
SIM Swap Fraud Explained: How It Works and How to Protect Yourself

SIM swap fraud lets criminals take over your mobile number, bypassing SMS security codes to access bank accounts and email. This article explains how attackers exploit operator processes and what you can do to protect yourself.

Chandraketu Tripathi
Finance Editor, Kaeltripton
Published 5 Jun 2026
Last reviewed 5 Jun 2026
✓ Fact-checked
Mobile & 5G · Fraud & Security

TL;DR

  • SIM swap fraud occurs when a criminal convinces your mobile operator to transfer your phone number to a SIM they control, cutting off your service and giving them control of your number.
  • Once in control of your number, fraudsters can intercept SMS one-time passwords used by banks and other services, enabling account takeovers.
  • Operators use identity verification protocols to prevent unauthorised swaps, but social engineering attacks exploit gaps in these processes.
  • Switching from SMS-based two-factor authentication to an authenticator app or hardware key significantly reduces your exposure.
  • If you lose all mobile signal unexpectedly, contact your operator immediately — it could indicate a swap has already occurred.

The mechanics of a SIM swap attack

A SIM swap exploits the entirely legitimate process by which operators issue a new SIM to a customer who has lost their handset or damaged their original SIM card. In the genuine version of this process, the operator verifies the customer's identity — typically by asking security questions, cross-referencing account data, or, in a branch, inspecting identity documents — and then migrates the phone number to the new SIM. All calls and texts from that moment flow to the new SIM. The old SIM goes dead.

An attacker replicates this process fraudulently. They first gather enough personal information about the target to pass the operator's identity checks — name, date of birth, address, account number, and answers to common security questions. This information is harvested from data breaches (sold on criminal forums), social media profiles, phishing emails and texts, or in some cases by bribing operator staff. Armed with this data, the attacker contacts the operator — often through a call centre, live chat, or a retail store — poses as the victim, claims their SIM is lost or damaged, and requests a swap. If the verification check is passed, the operator migrates the number. The victim's phone immediately loses all signal. The attacker's new SIM begins receiving everything addressed to that number.

What fraudsters can do with your number

The primary objective in most UK SIM swap cases is financial: gaining access to the victim's online banking. Most UK banks use SMS one-time passwords (OTPs) as a second factor in their authentication flow, both for login and for authorising transactions under the Strong Customer Authentication (SCA) requirements of the Payment Services Regulations 2017. Once the attacker controls the victim's number, they can receive these OTPs, log into the victim's banking app using credentials obtained through phishing or a data breach, and authorise outbound transfers.

Beyond banking, the attacker may reset passwords on email accounts (using an SMS recovery option), take over social media profiles, access cryptocurrency wallets, and impersonate the victim to their contacts. Recovery from a comprehensive account takeover of this kind can take days or weeks and involves significant distress and financial loss. The PSR's Authorised Push Payment (APP) fraud reimbursement framework, which came into force in October 2024, provides a mechanism for victims of certain types of authorised transfer fraud to seek reimbursement from their payment service provider, though the rules are complex and not all SIM-swap-enabled losses will automatically qualify.

How operators are supposed to prevent SIM swaps

Ofcom's published guidance requires operators to have robust processes for verifying customer identity before carrying out account changes including SIM swaps. The regulator has engaged with operators on this issue and published guidance encouraging stronger authentication, including multi-factor verification and alerts to customers when a SIM swap is requested. The GSMA has published industry guidance encouraging operators to use out-of-band notifications (for example, sending an email alert before processing a swap) and to apply heightened scrutiny to swap requests that coincide with changes to security settings.

The effectiveness of these controls varies across operators. High-street stores where staff may be socially engineered or, in rare cases, corrupted represent a particular vulnerability. Some operators have introduced a “SIM swap lock” or equivalent feature that requires the customer to verify through an app or PIN before any number transfer can be processed. Customers can enquire with their operator whether such a feature is available on their account.

| Prevention step | How it helps | Who takes this action |
|---|---|---|
| Switch from SMS OTP to an authenticator app (e.g. Google Authenticator, Microsoft Authenticator) | Codes are generated locally; a SIM swap does not intercept them | Consumer |
| Use a hardware security key for email and critical accounts | Physical key cannot be intercepted remotely | Consumer |
| Set a SIM swap lock or account PIN with your operator | Adds an extra barrier before operator processes any swap | Consumer (ask operator) |
| Avoid publishing personal details (address, DOB, answers to common security questions) on social media | Reduces data available for social engineering | Consumer |
| Use unique, strong passwords and a password manager | Limits damage if credentials are harvested separately | Consumer |
| Operator out-of-band swap alerts and heightened verification | Notifies genuine customer before or when swap is processed | Operator |

Warning signs that a SIM swap has occurred

The most immediate sign is losing all mobile signal on your handset — calls go straight to voicemail, texts do not deliver, and you have no mobile data. This happens because your number has been migrated to the attacker's SIM. If this occurs unexpectedly, particularly outside of a known network outage, contact your operator from a different device immediately. Some operators will send an email notification when a SIM swap is processed; check your email inbox from another device if you lose signal.

Other indicators may follow quickly: you might receive an email saying your banking password has been reset, or find that you cannot log in to accounts that use SMS 2FA. Banks increasingly monitor for SIM swap signals — some participate in systems such as the GSMA's SIM Swap API, which allows them to query whether a customer's SIM has recently been swapped before processing a high-value transaction. If your bank contacts you to flag unusual activity, do not dismiss the call even if it seems unexpected.
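To show how a bank might act on a SIM swap signal before releasing a payment, here is an added example; it is not code from this article, the GSMA or any bank. The operator lookup is represented by a timestamp passed in, and the thresholds, function names and event timeline are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Assumed policy values for illustration only; each bank sets its own.
SWAP_WINDOW = timedelta(hours=72)    # how long a SIM change counts as recent
RESET_WINDOW = timedelta(hours=24)   # how long a password reset counts as recent
HIGH_VALUE_GBP = 250

def decide(amount, now, last_swap, last_reset, lookup_ok=True):
    """Return 'allow_sms_otp', 'step_up' or 'hold' for one outbound payment."""
    if not lookup_ok:
        # Operator lookup failed: do not assume the SIM is unchanged.
        return "step_up" if amount >= HIGH_VALUE_GBP else "allow_sms_otp"
    swapped = last_swap is not None and now - last_swap <= SWAP_WINDOW
    if not swapped:
        return "allow_sms_otp"
    reset = last_reset is not None and now - last_reset <= RESET_WINDOW
    # After a recent swap, an SMS code may be delivered to someone else's SIM.
    if reset or amount >= HIGH_VALUE_GBP:
        return "hold"       # freeze the payment and refer it to the fraud team
    return "step_up"        # require a non-SMS factor (app or hardware key)

def review(events):
    """Replay (time, kind, value) events in order; return a decision per payment."""
    last_swap = last_reset = None
    decisions = []
    for when, kind, value in sorted(events, key=lambda e: e[0]):
        if kind == "sim_change":
            last_swap = when
        elif kind == "password_reset":
            last_reset = when
        elif kind == "payment":
            decisions.append((value, decide(value, when, last_swap, last_reset)))
    return decisions

# Constructed timeline: a normal payment, then a SIM change, a password
# reset, and two payment attempts shortly afterwards.
DAY = datetime(2026, 6, 2)
SAMPLE = [
    (DAY.replace(hour=9), "payment", 40),
    (DAY.replace(hour=14), "sim_change", None),
    (DAY.replace(hour=17, minute=30), "password_reset", None),
    (DAY.replace(hour=18), "payment", 120),
    (DAY.replace(hour=18, minute=5), "payment", 300),
]

if __name__ == "__main__":
    for amount, outcome in review(SAMPLE):
        print(f"GBP {amount}: {outcome}")
```

The low-value payment after the swap is held rather than stepped up because it follows a password reset, which is the coincidence of swap and security change that the guidance above singles out for heightened scrutiny.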

What this means in practice

Rachel, based in Leeds, receives no mobile signal on a Tuesday afternoon. She assumes it is a network issue and waits an hour. By early evening, she has also received an email stating that her bank password has been reset — a request she did not make. She borrows a friend's phone and calls her operator, who confirms a SIM swap was processed earlier that afternoon at a high-street store, using personal details Rachel had not knowingly provided to the caller. The operator reverses the swap and restores her number. She contacts her bank immediately, which has already flagged suspicious activity and frozen three outbound payments totalling several hundred pounds. The bank's fraud team opens an investigation under the APP fraud reimbursement rules. Rachel then reports the incident to Action Fraud and, over the following week, changes passwords and switches all her SMS-based 2FA to an authenticator app. The bank reimburses the blocked payments in full. Had she acted later, the payments might have cleared.

How we verified this

This article draws on Ofcom's published guidance on SIM swap fraud and mobile security; the Payment Services Regulations 2017 as published on legislation.gov.uk; the Payment Systems Regulator's published framework on APP fraud reimbursement; GSMA publications on SIM swap API and industry best practice; and Action Fraud's published guidance on SIM swap fraud.

Disclaimer: Kaeltripton.com is an independent UK editorial publisher. We are not regulated by Ofcom or the FCA and we do not sell or arrange mobile services, insurance, or financial products. This content is for general information only and is not legal, financial, or technical advice. Rules, prices, and operator policies change. Verify the current position with Ofcom, GOV.UK, the ICO, or your provider before acting. ICO registered ZC135439. Last reviewed: 2026-06-05.

Frequently Asked Questions

What is SIM swap fraud?

SIM swap fraud occurs when a criminal successfully convinces your mobile operator to transfer your phone number to a SIM card that the criminal controls. From that point, all calls and texts intended for you — including bank security codes — are received by the attacker. Your own phone loses signal. The fraud exploits legitimate customer-service processes designed to help genuine customers who have lost or damaged their SIM.

How do criminals carry out a SIM swap?

Attackers first gather personal information about the target — from data breaches, social media, phishing, or occasionally corrupt insiders — sufficient to pass the operator's identity verification checks. They then contact the operator (by phone, online chat, or in store), claim to be the victim, and request a SIM replacement. If the verification is passed, the operator completes the swap. The entire process can take under an hour if the attacker has good personal data.

What can a fraudster do with my phone number?

With control of your number, a fraudster can receive SMS one-time passwords used by banks, email providers, and other services for two-factor authentication. This enables them to reset account passwords and authorise financial transactions you did not approve. They may also take over social media accounts, access cryptocurrency wallets, and use your identity to deceive your contacts. Financial losses can be substantial and recovery is complex.

How do I protect myself from SIM swap fraud?

The single most effective step is replacing SMS-based two-factor authentication with an authenticator app or hardware security key for your most sensitive accounts, particularly banking and email. Additionally: set a SIM swap lock or account PIN with your operator if available; use strong unique passwords with a password manager; and avoid publishing personal data (address, date of birth, security question answers) publicly on social media, as this data is used to pass operator verification checks.

What should I do if I think I have been SIM-swapped?

If you lose mobile signal unexpectedly or cannot log into accounts that use SMS 2FA, call your operator immediately from a different device and ask whether a SIM swap has been processed. If confirmed, ask them to reverse it. Then contact your bank to freeze accounts and report suspicious activity. Report the fraud to Action Fraud online. Change passwords for affected accounts and move from SMS 2FA to an authenticator app as quickly as possible.

Chandraketu Tripathi
Finance Editor · Kaeltripton.com
Chandraketu (CK) Tripathi, founder and lead editor of Kael Tripton. 22 years in finance and marketing across 23 markets. Writes on UK personal finance, tax, mortgages, insurance, energy, and investing. Sources: HMRC, FCA, Ofgem, BoE, ONS.
