacks with just a phone call or store visit, no coding or hacking skills needed. The only tools required are inexpensive prepaid SIM cards or burner phones.

Indeed, how the scheme works is relatively simple. Once, fraudsters collect personal information about their target — such as name, address, phone number, date of birth, or financial details — they use the collected information and contact the victim’s mobile carrier, posing as the account holder.

SIM swap fraud is appealing to fraudsters due to its scalability, the lack of need for technical expertise, and the potential for massive payouts from a single attack, particularly when targeting high-net-worth individuals or cryptocurrency investors.

Because mobile carriers typically verify identity using security questions, PINs, or personal details, fraudsters may be able to bypass these. And once approved on the account, the mobile carrier deactivates the victim’s SIM card and ports the phone number to the fraudster’s SIM. The victim’s phone displays “No Signal,” while the fraudster gains control of all communications.

With the phone number under their control, fraudsters can then intercept codes to reset passwords for email, banking, or cryptocurrency accounts, use password reset features that rely on phone number verification, and — most damagingly — transfer funds, make unauthorized purchases, or sell account access on the Dark Web.

Telecoms may be enabling SIM swap fraud

A 2020 Princeton University study examined the authentication processes of five major prepaid wireless carriers in the United States — AT&T, T-Mobile, TracFone, US Mobile, and Verizon — for SIM swap requests and their downstream effects on account protection. The study revealed a that 80% of first attempts at SIM swap fraud were successful. The report noted that a main reason for this success rate was that the carriers relied on weak authentication methods that fraudsters could easily bypass. While each carrier revealed distinct vulnerabilities in their SIM swap processes, none of them required in-person verification or strong multi-factor authentication, allowing fraudsters to execute remote attacks with relative ease.

The study also found that carriers prioritized usability over security, opting for simple authentication methods to streamline customer service, making it easier for fraudsters to exploit vulnerabilities. By undermining security to reduce customer friction, carriers inadvertently weakened their own defenses against SIM swap fraud.

By exposing telecom vulnerabilities and highlighting that telecoms were a weak link in the fraud ecosystem, the Princeton study led to a pivotal change within the telecom industry, sparking widespread attention and leading to lawsuits and consumer complaints. In fact, the study was cited by the U.S. Federal Communications Commission (FCC) in its efforts to create regulations to protect consumers.

Government intervention needed

On November 15, 2023, the FCC introduced rule FCC 23-95 to specifically address SIM swap fraud. Prior to the new rule, the FCC had general regulations to protect customer data, but these did not specifically target SIM swap fraud or mandate specific authentication and notification protocols that had to be followed by carriers. The lack of targeted regulations allowed inconsistent security practices across the telecom industry, which increased fraud vulnerabilities. FCC 23-95 would require telecoms to implement secure methods of authenticating customers before approving SIM changes, including the use of stronger authentication using methods such as account-specific PINs, passwords, or multi-factor authentication; and a prohibition on the use of “predictable or easily obtainable information” such as Social Security numbers or birthdates.

Customers must be immediately notified via text or email whenever a SIM change request is made. Notifications must be sent to the customer’s existing device (if available) or a secondary contact method. Also, carriers must immediately notify customers of failed authentication attempts related to SIM change requests. Further, carriers must train employees to identify fraudulent requests and implement secure processes to prevent social engineering, which is a common tactic in SIM swap fraud.

The new FCC rule established baseline requirements for fraud protection, ensuring consistency across the telecom industry while allowing telecoms the flexibility to adopt advanced tools like biometric authentication or behavioral analytics.

The new rule was set to go live July 8, 2024; however, telecommunication companies sought more time to upgrade technology and implement new employee training. Thus, the FCC has waived the deadline for all rules adopted in the FCC 23-95, and there has been no further update.

Combating the threat

To combat the rising threat of SIM swap fraud, telecom providers need to adopt strong fraud prevention procedures and tools, similar to those used by financial institutions. Implementing strict authentication protocols, such as multi-factor authentication with biometrics or app-based codes, can significantly reduce unauthorized SIM swaps. Real-time monitoring using AI-driven systems can detect anomalies such as unusual SIM swap requests or account changes from unfamiliar locations. Telecom carriers should also enhance customer verification processes, requiring strong identifiers beyond easily compromised data.

It’s also important to educate consumers about fraud risks and promptly notify them of suspicious activities, as mandated by FCC 23-95, which would allow victims to protect their devices immediately. By encrypting sensitive data, collaborating across industries to share threat intelligence, and leveraging advanced fraud detection tools, carriers can strengthen their defenses while maintaining consumer convenience.

You can find more information on the challenges organizations face in fighting financial fraud here

← Back to blog

Solutions

Thomson Reuters Risk & Fraud Solutions

Now more than ever, organizations need a risk-based, dynamic approach. With risk and fraud solutions from Thomson Reuters, you can tip the balance back towards those doing good in the world. It’s time we connected so you can have a trusted partner on your side.

Featured event

Related posts

More insights